Rule ID
SV-285322r1211194_rule
Version
V1R2
CCIs
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
If OpenSSH is not installed on the system, this requirement is not applicable.
Verify the SSH public host key files permissions with the following command:
C:\ > Get-ChildItem -Path "C:\ProgramData\ssh" -Filter "*key.pub" -File | ForEach-Object { icacls.exe $_.FullName }
C:\ProgramData\ssh\ssh_host_ecdsa_key.pub BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
Successfully processed 1 files; Failed processing 0 files
C:\ProgramData\ssh\ssh_host_ed25519_key.pub BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
Successfully processed 1 files; Failed processing 0 files
C:\ProgramData\ssh\ssh_host_rsa_key.pub BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
Successfully processed 1 files; Failed processing 0 files
If any public host key file does not have the default permission as in the example output, this is a finding.Maintain the permissions of the public host key files as follows: BUILTIN\Administrators:(F) NT AUTHORITY\SYSTEM:(F)