STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 23 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft Windows Server 2025 Security Technical Implementation Guide

V-285322

CAT II (Medium)

Windows Server 2025 OpenSSH public host key files must conform to minimum requirements.

Rule ID

SV-285322r1211194_rule

STIG

Microsoft Windows Server 2025 Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Check Content

If OpenSSH is not installed on the system, this requirement is not applicable.

Verify the SSH public host key files permissions with the following command:

C:\ > Get-ChildItem -Path "C:\ProgramData\ssh" -Filter "*key.pub" -File | ForEach-Object { icacls.exe $_.FullName }

C:\ProgramData\ssh\ssh_host_ecdsa_key.pub BUILTIN\Administrators:(F)
                                          NT AUTHORITY\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files
C:\ProgramData\ssh\ssh_host_ed25519_key.pub BUILTIN\Administrators:(F)
                                            NT AUTHORITY\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files
C:\ProgramData\ssh\ssh_host_rsa_key.pub BUILTIN\Administrators:(F)
                                        NT AUTHORITY\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files

If any public host key file does not have the default permission as in the example output, this is a finding.

Fix Text

Maintain the permissions of the public host key files as follows:

BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)