Rule ID
SV-285320r1212175_rule
Version
V1R2
CCIs
Service configuration files enable or disable features of their respective services, which if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.
If OpenSSH is not installed on the system, this requirement is not applicable.
Verify the permissions of the "$env:ProgramData/ssh/sshd_config" file with the following command:
C:\ > icacls $env:ProgramData/ssh/sshd_config
c:\ProgramData\ssh NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
If the "/etc/ssh/sshd_config" file does not have the default permission as in the example output, this is a finding.Maintain the permissions of the "$env:ProgramData/ssh/sshd_config" file as follows: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)