Rule ID
SV-285321r1211191_rule
Version
V1R2
CCIs
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
If OpenSSH is not installed on the system, this requirement is not applicable.
Verify the SSH private host key files permissions with the following command:
C:\ > Get-ChildItem -Path "C:\ProgramData\ssh" -Filter "*_key" -File | ForEach-Object { icacls.exe $_.FullName }
C:\ProgramData\ssh\ssh_host_ecdsa_key BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
Successfully processed 1 files; Failed processing 0 files
C:\ProgramData\ssh\ssh_host_ed25519_key BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
Successfully processed 1 files; Failed processing 0 files
C:\ProgramData\ssh\ssh_host_rsa_key BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
Successfully processed 1 files; Failed processing 0 files
If any private host key file does not have the default permission as in the example output, this is a finding.Maintain the permissions of the private host key files as follows: BUILTIN\Administrators:(F) NT AUTHORITY\SYSTEM:(F)