STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 23 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft Windows Server 2025 Security Technical Implementation Guide

V-285316

CAT I (High)

Windows Server 2025 OpenSSH must not allow blank passwords.

Rule ID

SV-285316r1211176_rule

STIG

Microsoft Windows Server 2025 Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000766

Discussion

If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords must never be used in operational environments. Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00228

Check Content

If OpenSSH is not installed on the system, this requirement is not applicable.

Verify system remote access using OpenSSH prevents logging on with a blank password with the following command:

C:\ > Get-Content "$env:ProgramData\ssh\sshd_config" | Select-String -Pattern '^\s*PermitEmptyPasswords'

PermitEmptyPasswords no

If the "PermitEmptyPasswords" keyword is set to "yes", is missing, or is commented out, this is a finding.

Fix Text

To configure the system, add or modify the following line in the "$env:ProgramData/ssh/sshd_config" file:

PermitEmptyPasswords no

Restart the OpenSSH service for the settings to take effect.