Windows Server 2025 OpenSSH must not allow blank passwords.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-285316 | SRG-OS-000106-GPOS-00053 | WN25-SH-000040 | SV-285316r1211176_rule | 2026-05-28 | 1 |
Description
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords must never be used in operational environments.
Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00228
ℹ️ Check
If OpenSSH is not installed on the system, this requirement is not applicable.
Verify system remote access using OpenSSH prevents logging on with a blank password with the following command:
C:\ > Get-Content "$env:ProgramData\ssh\sshd_config" | Select-String -Pattern '^\s*PermitEmptyPasswords'
PermitEmptyPasswords no
If the "PermitEmptyPasswords" keyword is set to "yes", is missing, or is commented out, this is a finding.
✔️ Fix
To configure the system, add or modify the following line in the "$env:ProgramData/ssh/sshd_config" file:
PermitEmptyPasswords no
Restart the OpenSSH service for the settings to take effect.