Windows Server 2025 OpenSSH must not allow blank passwords.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
highV-285316SRG-OS-000106-GPOS-00053WN25-SH-000040SV-285316r1211176_rule2026-05-281

Description

If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords must never be used in operational environments. Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00228

ℹ️ Check

If OpenSSH is not installed on the system, this requirement is not applicable. Verify system remote access using OpenSSH prevents logging on with a blank password with the following command: C:\ > Get-Content "$env:ProgramData\ssh\sshd_config" | Select-String -Pattern '^\s*PermitEmptyPasswords' PermitEmptyPasswords no If the "PermitEmptyPasswords" keyword is set to "yes", is missing, or is commented out, this is a finding.

✔️ Fix

To configure the system, add or modify the following line in the "$env:ProgramData/ssh/sshd_config" file: PermitEmptyPasswords no Restart the OpenSSH service for the settings to take effect.