In the following steps, you will use Azure Policy to deploy SSH Posture Control settings to a test Windows Server 2019, 2022, or 2025 VM.
For background and conceptual reference, see What is SSH Posture Control?.
For a more advanced walkthrough, see Manage your sshd settings using SSH Posture Control.
If you don't have an Azure account, you can create a free trial.
Caution
- This Quickstart demonstrates applying a restrictive sshd configuration intended for a new, disposable test machine. If you were to apply this configuration to other machines, you could lock yourself out. When trying out security controls such as SSH Posture Control, use an isolated sandbox environment so that even a mistake in policy assignment would not reconfigure unintended machines.
Prerequisites
Before attempting the steps in this article, ensure that you already have:
- An Azure account where you have rights to create a resource group, policy assignments, and a virtual machine.
- Your preferred environment for interacting with Azure, such as:
- Azure Cloud Shell (recommended)
- Note: Examples will use bash mode. Readers may adapt examples to other shell environments including PowerShell.
- or your own shell environment with Azure CLI installed and signed in
- or Azure Portal in a web browser
Check that you are signed in to your test environment
Use the account information in the portal to see your current context.
Create a resource group
The choice of eastus location in this example is not significant. You can use any available Azure location.
Assign the policy to the resource group
This Quickstart applies audit-and-configure behavior, using the built-in policy definition [Preview]: Configure SSH security posture for Windows.
The example assignment will rely largely on SSH Posture Control defaults (e.g., port 22, root access not allowed), with limited customization (banner text).
- Navigate to Policy, then Definitions
- Filter the list to find and select [Preview]: Configure SSH security posture for Windows
- From the policy definition page, click Assign
- In the policy assignment workflow
- Choose the new empty resource group (created earlier) as the scope.
- Optional: Choose a name for this policy assignment. By default the name of the policy definition is used.
- Optional: On the parameters tab, override a default value such as the "banner" value.
- Note: The rule 'port' should be configured with a single value to ensure proper functionality and compliance for auditing and configuring scenarios.
- Complete the creation of the policy assignment.
Caution
Whether you used the Portal or CLI, inspect the scope of the policy assignment you just created before proceeding. If the scope was mistakenly set to anything other than the new empty resource group created earlier, correct it immediately to avoid configuring unintended machines.
Create a test VM and prepare it for Machine Configuration
- Create a Windows Server 2019, 2022, or 2025 virtual machine
- Add a system assigned identity, if not already present
- Add the Machine Configuration extension (labeled in portal as Azure Machine Configuration for Windows)
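The same provisioning steps as a script, added here as an example and not taken from the original page. It uses the Az PowerShell module (Az.Accounts, Az.Resources, Az.Compute) after Connect-AzAccount rather than the portal, and it performs the scope check the Caution above calls for before any VM exists. Assumptions not stated on the page: the built-in definition's banner parameter is named "banner", the New-AzVM image alias Win2022Datacenter, and the resource group, VM and assignment names, which are constructed placeholders.

```powershell
# Added example, not from the original page: the Quickstart steps performed with
# the Az PowerShell module after Connect-AzAccount. Assumptions: the policy's
# banner parameter is named "banner"; the image alias Win2022Datacenter; the
# resource group, VM and assignment names are constructed placeholders.
$ErrorActionPreference = 'Stop'

$rgName         = 'sshdemo01'             # new, empty resource group (placeholder name)
$location       = 'eastus'                # any Azure location works
$vmName         = 'sshtest01'             # constructed placeholder
$assignmentName = 'ssh-posture-windows'   # constructed placeholder
$definitionDisplayName = '[Preview]: Configure SSH security posture for Windows'

# 1. Confirm which account and subscription you are about to deploy into.
$ctx = Get-AzContext
if (-not $ctx) { throw 'Not signed in. Run Connect-AzAccount first.' }
"Deploying as $($ctx.Account.Id) into subscription '$($ctx.Subscription.Name)' ($($ctx.Subscription.Id))"

# 2. Create the resource group, refusing to reuse one that already holds resources:
#    the assignment below reconfigures every Windows machine in its scope.
$rg = Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue
if ($rg) {
    $existing = @(Get-AzResource -ResourceGroupName $rgName)
    if ($existing.Count -gt 0) { throw "Resource group '$rgName' already contains $($existing.Count) resource(s); use a fresh, empty group." }
} else {
    $rg = New-AzResourceGroup -Name $rgName -Location $location
}

# 3. Find the built-in definition by display name instead of hard-coding a GUID.
#    Older Az.Resources versions expose DisplayName under .Properties, so check both.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { ($_.DisplayName, $_.Properties.DisplayName) -contains $definitionDisplayName } |
    Select-Object -First 1
if (-not $definition) { throw "Built-in policy definition '$definitionDisplayName' not found." }

# 4. Assign at resource-group scope only. A configuring (remediating) policy needs a
#    managed identity, and an identity needs a location.
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -PolicyDefinition $definition `
    -Scope $rg.ResourceId `
    -Location $location `
    -IdentityType 'SystemAssigned' `
    -PolicyParameterObject @{ banner = 'Authorized use only. Activity is monitored.' }   # parameter name assumed

# 5. The check the Caution asks for: the scope must be exactly this resource group.
#    If it is anything else (for example the subscription), remove the assignment now.
$assignedScope = if ($assignment.Scope) { $assignment.Scope } else { $assignment.Properties.Scope }
if ($assignedScope -ne $rg.ResourceId) {
    Remove-AzPolicyAssignment -Name $assignmentName -Scope $assignedScope
    throw "Assignment scope '$assignedScope' was not the test resource group; assignment removed."
}
"Policy '$assignmentName' assigned at scope $assignedScope"

# 6. Create the Windows Server VM with a system-assigned identity, then add the
#    Machine Configuration extension (listed in the portal as
#    'Azure Machine Configuration for Windows').
$cred = Get-Credential -Message 'Local administrator account for the test VM'
$vm = New-AzVM -ResourceGroupName $rgName -Name $vmName -Location $location `
    -Image 'Win2022Datacenter' -Size 'Standard_B2s' -Credential $cred `
    -SystemAssignedIdentity

Set-AzVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $location `
    -Publisher 'Microsoft.GuestConfiguration' -ExtensionType 'ConfigurationforWindows' `
    -Name 'AzurePolicyforWindows' -TypeHandlerVersion '1.0' -EnableAutomaticUpgrade $true | Out-Null

"VM '$vmName' created with identity $($vm.Identity.PrincipalId). Wait at least 15 minutes before checking compliance."
```

The script refuses to reuse a resource group that already contains resources and removes the assignment if its scope is not the test group, so the two mistakes the Caution boxes warn about fail fast instead of reconfiguring machines.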
Tip
In this Quickstart the prerequisites for Machine Configuration (the VM has a managed identity and the agent extension) were addressed directly during VM creation. At scale, these prerequisites can be satisfied using the Deploy prerequisites to enable Guest Configuration policies on virtual machines built-in Policy Initiative.
Take a break before proceeding
Several steps will now happen automatically. Each of these steps can take a few minutes. Accordingly, please wait at least 15 minutes before proceeding.
Observe results
Using the following steps, you can see:
- How many machines are compliant (or not)
- Particularly useful at production scales, where you may have thousands of machines
- Which machines are compliant (or not)
- For a given machine, which individual rules are compliant (or not)
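The three views listed above, queried from PowerShell instead of the portal, as an added example that is not part of the original page. Counts and per-machine states come from Az.PolicyInsights; per-rule results for one machine come from the Machine Configuration (guestConfigurationAssignments) reports read through Invoke-AzRestMethod. Assumptions: the resource group, assignment and VM names from the provisioning step, and the 2022-01-25 API version of Microsoft.GuestConfiguration.

```powershell
# Added example, not from the original page: compliance results for the Quickstart
# assignment. Assumptions: the placeholder names below and the Microsoft.GuestConfiguration
# API version 2022-01-25.
$ErrorActionPreference = 'Stop'
$rgName         = 'sshdemo01'             # placeholders from the provisioning step
$assignmentName = 'ssh-posture-windows'
$vmName         = 'sshtest01'

# Latest evaluation of every resource the assignment covers.
$states = @(Get-AzPolicyState -ResourceGroupName $rgName -PolicyAssignmentName $assignmentName)

# (a) How many resources are compliant or not: the numbers behind the portal pie chart.
"Compliance summary for '$assignmentName':"
$states | Group-Object ComplianceState | Select-Object Name, Count | Format-Table -AutoSize

# (b) Which machines (Azure VMs or Arc-enabled servers) are compliant or not.
$states |
    Where-Object { $_.ResourceType -match 'virtualMachines$|hybridCompute/machines$' } |
    Select-Object @{ n = 'Machine'; e = { $_.ResourceId.Split('/')[-1] } }, ComplianceState, Timestamp |
    Sort-Object ComplianceState, Machine |
    Format-Table -AutoSize

# (c) For one machine, which individual rules passed or failed. The per-rule detail
#     lives in the guest configuration assignment reports attached to the VM.
$vmId = (Get-AzVM -ResourceGroupName $rgName -Name $vmName).Id
$apiVersion = '2022-01-25'
$gcList = (Invoke-AzRestMethod -Method GET `
    -Path "$vmId/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments?api-version=$apiVersion").Content |
    ConvertFrom-Json

foreach ($gc in $gcList.value) {
    $reports = (Invoke-AzRestMethod -Method GET -Path "$($gc.id)/reports?api-version=$apiVersion").Content |
        ConvertFrom-Json
    $latest = $reports.value | Sort-Object { [datetime]$_.properties.endTime } -Descending | Select-Object -First 1
    if (-not $latest) { "$($gc.name): no report yet (the agent may still be evaluating)"; continue }

    "`n$($gc.name): $($latest.properties.complianceStatus) at $($latest.properties.endTime)"
    $latest.properties.details.resources |
        Select-Object @{ n = 'Rule';   e = { $_.resourceId } },
                      @{ n = 'Status'; e = { $_.complianceStatus } },
                      @{ n = 'Reason'; e = { @($_.reasons | ForEach-Object { $_.phrase }) -join '; ' } } |
        Format-Table -AutoSize -Wrap
}
```

Section (c) is the one to run when a machine shows as non-compliant: the reason phrases name the specific sshd rule that failed, which the policy-level state does not.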
Optional: Add more test machines to experience scale
In this article the policy was assigned to a resource group which was initially empty and then gained one VM. While this demonstrates the system working end-to-end, it doesn't provide a sense of at-scale operations. For example, in the policy assignment compliance view a pie chart of one machine can feel artificial.
Consider adding more test machines to the resource group, whether manually or via automation. These could be Azure VMs or Arc-enabled machines. As you see those machines come into compliance (or even fail) you can gain a keener sense of operationalizing SSH Posture Control at scale.
Optional: Manually inspect test machine to confirm results
When getting started with a new feature such as SSH Posture Control, it can be valuable to manually inspect the results out of band. This helps to build confidence and clarity. The steps in this article, for example, should have resulted in a modified logon banner configuration on your test VM. You can confirm this by attempting an SSH connection to the machine to see the banner, or by inspecting the sshd_config file.
Clean up resources
To avoid ongoing charges, consider deleting the resource group used in this article. For example, the Azure CLI command would be az group delete --name "sshdemo01"
Getting started with the Local Experience (PowerShell)
Prerequisites
- You must be running a production-signed Windows Server 2019, 2022, or 2025 build on your device.
- The OSConfig PowerShell module must be installed on your server device. See Install the OSConfig PowerShell module for details.
- You must have the sshd service installed and running, following this guide: https://aka.ms/windows-openssh-install.
To apply a baseline, verify that the baseline is applied, remove a baseline, or view detailed compliance information for OSConfig in PowerShell, use the commands on the following tabs.
Configure
To apply the SSH scenario, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SSH -Default
Verify
To verify that the SSH scenario is properly applied, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SSH
Check compliance
To obtain the desired configuration details for the specified scenario, use the following commands. The output appears in a table format that includes the name of the configuration item, its compliance status, and the reason for noncompliance.
To check the compliance details for the SSH scenario, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SSH | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap
Custom Configuration
To customize a setting in the SSH scenario, specify it with the '-Name' and '-Value' parameters:
Set-OSConfigDesiredConfiguration -Scenario SSH -Name Banner -Value "Custom Banner"
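The Configure, Verify, Check compliance and Custom Configuration steps above combined into one script, followed by the out-of-band sshd_config check that the "Manually inspect test machine" section suggests. This is an added example, not code from the page or from the OSConfig module. Assumptions not stated on the page: it runs in an elevated PowerShell on the server itself, the compliance status string is 'Compliant', sshd_config lives under $env:ProgramData\ssh, and the banner text is a constructed value.

```powershell
# Added example, not from the original page: apply the SSH scenario, set a custom
# banner, list any rule that is not compliant, then confirm the banner in sshd_config.
# Assumptions: elevated session on the server; status string 'Compliant'; the
# sshd_config path under $env:ProgramData\ssh; the banner text is constructed.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$bannerText = 'Authorized use only. Activity is monitored.'   # constructed value

# The prerequisite check: OpenSSH Server must already be installed and running.
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
if (-not $sshd -or $sshd.Status -ne 'Running') {
    throw 'sshd is not running; install and start OpenSSH Server first (https://aka.ms/windows-openssh-install).'
}

# Apply the baseline defaults, then the one customization.
Set-OSConfigDesiredConfiguration -Scenario SSH -Default
Set-OSConfigDesiredConfiguration -Scenario SSH -Name Banner -Value $bannerText

# Read back every desired-state item together with its compliance evaluation.
$items = @(Get-OSConfigDesiredConfiguration -Scenario SSH)
$items |
    Select-Object Name,
        @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
        @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } } |
    Format-Table -AutoSize -Wrap

# Surface anything that is not compliant (status string assumed to be 'Compliant').
$failed = @($items | Where-Object { $_.Compliance.Status -ne 'Compliant' })
foreach ($item in $failed) {
    Write-Warning "$($item.Name): $($item.Compliance.Status) - $($item.Compliance.Reason)"
}
"$($items.Count) rule(s) evaluated, $($failed.Count) not compliant"

# Out-of-band confirmation: find the Banner directive in sshd_config (and in any
# included sshd_config.d\*.conf) and show the file it points to.
$configRoot  = Join-Path $env:ProgramData 'ssh'
$configFiles = @(Join-Path $configRoot 'sshd_config') +
    @(Get-ChildItem -Path (Join-Path $configRoot 'sshd_config.d') -Filter '*.conf' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName })
$bannerLine = Select-String -Path $configFiles -Pattern '^\s*Banner\s+' -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($bannerLine) {
    $bannerPath = ($bannerLine.Line -replace '^\s*Banner\s+', '').Trim().Trim('"')
    "$($bannerLine.Filename): Banner $bannerPath"
    if (Test-Path -LiteralPath $bannerPath) { Get-Content -LiteralPath $bannerPath }
} else {
    Write-Warning 'No Banner directive found in sshd_config; re-run Get-OSConfigDesiredConfiguration -Scenario SSH and check the Banner item.'
}
```

Running this on the disposable test VM gives the same per-rule view as the Azure compliance report, but immediately and without waiting for the Machine Configuration agent cycle, which makes it the quickest way to see why a rule is reported as non-compliant.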
Next steps
Contact the team at Microsoft to provide feedback, feature requests, etc.