Revisions to Windows SSH: Permissions for 'private-key' are too open

Modified GUI steps to be more granular from user feedback

Source Link

edited Jul 14, 2023 at 11:44

8.2k
7
30
50

Keys must only be accessible to the user they're intended for and no other account, service, or group.

GUI:
[File] Properties → Security → Advanced
1. Owner: TheChange → Select a principal → Enter key's user → OK
2. Permission Entries: Remove all except for the key's user
3. Set key's user to Full Control Set key's user to Full Control if not already set
  1. Select user → Modify → Full Control → OK
    OR
  2. Add → Select a principal → Enter key's user → OK
4. OK → OK

Cmd:

::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    :: # Key's within %UserProfile%:
         Icacls %Key% /c /t /Grant %UserName%:F

    :: # Key's outside of %UserProfile%:
         TakeOwn /F %Key%
         Icacls %Key% /c /t /Grant:r %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

PowerShell:

# Set Key File Variable:
  New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

# Remove Inheritance:
  Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  # Key's within $env:UserProfile:
    Icacls $Key /c /t /Grant ${env:UserName}:F

   # Key's outside of $env:UserProfile:
     TakeOwn /F $Key
     Icacls $Key /c /t /Grant:r ${env:UserName}:F

# Remove All Users, except for Owner:
  Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

Keys must only be accessible to the user they're intended for and no other account, service, or group.

GUI:
[File] Properties → Security → Advanced
1. Owner: The key's user
2. Permission Entries: Remove all except for the key's user
3. Set key's user to Full Control

Cmd:

::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    :: # Key's within %UserProfile%:
         Icacls %Key% /c /t /Grant %UserName%:F

    :: # Key's outside of %UserProfile%:
         TakeOwn /F %Key%
         Icacls %Key% /c /t /Grant:r %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

PowerShell:

# Set Key File Variable:
  New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

# Remove Inheritance:
  Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  # Key's within $env:UserProfile:
    Icacls $Key /c /t /Grant ${env:UserName}:F

   # Key's outside of $env:UserProfile:
     TakeOwn /F $Key
     Icacls $Key /c /t /Grant:r ${env:UserName}:F

# Remove All Users, except for Owner:
  Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

Keys must only be accessible to the user they're intended for and no other account, service, or group.

GUI:
[File] Properties → Security → Advanced
1. Owner: Change → Select a principal → Enter key's user → OK
2. Permission Entries: Remove all except for the key's user
3. Set key's user to Full Control if not already set
  1. Select user → Modify → Full Control → OK
    OR
  2. Add → Select a principal → Enter key's user → OK
4. OK → OK

Cmd:

::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    :: # Key's within %UserProfile%:
         Icacls %Key% /c /t /Grant %UserName%:F

    :: # Key's outside of %UserProfile%:
         TakeOwn /F %Key%
         Icacls %Key% /c /t /Grant:r %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

PowerShell:

# Set Key File Variable:
  New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

# Remove Inheritance:
  Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  # Key's within $env:UserProfile:
    Icacls $Key /c /t /Grant ${env:UserName}:F

   # Key's outside of $env:UserProfile:
     TakeOwn /F $Key
     Icacls $Key /c /t /Grant:r ${env:UserName}:F

# Remove All Users, except for Owner:
  Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

Added missing curly brackets to PowerShell variable ; Added missing attribute to /remove command

Source Link

edited Aug 20, 2021 at 12:43

JW0914

8.2k
7
30
50

Keys must only be accessible to the user they're intended for and no other account, service, or group.

GUI:
[File] Properties → Security → Advanced
1. Owner: The key's user
2. Permission Entries: Remove all except for the key's user
3. Set key's user to Full Control

Cmd:

::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    :: # Key's within %UserProfile%:
         Icacls %Key% /c /t /Grant %UserName%:F

    :: # Key's outside of %UserProfile%:
         TakeOwn /F %Key%
         Icacls %Key% /c /t /Grant:r %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key%  /c /t /Remove Administrator:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

PowerShell:

# Set Key File Variable:
  New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

# Remove Inheritance:
  Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  # Key's within $env:UserProfile:
    Icacls $Key /c /t /Grant ${env:UserName}:F

   # Key's outside of $env:UserProfile:
     TakeOwn /F $Key
     Icacls $Key /c /t /Grant:r ${env:UserName}:F

# Remove All Users, except for Owner:
  Icacls $Key  /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

Keys must only be accessible to the user they're intended for and no other account, service, or group.

GUI:
[File] Properties → Security → Advanced
1. Owner: The key's user
2. Permission Entries: Remove all except for the key's user
3. Set key's user to Full Control

Cmd:

::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    Icacls %Key% /c /t /Grant %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key%  /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

PowerShell:

# Set Key File Variable:
  New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

# Remove Inheritance:
  Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  Icacls $Key /c /t /Grant $env:UserName:F

# Remove All Users, except for Owner:
  Icacls $Key  /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

Keys must only be accessible to the user they're intended for and no other account, service, or group.

GUI:
[File] Properties → Security → Advanced
1. Owner: The key's user
2. Permission Entries: Remove all except for the key's user
3. Set key's user to Full Control

Cmd:

::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    :: # Key's within %UserProfile%:
         Icacls %Key% /c /t /Grant %UserName%:F

    :: # Key's outside of %UserProfile%:
         TakeOwn /F %Key%
         Icacls %Key% /c /t /Grant:r %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

PowerShell:

# Set Key File Variable:
  New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

# Remove Inheritance:
  Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  # Key's within $env:UserProfile:
    Icacls $Key /c /t /Grant ${env:UserName}:F

   # Key's outside of $env:UserProfile:
     TakeOwn /F $Key
     Icacls $Key /c /t /Grant:r ${env:UserName}:F

# Remove All Users, except for Owner:
  Icacls $Key /c /t /Remove:g Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

Updated with separate sections for Cmd and PowerShell (latter not acting as expected with "cmd /c" or "/k")

Source Link

edited Jul 22, 2021 at 16:32

JW0914

8.2k
7
30
50

Keys must only be accessible to the user they're intended for and no other account, service, or group:.

GUI:
[File] Properties → Security → Advanced
- [File] Properties → Security → Advanced
  1. Owner: The key's user
  2. Permission Entries: Remove all except for the key's user
  3. Set key's user to Full Control
1. Owner: The key's user
2. Permission Entries: Remove all except for the key's user
3. Set key's user to Full Control

CLICmd:

:: # Set Variable:
   Cmd /c Set Key="C:\Path\to\keyfile"

:: # Remove Inheritance:
   Cmd /c Icacls %Key% /c /t /Inheritance:d

:: # Set Ownership to Owner:
   Cmd /c Icacls %Key% /c /t /Grant %UserName%:F

:: # Remove All Users, except for Owner:
   Cmd /c Icacls %Key% /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

:: # Verify:
   Cmd /c Icacls %Key%

::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    Icacls %Key% /c /t /Grant %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key%  /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

PowerShell:

# Set Key File Variable:
  New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

# Remove Inheritance:
  Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  Icacls $Key /c /t /Grant $env:UserName:F

# Remove All Users, except for Owner:
  Icacls $Key  /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

Keys must only be accessible to the user they're intended for and no other account, service, or group:

GUI:
- [File] Properties → Security → Advanced
  1. Owner: The key's user
  2. Permission Entries: Remove all except for the key's user
  3. Set key's user to Full Control

CLI:

:: # Set Variable:
   Cmd /c Set Key="C:\Path\to\keyfile"

:: # Remove Inheritance:
   Cmd /c Icacls %Key% /c /t /Inheritance:d

:: # Set Ownership to Owner:
   Cmd /c Icacls %Key% /c /t /Grant %UserName%:F

:: # Remove All Users, except for Owner:
   Cmd /c Icacls %Key% /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

:: # Verify:
   Cmd /c Icacls %Key%

Keys must only be accessible to the user they're intended for and no other account, service, or group.

GUI:
[File] Properties → Security → Advanced
1. Owner: The key's user
2. Permission Entries: Remove all except for the key's user
3. Set key's user to Full Control

Cmd:

::# Set Key File Variable:
    Set Key="%UserProfile%\.ssh\id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    Icacls %Key% /c /t /Grant %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key%  /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

PowerShell:

# Set Key File Variable:
  New-Variable -Name Key -Value "$env:UserProfile\.ssh\id_rsa"

# Remove Inheritance:
  Icacls $Key /c /t /Inheritance:d

# Set Ownership to Owner:
  Icacls $Key /c /t /Grant $env:UserName:F

# Remove All Users, except for Owner:
  Icacls $Key  /c /t /Remove Administrator "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

# Verify:
  Icacls $Key

# Remove Variable:
  Remove-Variable -Name Key

Added missing "Cmd /c" to variable command ; Updated markdown and grammar

Source Link

edited Apr 21, 2021 at 12:36

JW0914

8.2k
7
30
50

Loading

Added clarity for "key" variable since it was creating confusion

Source Link

edited Aug 31, 2020 at 12:20

JW0914

8.2k
7
30
50

Loading

Added # to make comments look like comments

Source Link

edited Dec 24, 2019 at 14:15

JW0914

8.2k
7
30
50

Loading

Added removal of "Authenticated Users"

Source Link

edited Jun 14, 2019 at 11:06

JW0914

8.2k
7
30
50

Loading

Added syntax highlighting and verify command

Source Link

edited Jul 19, 2018 at 2:51

JW0914

8.2k
7
30
50

Loading

Added verification command to the removal of users to ensure no one, but owner, has permissions

Source Link

edited Jul 19, 2018 at 0:49

JW0914

8.2k
7
30
50

Loading

Source Link

created Jun 8, 2018 at 15:34

JW0914

8.2k
7
30
50

Loading

Stack Exchange Network

Return to Answer