We recently released support for Exposure Management Authenticated Scanning on Windows, using SSH.
Here we explain the steps needed to make your Windows host reachable over SSH.
This article applies to the following:
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
- Windows 10 / Windows 11 (optional)
Enabling SSH
To allow secure remote access to a Windows device, the SSH service must be enabled.
Windows Server supports SSH through the built-in OpenSSH Server feature, which allows encrypted remote connections and command-line access. [learn.microsoft.com]
Follow the steps below to install and enable SSH on Windows Server.
1. Verify OpenSSH Server availability
Open PowerShell as Administrator and run:
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
- If the state is "Installed", skip to step 3.
- If the state is "NotPresent", proceed with installation.
2. Install OpenSSH Server
Run the following PowerShell command:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
This installs the built-in OpenSSH Server component available in modern Windows versions.
3. Start and enable the SSH service
After installation, start the SSH service from PowerShell:
Start-Service sshd
Set it to start automatically at system startup:
Set-Service -Name sshd -StartupType Automatic
This ensures SSH remains available after reboot.
Allow SSH traffic in Windows Firewall
To allow inbound SSH connections (default port 22), create a firewall rule using PowerShell:
New-NetFirewallRule -Name "OpenSSH-Server" `
-DisplayName "OpenSSH Server (sshd)" `
-Enabled True `
-Direction Inbound `
-Protocol TCP `
-Action Allow `
-LocalPort 22
This enables remote systems to connect via SSH.
Verify the SSH service
Check the service status from PowerShell:
Get-Service -Name sshd
Test SSH connectivity
From a remote machine, connect using the following from a command prompt:
ssh <username>@<server-ip>
Example:
ssh administrator@192.168.1.10
Key-based authentication (recommended)
It is strongly recommended to use key-based authentication instead of passwords, as it is more secure in the long term.
Generate your private/public key pair as usual, or follow the instructions in step 1 of "Key-based authentication (recommended)" in the WithSecure User Guides (Radar, 4.0).
Append your public key to the C:\ProgramData\ssh\administrators_authorized_keys file.
Note: standard users use their personal C:\Users\username\.ssh\authorized_keys file, but for accounts with administrator permissions, the global administrators_authorized_keys file is used.
Verify that the correct key is present and that the file is formatted correctly:
ssh-keygen -l -f "C:\ProgramData\ssh\administrators_authorized_keys"
Note: A very common mistake is using invalid line ending characters. Please make sure only Linux line endings “\n” are used.
Make sure the file has the correct permissions set:
icacls "C:\ProgramData\ssh\administrators_authorized_keys"
The output should only show two entries:
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
Verify that key authentication works
ssh -i <private_key> <username>@<server-ip>
Example:
ssh -i .ssh/id_ecdsa administrator@192.168.1.10
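The key-installation steps above, combined into one script as an added example (not WithSecure's or Microsoft's own code). It assumes an elevated PowerShell session; the $PublicKeyPath parameter name is hypothetical and points to your .pub file.

```powershell
#Requires -RunAsAdministrator
# Added example. $PublicKeyPath (hypothetical name) is the path to the
# .pub file whose key should be allowed to log in as an administrator.
param([Parameter(Mandatory)][string]$PublicKeyPath)

$KeyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

# Collect existing entries plus the new key; Get-Content splits on CRLF or LF,
# so stray carriage returns and blank lines are dropped here.
$lines = @()
if (Test-Path $KeyFile) { $lines += Get-Content -Path $KeyFile }
$lines += Get-Content -Path $PublicKeyPath
$lines = $lines | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique

# Write the file back with LF-only line endings and no byte-order mark.
$text = ($lines -join "`n") + "`n"
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText($KeyFile, $text, $utf8NoBom)

# Remove inherited ACEs and grant Full Control to SYSTEM and Administrators.
# Well-known SIDs are used so the command also works on non-English Windows.
icacls.exe $KeyFile /inheritance:r /grant '*S-1-5-18:F' /grant '*S-1-5-32-544:F' | Out-Null

# Check 1: no CR (0x0D) bytes are left in the file.
$hasCr = [System.IO.File]::ReadAllBytes($KeyFile) -contains 13

# Check 2: the ACL lists only the two expected principals.
$allowed = 'S-1-5-18', 'S-1-5-32-544'
$extra = (Get-Acl -Path $KeyFile).Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sid -notin $allowed
}

# Check 3: ssh-keygen can parse every key and prints its fingerprint.
ssh-keygen.exe -l -f $KeyFile
$keysOk = ($LASTEXITCODE -eq 0)

if ($hasCr)       { Write-Warning 'File contains CR characters; use LF line endings only.' }
if ($extra)       { Write-Warning ('Unexpected ACL entries: ' + ($extra.IdentityReference -join ', ')) }
if (-not $keysOk) { Write-Warning 'ssh-keygen could not parse the file.' }
```

Compare the fingerprint printed by ssh-keygen with the one from your own key pair before testing the login.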
Additional notes
- OpenSSH Server is included as a built-in feature from Windows Server 2019 onward.
- SSH uses encrypted communication to protect data integrity and prevent eavesdropping.
- The default SSH port is TCP 22, which must be allowed through firewall configuration.