AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam

Implement and Secure SSH Access on Hybrid Windows Servers

SSH (Secure Shell) is a protocol that provides administrators with a secure way to connect to and manage remote servers. In a hybrid Windows Server environment, you often need to handle servers both on-premises and in Azure. SSH uses strong encryption to protect data as it travels across untrusted networks. By enabling SSH on Windows servers, you gain a flexible and reliable method for remote management without relying on older, less secure protocols.

Windows Server 2019 and later include the Win32 OpenSSH feature, making it straightforward to install and configure the OpenSSH server. For older Windows Server versions or Azure virtual machines, you can deploy the OpenSSH VM extension using Azure PowerShell or the Azure CLI. After installation, you must open TCP port 22 in your network firewall and network security group to allow incoming SSH connections. Ensuring these network settings are correct is critical for reliable access.

One of the most important ways to secure SSH is to enforce key-based authentication instead of passwords. With key-based authentication, each user has a unique public/private key pair, which makes it much harder for attackers to guess credentials. To set up key-based login, you generate the key pair on your local workstation and then copy the public key to the server’s authorized_keys file. Protecting the private key on your device and rotating keys regularly further strengthens security.

To generate and deploy SSH keys:

• Use ssh-keygen on your local machine to create a new key pair.
• Transfer the public key to the server’s authorized_keys file.
• Confirm that you can connect and then disable password authentication on the server.

Integrating SSH with Azure AD or an SSH certificate authority helps you centralize identity and simplify access control. You can create conditional access policies that require multi-factor authentication or device compliance before a user can establish an SSH session. This integration not only strengthens security but also streamlines user management and auditing. Centralized policies ensure that only approved users on trusted devices can reach your servers.

Restricting inbound SSH traffic is essential to minimize exposure and comply with organizational rules. You can apply network security group (NSG) rules to limit access to specific IP ranges or subnets. Deploying Azure Bastion in your virtual network lets you connect over SSH without exposing VM public IP addresses. Finally, enabling session logging captures details of all SSH sessions for auditing and security reviews.

Key steps to tighten SSH access:

• Define NSG rules that allow only trusted IP addresses.
• Provision and configure an Azure Bastion host in your virtual network.
• Enable detailed session logging on the server to track user commands and access times.

Conclusion

Configuring and managing remote SSH access on hybrid Windows servers requires installing and enabling the OpenSSH feature, enforcing key-based authentication, and integrating with Azure AD for centralized identity control. You must also apply network security group rules and use Azure Bastion to limit exposure of management ports. Finally, turning on session logging ensures you have an audit trail of all SSH activity. Together, these steps create a secure and well-monitored environment for remote server management.