Product Name: CIS-CAT Pro Assessor v4

Product Version: 4.1343.0+

Date:

Problem

Info

If we use a Windows local or domain account for a remote assessment with WinRM over HTTP, do we get the same level of encryption for the communication as with HTTPS?

Solution

Read about WinRM security in the official Microsoft document to help your organization decide on the best protocol.

Specifically, see the Ongoing Communication sub-header, quoted here:


Ongoing Communication

Once initial authentication is complete, WinRM encrypts the ongoing communication. When connecting over HTTPS, the TLS protocol is used to negotiate the encryption used to transport data. When connecting over HTTP, message-level encryption is determined by the initial authentication protocol used.

  • Basic authentication provides no encryption.

  • NTLM authentication uses an RC4 cipher with a 128-bit key.

  • Kerberos authentication encryption is determined by the etype in the TGS ticket. This is AES-256 on modern systems.

  • CredSSP encryption uses the TLS cipher suite that was negotiated in the handshake.


Note that the authentication method used cannot be enforced at the application (Assessor) level. The Assessor instead defaults to whichever protocol is negotiated as compatible between the Assessor host and the remote scan endpoint, even in domain environments where Kerberos may be the default.

There is an option to limit the available methods via Group Policy, but keep in mind that disabling NTLM may negatively impact other applications and system processes that rely on it:
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain

Note

The Kerberos section above determines whether NTLM or AES will be used for an HTTP connection.

NTLM (RC4, 128-bit key) is less secure than Kerberos (AES).

Whether Kerberos (AES) is used depends on how you connect: connecting to a domain server by its computer name uses Kerberos, whereas connecting to a domain server by its IP address (or connecting to a workgroup server) does NOT use Kerberos and falls back to NTLM instead of AES.
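The following PowerShell script is an added example and is not part of this article or of CIS-CAT Pro Assessor itself. It checks, on the Assessor host, which authentication methods the local WinRM service accepts and whether unencrypted traffic is permitted, then probes a target (the hostname is a placeholder you replace) with Test-WSMan using Kerberos by computer name and by IP address, which illustrates the behaviour described in the Note: the by-name probe should negotiate Kerberos, while the by-IP probe typically fails, meaning a Negotiate session to that address would fall back to NTLM. The last function is meant to be run on the target host after an assessment and reads the Security log to confirm which authentication package the network logon actually used. It assumes WinRM is enabled, the DnsClient module is available, and the caller can read the Security log on the target.

```powershell
# Added example (not CIS-CAT Pro Assessor code).
# Assumptions: WinRM enabled locally, DnsClient module present,
# $TargetHost is a placeholder you replace with a host you administer.
param(
    [string]$TargetHost = 'server01.example.internal'   # placeholder
)

# 1. Authentication methods the local WinRM service will accept.
#    Basic = no message-level encryption over HTTP; Kerberos = AES per etype;
#    Negotiate may resolve to NTLM (RC4-128); CredSSP = negotiated TLS suite.
"== Local WinRM service authentication settings =="
Get-ChildItem -Path WSMan:\localhost\Service\Auth |
    Select-Object Name, Value |
    Format-Table -AutoSize

# 2. Whether the service permits unencrypted message bodies at all (expected: false).
$allowUnencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
"AllowUnencrypted (service): $allowUnencrypted"

# 3. Probe the target by name and by IP, forcing Kerberos so that no fallback
#    to NTLM can hide the difference.
$ip = (Resolve-DnsName -Name $TargetHost -Type A -ErrorAction Stop |
       Select-Object -First 1).IPAddress

"== Kerberos availability probe =="
foreach ($endpoint in @($TargetHost, $ip)) {
    try {
        Test-WSMan -ComputerName $endpoint -Authentication Kerberos -ErrorAction Stop | Out-Null
        "$endpoint : Kerberos negotiated (encryption per the ticket etype, AES on modern systems)"
    } catch {
        "$endpoint : Kerberos not available; a Negotiate session here would use NTLM (RC4-128) over HTTP"
    }
}

# 4. Run this on the TARGET host after an assessment: Security event 4624 records
#    the AuthenticationPackageName for each network logon (LogonType 3), so it
#    shows whether the Assessor's session really used Kerberos or NTLM.
function Get-WinRmLogonPackage {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Parse the event XML by field name rather than relying on positional indexes.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d['LogonType'] -eq '3') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    AuthPackage = $d['AuthenticationPackageName']   # Kerberos or NTLM
                    LmPackage   = $d['LmPackageName']               # e.g. NTLM V2 when NTLM
                    KeyLength   = $d['KeyLength']
                    SourceIP    = $d['IpAddress']
                }
            }
        }
}

# Example call on the target: list the most recent network logons and their package.
# Get-WinRmLogonPackage | Select-Object -First 10 | Format-Table -AutoSize
```

A by-IP probe failing in step 3 is expected behaviour rather than an error: Kerberos needs a service principal name derived from the host name, so an IP-addressed connection negotiates NTLM instead. If the Group Policy NTLM restriction linked above is applied, the same by-IP assessment would then fail outright, which is the trade-off that note describes.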

Keywords: winrm encryption secure NTLM AES Kerberos


Copyright © 2020

Center for Internet Security®

Page Properties

Linked ticket: https://cisecurity.atlassian.net/browse/

Jira ticket: SUPPORT-17082

Created by: Nick Romanzo