Product Name
CIS-CAT Pro Assessor v4
Product Version
4.1343.0+
Date
Problem
Info |
---|
If we use a Windows local or domain account for the remote assessment with WinRM over HTTP, could we enjoy the same level of encryption of communication as HTTPS? |
Solution
Read about WinRM security in this official Microsoft document to help your organization decide the best protocol.
Specifically see the Ongoing Communication sub-header:
Ongoing Communication
Once initial authentication is complete, the WinRM encrypts the ongoing communication. When connecting over HTTPS, the TLS protocol is used to negotiate the encryption used to transport data. When connecting over HTTP, message-level encryption is determined by initial authentication protocol used.
Basic authentication provides no encryption.
NTLM authentication uses an RC4 cipher with a 128-bit key.
Kerberos authentication encryption is determined by the `etype` in the TGS ticket. This is AES-256 on modern systems.
CredSSP encryption uses the TLS cipher suite that was negotiated in the handshake.
Note that the utilized authentication method cannot be enforced at the application (Assessor) level - it will instead default to whichever protocol is identified as being compatible between the Assessor host and the remote scan endpoint, even in Domain environments where Kerberos may be the default.
There is an option to limit the available methods via Group Policy, but keep in mind that disabling NTLM may negatively impact other applications and system processes that rely on it:
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
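Because the Assessor cannot enforce the authentication method, one way to confirm what an assessment actually negotiated is to check on the remote scan endpoint itself. The PowerShell below is an added example, not part of the original article or of CIS-CAT; the account name `svc-ciscat` and the 24-hour window are assumptions, and it must be run from an elevated session on the endpoint.

```powershell
# Added example: audit WinRM authentication on the remote scan endpoint.
param(
    [string]$AssessmentAccount = 'svc-ciscat',  # hypothetical; account name without domain
    [int]$HoursBack = 24                        # assumed look-back window
)

# Message-level encryption over HTTP for the two protocols Negotiate can select,
# as described in the Microsoft text quoted above.
$encryptionByPackage = @{
    'NTLM'     = 'RC4, 128-bit key'
    'Kerberos' = 'etype of the TGS ticket (AES-256 on modern systems)'
}

# 1. What the WinRM service on this endpoint is configured to accept.
$service = 'WSMan:\localhost\Service'
[pscustomobject]@{
    AllowUnencrypted = (Get-Item "$service\AllowUnencrypted").Value
    Basic            = (Get-Item "$service\Auth\Basic").Value
    Negotiate        = (Get-Item "$service\Auth\Negotiate").Value  # Kerberos, else NTLM
    Kerberos         = (Get-Item "$service\Auth\Kerberos").Value
    CredSSP          = (Get-Item "$service\Auth\CredSSP").Value
} | Format-List

# 2. What was actually negotiated: network logons (event 4624, logon type 3)
#    recorded for the assessment account in the Security log.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$HoursBack)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    if ($data['LogonType'] -eq '3' -and $data['TargetUserName'] -eq $AssessmentAccount) {
        $package = "$($data['AuthenticationPackageName'])".Trim()
        [pscustomobject]@{
            Time           = $evt.TimeCreated
            Source         = $data['IpAddress']
            AuthPackage    = $package
            HttpEncryption = $encryptionByPackage[$package]  # empty if neither NTLM nor Kerberos
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Rows showing `NTLM` in `AuthPackage` indicate that the session over HTTP was protected with RC4 rather than the Kerberos ticket's encryption type.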
Note |
---|
The Kerberos section defines whether NTLM or AES will be used. NTLM is less secure than AES. Whether Kerberos (AES) is used can be determined by whether you can connect to a domain server using its computer name OR The latter case does NOT use Kerberos and will use NTLM instead of AES. |
Keywords: winrm encryption secure NTLM AES Kerberos