Product Name
CIS-CAT Pro Assessor v4
Product Version
4.13.0+
Date
Problem
| Info |
|---|
If we use a Window’s local or domain account for the remote assessment with WinRM over HTTP, could we enjoy the same level of encryption of communication as HTTPS? |
Solution
Read about WinRM security in this official Microsoft document to help your organization decide the best protocol.
Specifically see the Ongoing Communication sub-header:
Ongoing Communication
Once initial authentication is complete, the WinRM encrypts the ongoing communication. When connecting over HTTPS, the TLS protocol is used to negotiate the encryption used to transport data. When connecting over HTTP, message-level encryption is determined by initial authentication protocol used.
Basic authentication provide no encryption.
NTLM authentication uses an RC4 cipher with a 128-bit key.
Kerberos authentication encryption is determined by the
etypein the TGS ticket. This is AES-256 on modern systems.CredSSP encryption is uses the TLS cipher suite that was negotiated in the handshake.
| Note |
|---|
The Kerberos section defines whether NTLM or AES will be used. NTLM is less secure than AES. Using Kerberos (AES) is determined by if you can connect to a domain server using its computer name OR |
Keywords; winrm encryption secure NTLM AES
Content by Label
| Filter by label (Content by label) | ||||||
|---|---|---|---|---|---|---|
|
| Page Properties | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||
|