Is Assessor’s remote assessment with WinRM over HTTP as secure as the assessment with WinRM over HTTPS?


Product Name

CIS-CAT Pro Assessor v4

Product Version

4.13.0+

Date

Dec 16, 2021



Problem

If we use a Windows local or domain account for a remote assessment with WinRM over HTTP, do we get the same level of encryption on the connection as with HTTPS?

 

Solution

Read about WinRM security in this official Microsoft document to help your organization decide on the best protocol.

Specifically see the Ongoing Communication sub-header:

Ongoing Communication

Once initial authentication is complete, WinRM encrypts the ongoing communication. When connecting over HTTPS, the TLS protocol is used to negotiate the encryption used to transport data. When connecting over HTTP, message-level encryption is determined by the initial authentication protocol used.

  • Basic authentication provides no encryption.

  • NTLM authentication uses an RC4 cipher with a 128-bit key.

  • Kerberos authentication encryption is determined by the etype in the TGS ticket. This is AES-256 on modern systems.

  • CredSSP encryption uses the TLS cipher suite that was negotiated in the handshake.

 

Which of the two, Kerberos (AES) or NTLM, applies to an HTTP connection is determined by how the target is addressed. NTLM is less secure than AES.

  • Connecting to a domain server by its computer name: Kerberos is used, so the session is encrypted with AES.

  • Connecting to a domain server by its IP address, or connecting to a workgroup server: this case does NOT use Kerberos and falls back to NTLM instead of AES.
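As an added example (not part of the CIS-CAT documentation), a PowerShell check that applies the rules above: it reports whether a target is addressed by IP, tests whether the target accepts Kerberos authentication, and audits the local WinRM service for Basic or unencrypted traffic. The host names and the IP address in the usage lines are placeholders; it assumes the current user is a domain account with rights on the target.

```powershell
# Added example: classify the expected WinRM message encryption for a target.
function Test-WinRmEncryption {
    param(
        [Parameter(Mandatory)] [string] $Target,   # host name or IP address of the assessment target
        [switch] $UseSSL                            # set when the target exposes an HTTPS listener
    )
    $result = [ordered]@{ Target = $Target; Transport = $(if ($UseSSL) { 'HTTPS' } else { 'HTTP' }) }

    # An IP address (or a workgroup host) cannot be matched to an SPN, so Kerberos
    # is not used and WinRM negotiates down to NTLM.
    $ip = $null
    $result.TargetIsIpAddress = [System.Net.IPAddress]::TryParse($Target, [ref]$ip)

    # Ask the target to authenticate with Kerberos only; a failure means the real
    # session would rely on NTLM (RC4 with a 128-bit key over HTTP).
    try {
        $null = Test-WSMan -ComputerName $Target -Authentication Kerberos -UseSSL:$UseSSL -ErrorAction Stop
        $result.KerberosAvailable = $true
    } catch {
        $result.KerberosAvailable = $false
    }

    $result.ExpectedEncryption = if ($UseSSL) { 'TLS (HTTPS)' }
        elseif ($result.KerberosAvailable) { 'Kerberos etype (AES-256 on modern systems)' }
        else { 'NTLM RC4-128 (weaker): use the computer name or switch to HTTPS' }
    [pscustomobject]$result
}

# Service-side audit, run on the target itself: Basic over HTTP gives no encryption,
# and AllowUnencrypted=true lets a client skip message-level encryption entirely.
function Get-WinRmServiceHardening {
    $svc = 'WSMan:\localhost\Service'
    [pscustomobject]@{
        AllowUnencrypted = (Get-Item "$svc\AllowUnencrypted").Value
        BasicAuth        = (Get-Item "$svc\Auth\Basic").Value
        KerberosAuth     = (Get-Item "$svc\Auth\Kerberos").Value
        HttpsListener    = [bool](Get-ChildItem WSMan:\localhost\Listener |
                              Where-Object { $_.Keys -contains 'Transport=HTTPS' })
    }
}

# Placeholder targets: a domain host by name (Kerberos expected) and by IP (NTLM fallback).
Test-WinRmEncryption -Target 'server01.corp.example'
Test-WinRmEncryption -Target '10.0.0.5'
Get-WinRmServiceHardening
```

A healthy result for an HTTP assessment is KerberosAvailable = True on the client side and AllowUnencrypted = false with BasicAuth = false on the service side.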

Keywords: winrm encryption secure NTLM AES

Copyright © 2020

Center for Internet Security®