One of the things I absolutely love about my job is being
thrown into the deep end of the rapids with little to no time to prepare given the opportunity to try new things and new technologies, pushing me out of my comfort zone. It normally goes okay.
Case in point: a client of ours recently was investigating WinRM and whether or not it was secure, leading me down a rabbit hole of Certificates, Enterprise CA’s, SSL Handshakes, WireShark and more.
At the end of the initiative, I was asked to write up a summary to answer the question
In this post, I’ll talk us through my findings after days of research and testing, stepping through the default settings and some edge cases, hopefully covering the minimum you need to know in a short little post.
Consider the following scenario: two computers, both members of the same domain. We run
winrm quickconfig on both computers and don’t take any additional steps to lock things down. Is it secure? Are credentials or results passed in the clear? Until stated otherwise, assume HTTP until I mention it again.
From the very first communications and with no additional configuration, connections between the two computers will use Kerberos for initial authentication. If you’re not familiar with it, the bare minimum to know is that Kerberos is a trusted mechanism which ensures that credentials are strongly protected, and has a lot of nifty features like hashing and tickets which are used to ensure that raw credentials never go over the wire. So, domain joined computers do not pass creds in the clear. Continue reading