Score:0

Does Windows Server 2012 R2 really support only one server signature algorithm?

sk flag

I'm neither a Windows expert nor an information security expert. Recently I inherited some Windows Server 2012 R2 hosts that I have to manage. For reasons explained in this other post, I realized (using sslscan with the --show-sigs option against the WinRM port 5986) that all those hosts only support one Server Signature Algorithm, namely rsa_pkcs1-sha1 (see screenshot below).

enter image description here

  • Is it true that this is the only supported Server Signature Algorithm in Windows Server 2012 R2?
  • Is it possible to add more algorithms to the list? If yes, how?
Score:1
us flag

I don't believe this has anything to do with the Windows operating system version. WinRM on the server you are scanning is configured to use a specific certificate for HTTPS. The certificate which is configured was created using the SHA-1 algorithm. So what you need to do is to get a new certificate and then configure WinRM to use it.

It might be worth checking if a suitable certificate is already installed on the server, so you might not even need to request a new one.

Another thing to consider is that changes like that might break some older scripts or apps, which for some reason would not accept a new certificate. So proper testing and a rollback plan are in order.

cn flag
I think it must have a certificate, otherwise it would not bind to tcp/5986. But that would be the first thing to check. Most internal Windows CAs had only SHA1 for a long time, and it was a non-trivial change to enable SHA256.
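
One way to carry out the check suggested in the answer and comment above, as an added example that is not part of the original thread: it reads the certificate bound to the WinRM HTTPS listener, reports its signature algorithm, and lists already-installed certificates that could replace it. The helper name `Get-CertSummary` and the `<NEW-THUMBPRINT>` placeholder are assumptions for illustration; run it in an elevated PowerShell session on the server.

```powershell
# Added example: read-only inventory of the WinRM HTTPS listener certificate.
# Get-CertSummary is a hypothetical helper defined here, not a built-in cmdlet.
function Get-CertSummary($cert) {
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SigAlg     = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        NotAfter   = $cert.NotAfter
        HasKey     = $cert.HasPrivateKey
    }
}

$store = Get-ChildItem Cert:\LocalMachine\My

# 1. Which certificate is each HTTPS listener (port 5986) bound to?
$listeners = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }

foreach ($l in $listeners) {
    $path  = "WSMan:\localhost\Listener\$($l.Name)"
    $thumb = (Get-ChildItem $path | Where-Object Name -eq 'CertificateThumbprint').Value
    $thumb = ($thumb -replace '\s', '').ToUpper()
    $bound = $store | Where-Object Thumbprint -eq $thumb

    if ($bound) {
        "Listener $($l.Name) is bound to:"
        Get-CertSummary $bound | Format-List
    } else {
        "Listener $($l.Name): thumbprint '$thumb' not found in LocalMachine\My"
    }
}

# 2. Installed certificates that could replace it: private key present, not expired,
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1), and not signed with SHA-1.
$serverAuth = '1.3.6.1.5.5.7.3.1'
$store | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuth) -and
    $_.SignatureAlgorithm.FriendlyName -notmatch 'sha1'
} | ForEach-Object { Get-CertSummary $_ } | Format-Table -AutoSize

# 3. Rebinding (left commented out; do this only after testing and with a rollback plan):
# Set-Item -Path "WSMan:\localhost\Listener\<listener name>\CertificateThumbprint" `
#          -Value '<NEW-THUMBPRINT>'
```

Record the current thumbprint from step 1 before changing anything, so the listener can be pointed back at the old certificate if older scripts or apps reject the new one.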