Score:0

Is WinRM/PSSessions using TrustedHosts less secure than DCOM (or whatever classic Windows remote access is)?


I have forever been accessing remote machines with things like file shares (\\serverName\share) and using PowerShell commands that take a -ComputerName parameter. If I do this for a machine in a remote domain, I have to provide the -Credential argument. And that all works fine. I think that's called DCOM. I can also access WMI like that. However, when I try to use Enter-PSSession to the remote machine, it does not work because of some Kerberos thing. Supposedly, the difference is that Kerberos provides mutual authentication of the machines. But, if I am accessing a machine in a remote domain, it is not using Kerberos anyway for the DCOM style transactions. So, if I make the PSSession work by putting the remote machine into my WinRM TrustedHosts (and naming it with the IP address) instead of setting up a certificate infrastructure (and thus not having any machine authentication), is that really any worse than the DCOM commands I've been running forever? I've seen people write things like, "only use this on test machines, not a production environment" because the connection is not encrypted. But, the transaction of credentials is supposedly still encrypted. If it is OK to use -ComputerName and -Credential with other commands, what's the difference?

Score:0

Yes it is less secure.

NTLM (which is the authentication protocol used) is technically less secure. You are presenting your credentials to a host. And NTLM does not offer authentication of the host to the client. It's straightforward for an attacker to impersonate that host at that IP address.

In a Kerberos environment you do not present your credentials to the host; you present credentials to a separate authentication server, it provides a token, and that token is then presented for authentication. The credentials are presented to fewer hosts, which are more secure than a typical server.

If Basic Authentication is enabled and used instead of Negotiate/NTLM, those credentials are sent over the wire unencrypted, which is obviously bad. However after authentication, the session is encrypted at the message level regardless of the HTTP/HTTPS transport scheme. Basic+HTTP and Digest authentication methods should never be enabled/used.

Most organizations don't do this because it wouldn't pass an audit. In workgroup scenarios, certificates are nearly always used.

https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.3

https://devblogs.microsoft.com/powershell/compromising-yourself-with-winrms-allowunencrypted-true/

https://adamtheautomator.com/psremoting/
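As an added illustration, not code from the question or the answer above, the following PowerShell script audits the WinRM settings the answer refers to (AllowUnencrypted, Basic auth, TrustedHosts, HTTP-only listeners) on the local host, and provides a session helper that demands Kerberos explicitly so a connection fails rather than letting Negotiate quietly fall back to NTLM against a TrustedHosts entry. The host name appsrv01.corp.example is a placeholder; the cmdlets and WSMan: paths are the standard ones shipped with Windows PowerShell.

```powershell
# Added example, not code from the question or the answer: audit the WinRM
# settings discussed above and show how to require Kerberos explicitly.
# Run in an elevated PowerShell session on the machine being audited.
# Host names (appsrv01.corp.example) are placeholders.

function Get-WinRmRiskReport {
    <#
      Reads the WSMan: drive on the local host and returns one line per
      weak setting found. An empty result means none of the checked
      settings is in a risky state.
    #>
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # Service side: what this host accepts from remote clients.
    $svcUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $svcBasic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $svcKerberos    = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value

    # Client side: how this host behaves when it connects to others.
    $cliUnencrypted = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
    $cliBasic       = (Get-Item WSMan:\localhost\Client\Auth\Basic).Value
    $trustedHosts   = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    if ($svcUnencrypted -eq 'true') {
        $findings.Add('Service\AllowUnencrypted=true: clients may negotiate away message-level encryption.')
    }
    if ($cliUnencrypted -eq 'true') {
        $findings.Add('Client\AllowUnencrypted=true: this host is willing to send unencrypted WS-Man traffic.')
    }
    if ($svcBasic -eq 'true' -or $cliBasic -eq 'true') {
        $findings.Add('Auth\Basic=true: Basic auth is allowed; over HTTP the password crosses the wire in cleartext.')
    }
    if ($svcKerberos -ne 'true') {
        $findings.Add('Service\Auth\Kerberos=false: mutual authentication is unavailable even to domain clients.')
    }
    if (-not [string]::IsNullOrWhiteSpace($trustedHosts)) {
        $findings.Add("Client\TrustedHosts='$trustedHosts': these peers are reached with NTLM and are never authenticated back to this client; '*' or IP entries give the widest exposure.")
    }

    # Listeners: an HTTP-only listener means no transport-level server identity.
    $listeners = Get-ChildItem WSMan:\localhost\Listener
    $hasHttps  = $listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if (-not $hasHttps) {
        $findings.Add('No HTTPS listener: server identity rests on Kerberos alone; non-domain clients get no server authentication.')
    }

    return $findings
}

function New-StrictRemoteSession {
    <#
      Opens a PSSession that will not silently fall back to NTLM. Give the
      DNS name of the target (not an IP) so a Kerberos service ticket can be
      requested; with -UseSSL the listener certificate supplies server
      identity for peers outside the domain.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [pscredential] $Credential,
        [switch] $UseSSL
    )

    $params = @{ ComputerName = $ComputerName }
    if ($UseSSL) {
        # HTTPS: the server certificate authenticates the host; Negotiate is fine here.
        $params.UseSSL = $true
    } else {
        # HTTP: insist on Kerberos so a missing trust path errors out instead of
        # Negotiate quietly choosing NTLM against a TrustedHosts entry.
        $params.Authentication = 'Kerberos'
    }
    if ($Credential) { $params.Credential = $Credential }

    New-PSSession @params
}

# Usage (placeholder host name):
# Get-WinRmRiskReport | ForEach-Object { Write-Warning $_ }
# $s = New-StrictRemoteSession -ComputerName 'appsrv01.corp.example' -Credential (Get-Credential)
# Invoke-Command -Session $s -ScriptBlock { hostname }
```

The audit reads only the WSMan: configuration drive, so it can be run from a scheduled job or a configuration-drift check without touching remote hosts. The session helper deliberately leaves out `-Authentication Negotiate` for the HTTP case: Negotiate is what makes the TrustedHosts fallback invisible to the operator, which is the exact situation the answer is warning about.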

Roman: But this is my point. When I am using "classic" (as opposed to WinRM) commands from one machine to a machine in another domain, I am also going to be using NTLM and not Kerberos. So, the question was whether that was somehow more secure than WinRM with HTTP. So, as far as I can tell, there is no Kerberos either way. So, why are there warnings about one thing and not the other when neither is using Kerberos?

Answerer: @Roman: WinRM uses NTLM just like native commands do. That is less secure than Kerberos due to the numerous reasons stated. WinRM with HTTP is even worse; it sends credentials unencrypted over the wire and to the target host.

Roman: According to your second link and https://www.foxdeploy.com/blog/is-winrm-secure-or-do-i-need-https.html, it only sends credentials unencrypted if you use Basic and set AllowUnencrypted. I won't do that. So, I have not heard anything that shows classic DCOM/native commands to be *more secure* than WinRM over HTTP (my question). The only flaw in WinRM over HTTP I see is that the server's identity is not authenticated. But, I think that is also true of classic DCOM. Am I missing something, or are they the same?

Answerer: @Roman: It isn't possible to use HTTP authentication without sending credentials unencrypted. So it must be using NTLM, which is less secure because it presents credentials/hashes to the host, and the server identity is not validated. Not a WinRM best practice. As a compensating control, those types of accounts on the target can be limited to those specific hosts/reduced target surface.

Roman: You yourself just said that WinRM uses NTLM in this scenario and thus credentials are encrypted. I just confirmed that with a packet capture. I found the user name in clear text in one place, but not the password, and the application session was also encrypted (the question and result).

Answerer: @Roman: If you are looking for confirmation that what you are doing isn't less secure than the way 99% of organizations use this (Kerberos or HTTPS), you're probably going to come up short. You may want to try the Information Security StackExchange, although I suspect they will have the same observations. https://security.stackexchange.com/

Roman: I am not, and I keep trying to say that I am not comparing Kerberos to NTLM, but it seems like you just won't hear that. I know Kerberos is better and will use it whenever possible.