Windows Event Forwarding Transport Encryption with Kerberos?
Hello out there,
I would like to use Windows Event Forwarding, but I have a requirement that the traffic between Windows Event Collector and the endpoints should be encrypted.
On Microsoft web pages I find contradictory statements about whether transport encryption exists for this.
On the one hand they say that the connection is encrypted by Kerberos (probably by WinRM) (https://learn.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#are-wef-events-encrypted-i-see-an-httphttps-option), and on the other hand that it is better to use IPsec or certificates to secure the transport of the log data.
I had always understood Kerberos as an authentication protocol and not as a transport encryption protocol (at least not primarily).
My question: Does Kerberos encrypt the log data between the Windows Event Collector and the endpoints or only the authentication information of Kerberos?
1 Reply
- Bastillilo (Copper Contributor): My guess: WEF uses WinRM > WinRM uses Kerberos in the domain > Kerberos uses Message-Level Encryption based on the encryption types defined by GPO or Regkey
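
One way to inspect, on a collector or endpoint, the settings the reply refers to: whether WinRM accepts unencrypted payloads, and which Kerberos encryption types the policy registry value allows. This is an added example, not part of the original thread; the helper name `ConvertFrom-KerberosEncTypeMask` is hypothetical, and the script assumes an elevated session with the WinRM service running.

```powershell
# Added example (read-only): report WinRM message-encryption settings and the
# Kerberos encryption types allowed by policy on the local machine.

function ConvertFrom-KerberosEncTypeMask {   # hypothetical helper name
    param([Parameter(Mandatory)][uint32]$Mask)
    # Bit values of the SupportedEncryptionTypes DWORD.
    $names = [ordered]@{
        'DES_CBC_CRC'             = 0x01
        'DES_CBC_MD5'             = 0x02
        'RC4_HMAC'                = 0x04
        'AES128_CTS_HMAC_SHA1_96' = 0x08
        'AES256_CTS_HMAC_SHA1_96' = 0x10
    }
    $names.GetEnumerator() |
        Where-Object { ($Mask -band [uint32]$_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# WinRM: AllowUnencrypted = false means unencrypted payloads over HTTP are refused.
$winrm = [pscustomobject]@{
    ServiceAllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    ClientAllowUnencrypted  = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
    ServiceKerberosAuth     = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value
    ClientKerberosAuth      = (Get-Item WSMan:\localhost\Client\Auth\Kerberos).Value
}
$winrm | Format-List

# Kerberos: value written by the GPO "Network security: Configure encryption
# types allowed for Kerberos". Absent means the OS defaults apply.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$policy = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    'SupportedEncryptionTypes: not configured by policy (OS defaults apply)'
} else {
    $mask    = [uint32]$policy.SupportedEncryptionTypes
    $enabled = @(ConvertFrom-KerberosEncTypeMask -Mask $mask)
    'SupportedEncryptionTypes: 0x{0:X} -> {1}' -f $mask, ($enabled -join ', ')

    # DES and RC4 are the legacy types to flag in a review.
    $legacy = @($enabled | Where-Object { $_ -like 'DES*' -or $_ -eq 'RC4_HMAC' })
    if ($legacy.Count -gt 0) {
        Write-Warning ('Legacy Kerberos encryption types allowed: ' + ($legacy -join ', '))
    }
}

if ($winrm.ServiceAllowUnencrypted -eq 'true' -or $winrm.ClientAllowUnencrypted -eq 'true') {
    Write-Warning 'WinRM is configured to allow unencrypted traffic.'
}
```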