Securing (SSL) WINRM connection to remote servers

Ronald K.
New Contributor

Honolulu uses WinRM via TCP/5985 to connect to remote servers. Only, to my knowledge, WinRM via TCP/5985 is not encrypted by default. How can we use Project Honolulu with WinRM via HTTPS (TCP/5986)?

3 Replies
Stupidest limitation ever! In our Enterprise we only use WinRM HTTPS TCP/5986 as you should be doing for Infrastructure mgmt.... I was really looking forward to using this, but it's so slow between clicks & this is definitely a showstopper. 1st I had to allow it to talk to the internet due to signature verification 1x even though it's touted as being offline ready & now this...

Actually, WinRM over HTTP is encrypted if you don't use Basic or Digest authentication.

https://foxdeploy.com/2017/02/08/is-winrm-secure-or-do-i-need-https/

 

The communication is still encrypted, but you can't verify server identity. A hacker can steal the NTLM hash and crack it.

 

Everything is good if your machines are in a domain. Kerberos is used in this case.
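
The settings that decide whether the reply above holds on a given machine can be read from the WSMan: drive. The following is an added example, not part of the original thread or of Honolulu: a read-only audit that assumes an elevated PowerShell session with the WinRM service running; the function name `Get-WinRMTransportAudit` is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of local WinRM settings.
function Get-WinRMTransportAudit {
    [CmdletBinding()]
    param()

    # Settings that allow cleartext messages or the Basic/Digest schemes,
    # which the reply names as the cases where HTTP traffic is not protected.
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Risk = 'Service accepts unencrypted messages' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Risk = 'Service accepts Basic authentication' }
        @{ Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Risk = 'Client may send unencrypted messages' }
        @{ Path = 'WSMan:\localhost\Client\Auth\Basic';        Risk = 'Client may use Basic authentication' }
        @{ Path = 'WSMan:\localhost\Client\Auth\Digest';       Risk = 'Client may use Digest authentication' }
    )
    foreach ($c in $checks) {
        $value   = (Get-Item -Path $c.Path).Value
        $finding = if ($value -eq 'true') { $c.Risk } else { 'OK' }
        [pscustomobject]@{ Setting = $c.Path; Value = $value; Finding = $finding }
    }

    # TrustedHosts lists targets the client will contact without mutual
    # authentication (the NTLM case in the reply) unless HTTPS is used.
    $trusted = (Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value
    $finding = if ($trusted) { 'Server identity not verified over HTTP for these hosts' } else { 'OK' }
    [pscustomobject]@{ Setting = 'WSMan:\localhost\Client\TrustedHosts'; Value = $trusted; Finding = $finding }

    # Each listener is a container whose children hold Transport, Port, Enabled, etc.
    foreach ($listener in Get-ChildItem -Path 'WSMan:\localhost\Listener') {
        $props = @{}
        Get-ChildItem -Path $listener.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        $finding = if ($props['Transport'] -eq 'HTTPS') {
            'OK (TLS with server certificate)'
        } else {
            'HTTP: protection depends on Kerberos/Negotiate message encryption'
        }
        [pscustomobject]@{
            Setting = "Listener $($props['Transport']) port $($props['Port'])"
            Value   = "Enabled=$($props['Enabled'])"
            Finding = $finding
        }
    }
}

Get-WinRMTransportAudit | Format-Table -AutoSize -Wrap
```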

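We are tracking this request here, please add your vote: https://windowsserver.uservoice.com/forums/295071-management-tools/suggestions/34562473-use-winrm-over-ssl-port-5986-to-connect-to-remote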