WinRM HSTS

Raymond Brooks 106 Reputation points
2020-09-28T17:23:37.507+00:00

Hi everyone, I'm doing some security scans for PCI and I keep getting flagged for HSTS on WinRM. I know how to fix it for IIS, but I have no clue where to begin for WinRM; I didn't even know HSTS on WinRM was a thing. Does anyone have any advice on this? Or even a way for me to justify, for auditing purposes, that patching it isn't required because it's internal with an internal cert?

Any help would be greatly appreciated :) Thanks in advance!

Tags: Windows Server 2016, Windows Server Management, Windows Server Security

1 answer

  1. Jenny Yan-MSFT 9,326 Reputation points
    2020-09-29T02:50:17.223+00:00

    Hi,
    From searching, I found no information on HSTS specifically for WinRM, only on configuring WinRM for HTTPS to encrypt the data being sent across the wire.

    Not sure if these are useful clues, but I would like to post some search results here:

    1. HSTS is the great little response header that tells a browser to always use SSL/TLS to communicate with your site. It doesn't matter if the user, or a link they are clicking, specifies HTTP, HSTS will remove the ability for a compatible browser to use HTTP and will enforce the use of HTTPS.
      https://scotthelme.co.uk/hsts-preloading/
    2. The WinRM protocol considers the channel to be encrypted if using TLS over HTTP (HTTPS) or using message level encryption. Using WinRM with TLS is the recommended option as it works with all authentication options, but requires a certificate to be created and used on the WinRM listener.
      https://github.com/ansible/ansible/blob/devel/docs/docsite/rst/user_guide/windows_winrm.rst#winrm-encryption
    3. By default WinRM uses Kerberos for authentication so Windows never sends the password to the system requesting validation.
      https://video2.skills-academy.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Hope this helps, and please accept this as the answer if the response is useful.

    Thanks,
    Jenny
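
The answer above leaves the practical step implicit: WinRM exposes no HSTS setting, and HSTS is a header that browsers act on, while WinRM clients simply connect to whichever transport the listener offers. The control a practitioner can actually apply and show an auditor is an HTTPS-only listener: a certificate from the internal CA bound on 5986, the plain HTTP listener on 5985 removed, and unencrypted traffic refused. The script below is an added example for this thread, not code from either poster or from Microsoft. It assumes a server-authentication certificate issued by the internal CA is already in Cert:\LocalMachine\My with the host's FQDN as its subject, that it runs in an elevated PowerShell session on the target server, and that the firewall rule name and the `$Fqdn` variable are choices made here for illustration.

```powershell
# Added example: make WinRM HTTPS-only and verify what the listener presents.
# Assumptions (not from the thread): an internal-CA server certificate for this
# host already exists in Cert:\LocalMachine\My; run elevated on the server.

$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Pick a usable certificate: unexpired, private key present, name matches the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "CN=$Fqdn*" -or $_.DnsNameList.Unicode -contains $Fqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for $Fqdn found in Cert:\LocalMachine\My" }

# 2. Create the HTTPS listener (TCP 5986) if none is bound yet.
$https = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $https) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -Hostname $Fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
}

# 3. Remove the plain HTTP listener (TCP 5985) and refuse unencrypted sessions,
#    so there is no cleartext transport left for a client to fall back to.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 4. Allow 5986 through the host firewall (rule name is an assumption of this example).
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# 5. Verify. Test-WSMan confirms the WS-Management endpoint answers over TLS;
#    the raw SslStream handshake shows the negotiated protocol version and the
#    exact certificate the listener serves, which is what a scanner sees.
Test-WSMan -ComputerName $Fqdn -UseSSL | Out-Null

$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 5986)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    # Throws if the chain is not trusted by this machine, i.e. the internal CA is missing.
    $ssl.AuthenticateAsClient($Fqdn)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Protocol   = $ssl.SslProtocol
        Subject    = $remote.Subject
        Issuer     = $remote.Issuer
        Thumbprint = $remote.Thumbprint
        Expires    = $remote.NotAfter
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Two caveats worth knowing before running this. If the HTTP listener was created by Group Policy ("Allow remote server management through WinRM"), Group Policy will recreate it at the next refresh, so the change has to be made in the GPO rather than on the host. And because the certificate comes from an internal CA, the final handshake check only succeeds on machines that trust that CA; a scanner that does not trust it will still report the certificate chain even once the HTTP path is gone, which is a separate finding from the HSTS one.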