Wednesday, October 20, 2010

WinRM

What is it? Well, it appears that it is a way to manage Windows systems over HTTP or HTTPS. This just sounds like a bad idea to me! I haven't looked much into this yet, so I cannot say it is definitely a bad idea just yet. So it seems I can remotely get system information, including disk and process information, start or stop services, or make system changes.

So, why would this be a bad idea? Well, first of all, it supports HTTPS, which is a secure web protocol. That's a good thing, right? Doesn't that take away some of the problem? NO! Now an attacker has secure communications to your workstations! This is going to bypass your network security defenses, unless of course you are using some sort of SSL man-in-the-middle that allows you to see into encrypted sessions. Since most are not doing that, this is a serious risk.
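When the session content is encrypted, flow metadata is still visible to network monitoring. The following is an added example, not part of the original post: it flags WinRM connections to workstations from unapproved sources. It assumes the default WinRM 2.0 listener ports (5985 for HTTP, 5986 for HTTPS); the log format, address ranges, and admin host are constructed for illustration.

```python
import ipaddress

# Default WinRM 2.0 listener ports (assumption: listeners left on defaults).
WINRM_PORTS = {5985: "HTTP", 5986: "HTTPS"}

# Hypothetical environment: workstation range and approved management hosts.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
ADMIN_HOSTS = {ipaddress.ip_address("10.1.1.10")}

# Constructed flow records: "timestamp src dst dst_port bytes"
SAMPLE_FLOWS = """\
2010-10-20T09:00:01 10.1.1.10 10.20.4.17 5986 18230
2010-10-20T09:03:44 10.20.7.3 10.20.4.17 5986 90412
2010-10-20T09:05:10 10.20.7.3 10.20.9.50 5985 1204
2010-10-20T09:06:02 10.20.7.3 10.30.0.5 443 5120
2010-10-20T09:07:30 203.0.113.8 10.20.4.17 5986 77100
malformed line here
"""


def find_unexpected_winrm(flow_text, workstation_net=WORKSTATION_NET,
                          admin_hosts=ADMIN_HOSTS):
    """Return WinRM flows to workstations that do not come from an admin host."""
    alerts = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        ts, src, dst, port, _nbytes = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if port not in WINRM_PORTS or dst_ip not in workstation_net:
            continue  # not WinRM, or not aimed at a workstation
        if src_ip in admin_hosts:
            continue  # expected management traffic
        reason = ("workstation-to-workstation" if src_ip in workstation_net
                  else "outside source")
        alerts.append((ts, src, dst, WINRM_PORTS[port], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_winrm(SAMPLE_FLOWS):
        print(alert)
```
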

Think of it this way. In my last post I was discussing how I was attempting to bypass application whitelisting by attempting to provide a valid signature which would be trusted on such a system. Why would I do that now if I can use WinRM, which is probably not only signed by Microsoft, but is also a Microsoft built-in tool (on Vista and above)? Of course this tool is going to be trusted. Now it's even easier to control your system without using these evasion techniques.

Expect to see more from me on this. I'm going to continue to test it out and see how far one can actually go with this technology.
