Jerry G. Young II
All,
I apologize if this is an extremely easy question but I was wondering what
people do to secure communications between a client and a server for remote
scripting when security is a concern.
By default (based on sniffing packets), it appears that account names are
passed in clear text while passwords are passed using NTLM. This is against
Windows 2000 and Windows 2003 servers from 2000/XP clients.
These results were gathered while using command line-based utilities only.
In particular, since the servers I need to run command line-based utilities
against are not part of any domain, I have to use the 'runas' command with
the '/netonly' switch to pass remote server credentials to the utility I
wish to use against the remote server. In my particular tests, I was using
the 'uptime' utility from the Windows 2000 Resource Kit.
Now, I know that servers can be set up to restrict communication to secure
channels. This isn't what I want to do because I'd have to visit thousands
of servers to make these changes. My understanding, though, is that Windows
2000 and Windows 2003 will default to the first requested form of
communication from a client. In this case, apparently NTLM. My question
is, is it possible to force the client (through a one-off command at the
command line or other script) to request a more secure channel with a remote
server?
For example, with WMI scripts, by setting the SWbemSecurity object to use an
authentication level of WbemAuthenticationLevelPktPrivacy, you're supposed
to be able to authenticate all previous impersonation levels and encrypt the
argument value of each remote procedure call. I'd like to do essentially
the same from the command line since the username and password should be an
argument value for the RPC made by the utility used.
If someone could help me out here, I'd greatly appreciate it.
Cordially yours,
Jerry G. Young II
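The WMI route described in the post, as an added example that is not part of the original message: a VBScript that requests WbemAuthenticationLevelPktPrivacy on the connection and reads the remote uptime from Win32_OperatingSystem instead of calling the Resource Kit utility. The script name and the two command-line arguments (server, account) are assumptions made for the example.

```vbscript
' Added example (not from the original post): remote uptime over WMI with packet privacy.
' Run as: cscript //nologo uptime-wmi.vbs <server> <user>   (script name is hypothetical)
Option Explicit
Const wbemImpersonationLevelImpersonate = 3
Const wbemAuthenticationLevelPktPrivacy = 6

Dim server, user, password, locator, services, os, secs
If WScript.Arguments.Count <> 2 Then
    WScript.Echo "usage: cscript //nologo uptime-wmi.vbs <server> <user>"
    WScript.Quit 1
End If
server = WScript.Arguments(0)
user = WScript.Arguments(1)

' Prompt rather than passing the password as an argument.
' Note: StdIn.ReadLine echoes the typed characters and only works under cscript.
WScript.StdOut.Write "Password for " & user & " on " & server & ": "
password = WScript.StdIn.ReadLine

' Request packet privacy on the locator before the connection is made.
Set locator = CreateObject("WbemScripting.SWbemLocator")
locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy
Set services = locator.ConnectServer(server, "root\cimv2", user, password)
password = ""

' Apply the same settings to every later call made through this connection.
services.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
services.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy

' Compare the server's own clock with its boot time so time zones cancel out.
For Each os In services.ExecQuery("SELECT LastBootUpTime, LocalDateTime FROM Win32_OperatingSystem")
    secs = DateDiff("s", DmtfToDate(os.LastBootUpTime), DmtfToDate(os.LocalDateTime))
    WScript.Echo server & " up " & (secs \ 86400) & "d " & _
        ((secs Mod 86400) \ 3600) & "h " & ((secs Mod 3600) \ 60) & "m"
Next

' Convert a DMTF datetime (yyyymmddHHMMSS.mmmmmm+UUU) to a VBScript Date, locale-independent.
Function DmtfToDate(s)
    DmtfToDate = DateSerial(CInt(Left(s, 4)), CInt(Mid(s, 5, 2)), CInt(Mid(s, 7, 2))) + _
                 TimeSerial(CInt(Mid(s, 9, 2)), CInt(Mid(s, 11, 2)), CInt(Mid(s, 13, 2)))
End Function
```

These security settings cover only the WMI calls this script makes; they do not change how a separate command-line utility launched through 'runas /netonly' authenticates.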