encryption for EvtOpenSession

  • Question

  • For EvtOpenSession, MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/aa385462(v=vs.85).aspx) says "To connect to the remote computer, the remote computer must enable the "Remote Event Log Management" (RELM for short) Windows Firewall exception". RELM seems to use dynamic RPC ports. Is data going through these ports encrypted? Thanks for any hint.




    • Edited by Leonjl Thursday, June 11, 2015 9:35 PM
    Thursday, June 11, 2015 9:35 PM

All replies

  • I'm not sure, but I think this should not be encrypted, this API needs the user's credentials before connecting to the remote machine, the data through this port should be encrypted.

    Best Regards,
    Please remember to mark the replies as answers if they help

    Friday, June 12, 2015 5:03 AM
  • Thanks for the help. You said it should not be encrypted, then said later that it should be encrypted. Which one do you mean?

    According to the RPC document (https://technet.microsoft.com/en-us/library/cc738291%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396), RPC has SSPI, which "Provides a security interface for RPC. Negotiates the use of Kerberos, NTLM, or Secure Sockets Layer (SSL) for authentication and encryption."

    Per https://technet.microsoft.com/en-us/library/dd566199(v=ws.10).aspx, "In Windows 7 and Windows Server 2008 R2, NTLM-based minimum session security policy is set to require a minimum of 128-bit encryption for both client computers and servers for new installations of Windows. This requires that all network devices and operating systems using NTLM support 128-bit encryption."

    Sounds like RPC with Windows logon does encrypt the communication. But it would be good to have this confirmed by experts.

     




    • Edited by Leonjl Friday, June 12, 2015 2:09 PM
    Friday, June 12, 2015 1:03 PM
  • My fellow did some research and tried to catch such RPC data before; he concluded that this API should be encrypted internally

    Best Regards,
    Please remember to mark the replies as answers if they help

    • Proposed as answer by learner jim Tuesday, January 30, 2018 11:05 AM
    Wednesday, July 1, 2015 11:35 AM
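
Added example, not part of the thread or of any Microsoft code: one way to check a captured connection-oriented DCE/RPC PDU for encryption is to read the authentication level from its security trailer, since only the packet-privacy level encrypts the call's data. The function names are hypothetical and the sample PDUs are constructed for the demo; the code makes no claim about which level EvtOpenSession negotiates.

```python
import struct

# Authentication levels carried in the DCE/RPC sec_trailer (RPC_C_AUTHN_LEVEL_*).
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
               5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
# Security providers (RPC_C_AUTHN_*) named in the thread: SPNEGO, NTLM, Kerberos.
AUTH_TYPES = {9: "SPNEGO", 10: "NTLM", 16: "KERBEROS"}
PTYPES = {0: "request", 2: "response", 11: "bind", 12: "bind_ack"}


def inspect_pdu(pdu: bytes) -> dict:
    """Parse one connection-oriented DCE/RPC PDU and report its protection."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 connection-oriented PDU")
    ptype = pdu[2]
    # High nibble of the first data-representation byte: 1 = little-endian.
    endian = "<" if pdu[4] >> 4 == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if frag_len > len(pdu):
        raise ValueError("truncated fragment")
    info = {"ptype": PTYPES.get(ptype, ptype), "call_id": call_id,
            "auth_type": None, "auth_level": "NONE", "encrypted": False}
    if auth_len == 0:
        return info  # no verifier: the stub data travels unprotected
    trailer_at = frag_len - auth_len - 8  # 8-byte sec_trailer precedes the token
    if trailer_at < 16:
        raise ValueError("auth_length inconsistent with frag_length")
    a_type, a_level, _pad, _rsvd = struct.unpack_from("4B", pdu, trailer_at)
    info["auth_type"] = AUTH_TYPES.get(a_type, a_type)
    info["auth_level"] = AUTH_LEVELS.get(a_level, a_level)
    info["encrypted"] = a_level == 6  # only PKT_PRIVACY encrypts the stub data
    return info


def build_sample(ptype: int, stub: bytes, a_type=None, a_level=0) -> bytes:
    """Constructed little-endian PDU for the demo; not real captured traffic."""
    auth = b""
    if a_type is not None:
        auth = struct.pack("<4BI", a_type, a_level, 0, 0, 0) + b"\x00" * 16
    auth_len = len(auth) - 8 if auth else 0
    head = struct.pack("<4B4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + len(stub) + len(auth), auth_len, 1)
    return head + stub + auth


if __name__ == "__main__":
    for pdu in (build_sample(0, b"A" * 24, 10, 6), build_sample(0, b"A" * 24)):
        print(inspect_pdu(pdu))
```

The PDU headers and the security trailer stay in cleartext even at packet privacy, which is why the level can be read from a capture without any keys.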