Security concerns with CredSSP?

by oogabooga at 2012-12-19 10:47:17

Are there any known security issues with using CredSSP with Remoting? If you look at the linked thread below, there is the following caption:

Caution: Credential Security Service Provider (CredSSP) authentication, in which the user’s credentials are passed to a remote computer to be authenticated, is designed for commands that require authentication on more than one resource, such as accessing a remote network share. This mechanism increases the security risk of the remote operation. If the remote computer is compromised, the credentials that are passed to it can be used to control the network session.

http://social.technet.microsoft.com/forums/en-ZA/sharepointgeneralprevious/thread/0f9c099c-858d-419e-94c3-f7e8671aa2a1

Which the guy posting deciphers as "Not recommended for production environments", which one of our engineers deciphers as "Microsoft says no to CredSSP in production. Please use Kerberos."

The only person that I’ve heard speak out about preferring Kerberos instead of CredSSP is Murawski, but it sounded like more of a preference and not a security issue. Do a lot of people out there use it? How much more overhead is it in general? I’m reluctant to change our whole strategy if 90% of people use CredSSP without concern because I’ve always used CredSSP going back to when 2.0 popped and had very few issues. So yeah, any information that I can use to make this guy go away would be welcome, or if there are reasons I need to stop using it those are welcome also.

Thoughts?

by DonJ at 2012-12-20 06:42:49

Well, that’s just stupid.

The security risk with CredSSP is that you’re delegating your credential to a computer, and allowing that computer to delegate it further. It isn’t that the protocol itself isn’t secure - it was just introduced in Vista, for pity’s sake, it’s not like it’s old.

And you mitigate that risk by being very careful which computers you allow to re-delegate your credentials. That’s why Enable-WsManCredSSP has a -DelegateComputer switch, and it’s why you don’t use a wildcard there (I discuss this in "Secrets of PowerShell Remoting," which is at PowerShellBooks.com if you’ve not run across it). You can also control the delegate list centrally in a GPO. So long as you’re only allowing re-delegation by trusted (e.g., belongs to the domain) computers, CredSSP is perfectly safe. It’s how you use it that offers a potential security risk.
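
The wildcard check described in the reply above, as an added example that is not part of the original thread: it reads the client-side CredSSP delegation lists from the Windows CredentialsDelegation policy key and flags wildcard entries. The function names and the sample entries are assumptions constructed for illustration.

```powershell
# Added example: audit which computers this client may delegate fresh credentials to.
# Policy key behind "Allow delegating fresh credentials"; each value is an SPN such as wsman/host.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredSSPDelegationTarget {
    # Hypothetical helper: returns every SPN entry in the two fresh-credential lists.
    foreach ($list in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $key = Join-Path $PolicyRoot $list
        if (-not (Test-Path $key)) { continue }   # list not configured on this machine
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ List = $list; Target = [string]$item.GetValue($name) }
        }
    }
}

function Test-CredSSPDelegationTarget {
    # Hypothetical helper: classifies one entry by how widely it allows delegation.
    param([Parameter(Mandatory)][string]$Target)
    $hostPart = ($Target -split '/', 2)[-1]       # strip the service prefix, e.g. "wsman/"
    $finding = 'Explicit host'
    if ($hostPart.Contains('*')) { $finding = 'Partial wildcard' }
    if ($hostPart -eq '*')       { $finding = 'Wildcard, any host' }
    [pscustomobject]@{ Target = $Target; Finding = $finding }
}

# Constructed sample entries, used only when no delegation policy is configured locally.
$sample  = 'wsman/*', 'wsman/*.corp.example', 'wsman/jump01.corp.example'
$targets = @(Get-CredSSPDelegationTarget | Select-Object -ExpandProperty Target)
if ($targets.Count -eq 0) { $targets = $sample }

$targets | ForEach-Object { Test-CredSSPDelegationTarget -Target $_ } | Format-Table -AutoSize
```

Any entry reported as a wildcard is a candidate for replacement with the explicit names of the computers that actually need to re-delegate credentials.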

by oogabooga at 2012-12-21 12:21:56

Thanks Don. I appreciate the prompt reply.

Enjoy your holidays.

by DonJ at 2012-12-21 12:30:05

No problem. You as well!

by cookie.monster at 2013-01-13 18:05:10

We use it on a few select endpoints for PowerShell Web Access. These endpoints are either servers or well-secured workstations (i.e. specific administrative workstations where e-mail and browsing are not performed).

As mentioned above, the risk is not that the protocol itself is insecure; the risk is that if you allow credential delegation on a computer and that computer is compromised, your credentials could be used for nefarious purposes.

I suspect your co-worker is looking to avoid political issues or the minimal work behind enabling CredSSP on a specified endpoint. Or they didn’t do their homework.