Hi there,
Currently, WinRM communication is set to use port 5985 over HTTP by default in . This means that all communication that takes place after initial authentication (credential exchange over Kerberos in a domain environment) can be decoded.
This also means that if using WinRM in a WORKGROUP environment (non-domain systems), NTLM would be used instead of Kerberos during initial authentication and credentials would be sent over the network in clear text.
To remedy this, one could use WinRM HTTPS over port 5986. This would provide secure authentication in both domain and non-domain environments, as well as encrypt all communication. So even if you have credentials included in the data that is being sent (ps, shell scripts, etc.), these credentials would be encrypted in the data.
To implement WinRM HTTPS over 5986 today, you would have to manually edit Nodes, either individually or in bulk, to enable WinRM HTTPS and change the port to 5986. While this does solve the problem for existing nodes, it does require manual intervention.
I am therefore suggesting to include an option to change default WinRM settings so that HTTPS is used on port 5986.
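
Pointing a node at port 5986 only works if the Windows host already has a WinRM HTTPS listener. The following is an added example, not part of the original post or of any product's own code, showing that host-side step. It assumes a certificate with the Server Authentication EKU and a DNS name matching the host is already installed in `Cert:\LocalMachine\My`; the firewall rule name is a constructed value.

```powershell
# Added example: enable a WinRM HTTPS listener on TCP 5986 (run elevated on the node).
# Assumption: a valid server certificate for this host already exists in LocalMachine\My.
param(
    [string]$DnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Pick the longest-lived usable certificate whose SAN/DNS list contains the host name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid -and
        $_.DnsNameList.Unicode -contains $DnsName
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid Server Authentication certificate for $DnsName in LocalMachine\My"
}

# Create the HTTPS listener only if none exists yet (default HTTPS port is 5986).
$httpsListener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }

if (-not $httpsListener) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $DnsName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
}

# Allow inbound 5986; the display name is a constructed value for this example.
$ruleName = 'WinRM HTTPS (5986)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# Confirm the listener answers over TLS and that the certificate validates for $DnsName.
Test-WSMan -ComputerName $DnsName -UseSSL
```

The script leaves the existing HTTP listener on 5985 in place; list `WSMan:\localhost\Listener` afterwards to see which transports the host still accepts.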