Encryption details for COM+ Packet Privacy


What kind of encryption does COM+ use when "Packet Privacy" is selected as the Authentication Level?

https://learn.microsoft.com/en-us/windows/win32/cossdk/setting-an-authentication-level-for-a-server-application

Packet Privacy. Authenticates credentials and encrypts the packet, including the data and the sender's identity and signature.

I have read the above article but it does not provide details about the type of encryption used. DPAPI? TLS? cipher? etc.

I know this is old tech, but we have some legacy apps still using this communication protocol and we would like to assess if it meets the corporate security standards.


1 answer

Tamás Somogyi

In short, it looks like NTLMSSP v1 is used, which is nowadays considered to be insecure.

Wireshark capture of the DCERPC packet showing NTLMSSP Verifier - Version Number: 1.

See also https://learn.microsoft.com/en-us/windows/win32/com/ntlmssp

Answer from Microsoft Support:

What encryption algorithm is the default, and if there is any way to specify the default? Kerberos supports multiple encryption/signature algorithms, and the KDC will select the algorithms that will be used by the session depending on the server’s capabilities and the KDC configuration. If you are using Windows domain controllers, the server capabilities are stored in the msDS-SupportedEncryptionTypes LDAP attribute, but allowed encryption types can also be specified via Group Policy. More information is available at https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797. The TLS protocol family implemented by Schannel similarly allows the client and server to negotiate the selected cipher suite used to perform encryption / MAC operations according to their mutual capabilities / configurations. Once again, there are Group Policy settings that the users can use to restrict the allowed cipher suites according to their requirements.

What encryption algorithm does NTLMSSP use? NTLMv1 is disabled at this point in time as it is considered to be extremely insecure. Vista and above will refuse to use NTLMv1 for outgoing NTLM authentication by default, but Group Policy configuration is needed if the customer desires to block incoming use of NTLMv1 from devices that claim not to support NTLMv2. NTLMv2 uses HMAC-MD5 for signing/integrity, but still uses RC4 for encryption/sealing as described in. There are no other alternative algorithms currently available for NTLM, but you can configure Group Policy options to audit / block incoming and outgoing NTLM authentication.

Is there any way to specify the default security/encryption provider outside of programmatic changes? No, there's no way to specify the default security service provider outside of programmatic changes. If no SSP is specified programmatically, COM will just enumerate the security packages available and will use any of them. So if the customer doesn't want to use NTLM because it's using the RC4 algorithm for encryption, they should specify one programmatically.
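The Microsoft Support reply above states what Packet Privacy actually amounts to when NTLM is the negotiated SSP: HMAC-MD5 for the signature and RC4 for sealing. The following is an added worked example, not code from the question, the answer or Microsoft, that carries out that SIGN/SEAL computation for one direction (client to server) of an NTLMv2 session with extended session security and key exchange, as specified in MS-NLMP section 3.4.4.2, and parses the 16-byte NTLMSSP verifier that Wireshark labels "Version Number". The 16-byte session key and the message are constructed sample inputs; the RC4 implementation is inline because the Python standard library does not ship one. Note that MS-NLMP defines the Version field of that verifier as the constant 0x00000001 for both NTLMv1 and NTLMv2, so it identifies the signature structure, not the NTLM version negotiated in the AUTHENTICATE_MESSAGE.

```python
import hashlib
import hmac
import struct

# Direction-specific magic constants from MS-NLMP 3.4.5.2 / 3.4.5.3.
# Only the client-to-server direction is modelled here.
SIGN_MAGIC = b"session key to client-to-server signing key magic constant\x00"
SEAL_MAGIC = b"session key to client-to-server sealing key magic constant\x00"


class RC4:
    """Minimal RC4 stream cipher. It keeps its keystream position between calls,
    which is exactly what NTLM's sealing 'handle' is."""

    def __init__(self, key: bytes):
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data: bytes) -> bytes:
        S = self.S
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(b ^ S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)


def sign_key(exported_session_key: bytes) -> bytes:
    # MS-NLMP 3.4.5.2: SignKey = MD5(ExportedSessionKey || magic)
    return hashlib.md5(exported_session_key + SIGN_MAGIC).digest()


def seal_key(exported_session_key: bytes, key_bits: int = 128) -> bytes:
    # MS-NLMP 3.4.5.3: 128-bit uses the whole key, 56-bit the first 7 bytes, 40-bit the first 5.
    prefix = {128: 16, 56: 7, 40: 5}[key_bits]
    return hashlib.md5(exported_session_key[:prefix] + SEAL_MAGIC).digest()


def parse_signature(sig: bytes) -> dict:
    """Split a 16-byte NTLMSSP_MESSAGE_SIGNATURE (the DCERPC auth verifier) into its fields."""
    version, checksum, seqnum = struct.unpack("<I8sI", sig)
    return {"version": version, "checksum": checksum, "seqnum": seqnum}


class NtlmSession:
    """One direction of an NTLMv2 session with NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    and NTLMSSP_NEGOTIATE_KEY_EXCH, i.e. what RPC_C_AUTHN_LEVEL_PKT_PRIVACY gets over NTLM."""

    def __init__(self, exported_session_key: bytes):
        self.signing_key = sign_key(exported_session_key)
        self.handle = RC4(seal_key(exported_session_key))
        self.seq = 0

    def _mac(self, message: bytes) -> bytes:
        seq = struct.pack("<I", self.seq)
        checksum = hmac.new(self.signing_key, seq + message, hashlib.md5).digest()[:8]
        checksum = self.handle.crypt(checksum)  # KEY_EXCH: the checksum is RC4-encrypted too
        self.seq += 1
        return struct.pack("<I", 1) + checksum + seq  # Version is the constant 0x00000001

    def seal(self, message: bytes):
        # Message bytes go through the RC4 keystream first, then the 8 checksum bytes.
        sealed = self.handle.crypt(message)
        return sealed, self._mac(message)

    def unseal(self, sealed: bytes, signature: bytes):
        # The receiver consumes the keystream in the same order, so its recomputed
        # signature matches the sender's only if the ciphertext and sequence are intact.
        message = self.handle.crypt(sealed)
        expected = self._mac(message)
        return hmac.compare_digest(expected, signature), message
```

The security-relevant observations fall straight out of the code: confidentiality rests on a single RC4 keystream per direction that is never re-keyed, the integrity tag is a truncated 64-bit HMAC-MD5, and the only replay protection is the 32-bit sequence number. Before relying on this implementation for anything beyond illustration, cross-check it against the test vectors in MS-NLMP section 4.2.4.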