Specify channel binding token hardening level

Question

What "Specify channel binding token hardening level" Policy does in WinRM Service?

Thanks

Answer 1

Hi,
With this policy, users could set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens, provided with three options:

• Strict: If a channel-binding token is provided by the client, the service SHOULD use that information when authenticating the user, and the service MUST process the request. If a channel-binding token is not provided, the service SHOULD NOT process the request and SHOULD return a failure.
• Relaxed: If a channel-binding token is provided by the client, the service SHOULD use that information when authenticating the user. Whether or not a channel-binding token is provided, the service MUST process the request.
• None: The service SHOULD ignore any channel-binding token provided by the client, and the service MUST process the request.

The value of this element is relevant only when the connection is over HTTPS. When the connection is over HTTP, the service MUST ignore any channel-binding token provided by the client, and the service MUST process the request.

Reference links:
RemoteManagement/SpecifyChannelBindingTokenHardeningLevel
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#remotemanagement-specifychannelbindingtokenhardeninglevel
2.2.4.34 ServiceAuthType
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsmv/e4e963f4-cae9-4821-9efa-65e8f839a30b

----------

Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny

Answer 2

excellent answer. thanks, JennyYan