I'm in the planning/design stages of a project which will incorporate an internal server that communicates with internal clients. A quick summary of how this server will behave is as follows: end-users will make calls/commands to the server and depending on the information received by the server, it will initiate a psexec command back to the client to perform a function. The server does the processing/checks to tell if the command/circumstance is valid and runs a psexec process back to the client.

Is SSL really necessary? I'm under the impression that the latest version of psexec encrypts the data being sent to a computer.

The commands/calls being sent to the server don't include anything confidential.

Everything is internal - will only be needed to work on a LAN.

Is there something I am missing that would support SSL being used all the time? Are there times where it's really just not necessary? I understand that more security is better than none, but I feel like there must be moments when it's not necessary? Maybe?

schroeder
pat17
  • 1
    Potential duplicates: https://security.stackexchange.com/questions/191257/is-it-really-necessary-to-deploy-interal-ssl-in-private-network-mpls and https://security.stackexchange.com/questions/152019/is-it-acceptable-for-an-internal-hr-site-to-run-over-http and https://security.stackexchange.com/questions/178750/what-is-the-risk-of-using-http-on-an-internal-webserver and https://security.stackexchange.com/questions/227020/is-https-required-for-local-network-server-to-server-communication – schroeder Nov 04 '20 at 08:03
  • 1
    "Required" is the wrong question. You use security controls to manage ***risk***. If there is no risk, there is no need for the control. I think what you want to ask (yourself and then us) is, "what are the risks?" – schroeder Nov 04 '20 at 08:38

0 Answers