Advanced folder encryption file type

2/14/2023

In recent months Microsoft support has received a lot of questions regarding disabling RC4 for the encryption of Kerberos tickets. If I had to guess, the CIS L1 Baseline and RFC 8429 guidance to disable RC4 is likely responsible for much of that interest. While RC4 has not been formally deprecated in Active Directory, the evolution of an attack known as Kerberoasting provides a compelling reason to upgrade, given that RC4 encryption uses the weak NTLM hash as the key for encryption. As with many hardening settings, the decision to eliminate RC4 for Kerberos ticket encryption is not entirely cut and dry. To date, tickets encrypted with AES keys are not susceptible to Kerberoasting. Let’s take a look at the considerations and then you can decide how you want to move forward with improving your security posture in this area.

When Active Directory was first introduced, DES and RC4 were all the rage. In time, computational advancements made it possible to brute-force DES-encrypted tickets in a short amount of time, and RFC 6649 called for the retirement of DES. Even before RFC 6649 was formally published, Microsoft disabled DES by default with the release of Server 2008 R2 and Windows 7. If you were supporting Active Directory in 2009, you most likely did not even notice DES had been disabled by your newly upgraded domain controllers, because Active Directory is designed to select the highest level of encryption that is supported by both the client and the target of a Kerberos ticket.
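The two points above, that the KDC picks the strongest encryption type both sides support and that RC4-encrypted service tickets are the ones exposed to Kerberoasting, can be made concrete with a small model. The following is an added example, not code from the original post or from Microsoft. It assumes the standard Kerberos etype numbers (DES-CBC-CRC = 1, DES-CBC-MD5 = 3, RC4-HMAC = 23, AES128 = 17, AES256 = 18), an editor-chosen strength ranking, and constructed sample records shaped like the fields of Windows Security event 4769 (ticket granting service request); in a real domain the supported sets come from each account's `msDS-SupportedEncryptionTypes` attribute and the records from the Security log.

```python
"""Model of Kerberos encryption-type selection plus an RC4 usage check.

Assumptions (editor's, not from the page): etype numbers follow the RFC 3961/
3962/4757 assignments; STRENGTH_ORDER is the editor's own ranking; the event
records below are constructed samples, not real log data.
"""

ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    23: "rc4-hmac",                 # keyed from the NTLM hash
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}

# Weakest to strongest; "highest level" in the text maps to the last match here.
STRENGTH_ORDER = [1, 3, 23, 17, 18]

# DES is disabled by default on 2008 R2 / Windows 7 and later: model that by
# removing it from any supported set before negotiation.
DISABLED_BY_DEFAULT = {1, 3}


def select_etype(client_supported, target_supported):
    """Return the strongest etype both sides support, or None if there is no overlap.

    The intersection is what makes RC4 removal a two-sided decision: if either the
    client or the target account only offers RC4, RC4 is what gets used.
    """
    common = (set(client_supported) & set(target_supported)) - DISABLED_BY_DEFAULT
    for etype in reversed(STRENGTH_ORDER):
        if etype in common:
            return etype
    return None


# Constructed sample records in the shape of event 4769 fields (key=value pairs).
SAMPLE_4769 = [
    "EventID=4769 Account=alice ServiceName=MSSQLSvc/db01.corp.example TicketEncryptionType=0x17",
    "EventID=4769 Account=bob ServiceName=HTTP/web01.corp.example TicketEncryptionType=0x12",
    "EventID=4769 Account=alice ServiceName=krbtgt TicketEncryptionType=0x12",
    "EventID=4769 Account=carol ServiceName=CIFS/fs01.corp.example TicketEncryptionType=0x11",
    "EventID=4769 Account=bob ServiceName=svc_backup TicketEncryptionType=0x17",
]


def parse_4769(line):
    """Split one constructed 4769 record into account, service and numeric etype."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "account": fields["Account"],
        "service": fields["ServiceName"],
        "etype": int(fields["TicketEncryptionType"], 16),
    }


def rc4_service_tickets(lines):
    """Return (account, service) pairs whose service ticket was issued with RC4.

    These are the tickets a defender wants to drive to zero before removing RC4:
    each one names a service account that still negotiates the NTLM-keyed etype.
    """
    return [
        (rec["account"], rec["service"])
        for rec in map(parse_4769, lines)
        if rec["etype"] == 23
    ]


if __name__ == "__main__":
    chosen = select_etype({23, 17, 18}, {23, 18})
    print("negotiated:", ETYPE_NAMES[chosen])
    for account, service in rc4_service_tickets(SAMPLE_4769):
        print(f"RC4 ticket: {account} -> {service}")
```

Running `select_etype` with RC4 removed from only one side still yields AES as long as the other side offers it too, while a target that offers nothing but RC4 forces RC4; the 4769 filter is the inventory step that tells you which service accounts those are before you flip the setting.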