6 2 Removing RC4

The document outlines steps to enforce AES encryption in the Kerberos Authentication Protocol within Windows environments, including identifying and enabling AES support while keeping RC4 temporarily. It emphasizes the need to identify principals not using AES, reset account passwords, and disable non-AES256 encryption types selectively. Additionally, it provides guidance on using tools like PowerShell and GPO to enable AES support and manage ticket requests effectively.

Uploaded by idriss

Enforcing AES encryption type

Who is using RC4 encryption?

Enable AES support, keep RC4

Search for non AES256 tickets

Action principals not using AES

Confirm only AES is used, disable RC4

Kerberos Authentication Protocol in Windows


Identify Kerberos principals not using AES

• Identify and exclude Kerberos principals unable to use AES.

• Enable AES128 and AES256, without disabling RC4.

• Ticket request events: ID 4768 for TGT requests and ID 4769 for service ticket (TGS) requests.

• Ticket encryption types: RC4 is 0x17, AES128 is 0x11 and AES256 is 0x12.



Enable AES support in trusts, keep RC4

• Enable AES support in domain trusts using KSETUP tool.

• On parent domain DC:

• On child domain DC:



Verify trust eType configuration in ADSIEdit
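The two ksetup steps above and the ADSIEdit check, as an added example (not part of the slides): it enables AES on both sides of a parent/child trust with ksetup, then reads back the trust's msDS-SupportedEncryptionTypes attribute, which is the value ADSIEdit shows on the trustedDomain object under CN=System. It assumes a domain-admin session on a DC in each domain; corp.example (parent) and child.corp.example (child) are placeholder names.

```powershell
# Added example (not part of the slides). Placeholder domains: corp.example
# (parent) and child.corp.example (child).

# On a parent-domain DC: encryption types offered to the child trust.
# Keeping RC4-HMAC-MD5 in the list leaves RC4 working during the transition.
ksetup /setenctypeattr child.corp.example AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC-MD5

# On a child-domain DC: the same for the trust back to the parent.
ksetup /setenctypeattr corp.example AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC-MD5

# ksetup can read the setting back by trust name ...
ksetup /getenctypeattr child.corp.example

# ... and this reads every trustedDomain object of a domain, raw, the way
# ADSIEdit shows it (requires the ActiveDirectory module).
function Get-TrustEncryptionType {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $systemDn = "CN=System,$((Get-ADDomain -Server $Domain).DistinguishedName)"
    Get-ADObject -Server $Domain -SearchBase $systemDn -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties 'msDS-SupportedEncryptionTypes', 'trustPartner' |
        ForEach-Object {
            $raw = $_.'msDS-SupportedEncryptionTypes'
            # Bits: 0x4 RC4, 0x8 AES128, 0x10 AES256; the ksetup lines above
            # produce 0x1C. An absent attribute means RC4 only for a trust.
            $shown = if ($null -eq $raw) { 'not set' } else { '0x{0:X}' -f [int]$raw }
            [pscustomobject]@{
                Domain       = $Domain
                TrustPartner = $_.trustPartner
                EncTypes     = $shown
            }
        }
}

Get-TrustEncryptionType                              # this domain's trusts
Get-TrustEncryptionType -Domain child.corp.example   # the child's view of the trust
```

Run the two ksetup lines on a DC of the respective domain; the function can be run from either side, since it queries the named domain directly.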



Enable AES support for computers through GPO



Enable AES support in ADU&C



Enable AES support in ADU&C cont.



Enable AES support through PowerShell

• Target a single account, a container, an OU or a domain.
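An added example (not part of the slides) of what this step looks like in PowerShell: it enables AES128 and AES256 on accounts without removing RC4, targeting a single account, an OU or container, or the whole domain, and it reads back the per-computer registry value that the "Network security: Configure encryption types allowed for Kerberos" GPO sets. It assumes the ActiveDirectory module and rights on the targets; 'svc-sql' and 'OU=Servers,DC=corp,DC=example' are placeholder names.

```powershell
# Added example (not part of the slides). Assumes the ActiveDirectory module;
# 'svc-sql' and 'OU=Servers,DC=corp,DC=example' are placeholders.
Import-Module ActiveDirectory

function Enable-KerberosAes {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # A single account by sAMAccountName or distinguished name ...
        [Parameter(ParameterSetName = 'Single', Mandatory)][string]$Identity,
        # ... or everything under a DN: an OU, a container or the domain root.
        [Parameter(ParameterSetName = 'Scope', Mandatory)][string]$SearchBase
    )
    # RC4 stays in the list until the ticket hunt shows nobody still needs it.
    $want = 'AES128', 'AES256', 'RC4'
    if ($PSCmdlet.ParameterSetName -eq 'Single') {
        $targets = @(Get-ADObject -Filter "SamAccountName -eq '$Identity' -or DistinguishedName -eq '$Identity'" -Properties SamAccountName)
    } else {
        $targets = @(Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
            -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties SamAccountName)
    }
    foreach ($t in $targets) {
        # krbtgt is left for the final step of the rollout.
        if ($t.SamAccountName -eq 'krbtgt') { continue }
        if (-not $PSCmdlet.ShouldProcess($t.DistinguishedName, "KerberosEncryptionType = $($want -join ',')")) { continue }
        switch ($t.ObjectClass) {
            'computer' { Set-ADComputer -Identity $t.DistinguishedName -KerberosEncryptionType $want }
            'user'     { Set-ADUser     -Identity $t.DistinguishedName -KerberosEncryptionType $want }
            default    { Write-Warning "$($t.DistinguishedName): class $($t.ObjectClass) not handled (gMSAs use Set-ADServiceAccount)" }
        }
    }
    # The attribute only advertises AES; AES keys exist only once the account's
    # password was set after the domain gained AES support (see the reset step).
}

# The GPO lands in this registry value on each computer; read it to confirm the
# policy applied. A missing value means OS defaults, which include RC4 and AES.
function Get-KerberosPolicyEncryptionType {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $v) { return 'not configured (OS default)' }
    '0x{0:X}  RC4={1} AES128={2} AES256={3}' -f $v, [bool]($v -band 4), [bool]($v -band 8), [bool]($v -band 16)
}

Enable-KerberosAes -Identity 'svc-sql' -WhatIf
Enable-KerberosAes -SearchBase 'OU=Servers,DC=corp,DC=example' -WhatIf
Get-KerberosPolicyEncryptionType
```

Drop `-WhatIf` once the preview lists the intended objects; `-Confirm` prompts per object instead.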



Ticket request encryption type ID

Hunting down DES in order to securely deploy Kerberos
https://docs.microsoft.com/en-us/archive/blogs/askds/hunting-down-des-in-order-to-securely-deploy-kerberos

Ticket request encryption type ID 0x12 and 0x17
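The hunt described in the first section (event IDs 4768 and 4769, encryption type 0x17 versus 0x11/0x12) and the event screenshots this slide refers to, as an added example that is not part of the slides: it pulls Kerberos ticket request events from a DC's Security log and reports every successful request whose ticket encryption type is not AES256. It assumes Windows PowerShell 5.1 or later and event-log read rights on the DC named in -ComputerName; the `$sample` records are constructed so the reporting logic can be exercised offline.

```powershell
# Added example (not part of the slides). $sample is constructed data.

# TicketEncryptionType values as they appear in 4768/4769 events.
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

function Get-KerberosTicketRequest {
    # Live collection: one flat record per 4768/4769 event.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Account     = $d['TargetUserName']     # requesting user or computer
                Service     = $d['ServiceName']        # krbtgt for 4768, the SPN owner for 4769
                Client      = $d['IpAddress']
                Status      = $d['Status']             # 0x0 = ticket issued
                Etype       = $d['TicketEncryptionType']
            }
        }
}

function Find-NonAes256Request {
    # Pure reporting logic, so it runs on stored or constructed records too.
    param([Parameter(ValueFromPipeline)][psobject]$Request)
    begin { $all = @() }
    process { $all += $Request }
    end {
        $all |
            Where-Object { $_.Status -eq '0x0' -and $_.Etype -ne '0x12' } |
            ForEach-Object {
                # A non-AES TGT (4768) points at the requesting account's keys; a
                # non-AES service ticket (4769) points at the service account's keys.
                $p = if ($_.Id -eq 4769) { $_.Service } else { $_.Account }
                $_ | Add-Member -NotePropertyName Principal -NotePropertyValue $p -PassThru -Force
            } |
            Group-Object Id, Etype, Principal |
            ForEach-Object {
                $first = $_.Group[0]
                $name  = if ($EtypeNames.ContainsKey($first.Etype)) { $EtypeNames[$first.Etype] } else { 'unknown' }
                [pscustomobject]@{
                    EventId   = $first.Id
                    Etype     = $first.Etype
                    EtypeName = $name
                    Principal = $first.Principal
                    Requests  = $_.Count
                    LastSeen  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
                }
            } | Sort-Object Requests -Descending
    }
}

# Constructed sample records standing in for Get-KerberosTicketRequest output.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ TimeCreated = $now; Id = 4768; Account = 'alice';              Service = 'krbtgt';    Client = '10.0.0.5'; Status = '0x0'; Etype = '0x12' }
    [pscustomobject]@{ TimeCreated = $now; Id = 4768; Account = 'legacyapp';          Service = 'krbtgt';    Client = '10.0.0.9'; Status = '0x0'; Etype = '0x17' }
    [pscustomobject]@{ TimeCreated = $now; Id = 4769; Account = 'alice@CORP.EXAMPLE'; Service = 'svc-sql';   Client = '10.0.0.5'; Status = '0x0'; Etype = '0x17' }
    [pscustomobject]@{ TimeCreated = $now; Id = 4769; Account = 'bob@CORP.EXAMPLE';   Service = 'svc-sql';   Client = '10.0.0.7'; Status = '0x0'; Etype = '0x17' }
    [pscustomobject]@{ TimeCreated = $now; Id = 4769; Account = 'bob@CORP.EXAMPLE';   Service = 'CIFS/fs01'; Client = '10.0.0.7'; Status = '0x0'; Etype = '0x11' }
)
$sample | Find-NonAes256Request | Format-Table -AutoSize

# On a domain controller, feed the live events instead:
# Get-KerberosTicketRequest -StartTime (Get-Date).AddDays(-7) | Find-NonAes256Request
```

With the constructed records, the two RC4 service tickets for svc-sql collapse into one row keyed on the service account, which is the principal that needs fixing; the AES256 TGT for alice is not reported at all.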

Kerberos Authentication Protocol in Windows


Inspecting the cached tickets on hosts
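An added example (not part of the slides) for the host-side check: it parses klist output and flags cached tickets whose encryption type is not AES256. The `$sampleKlist` text is constructed, abridged klist output showing the two lines the parser relies on; Get-CachedTicketEtype runs the real klist for the current logon session.

```powershell
# Added example (not part of the slides). $sampleKlist is constructed text.

function ConvertFrom-KlistOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $tickets = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*#\d+>\s+Client:\s*(.+)$') {
            # A new ticket entry starts; the object is updated by the lines that follow.
            $current = [pscustomobject]@{ Client = $matches[1].Trim(); Server = ''; TicketEtype = ''; SessionKeyEtype = '' }
            $tickets += $current
        } elseif ($current -and $line -match '^\s*Server:\s*(.+)$') {
            $current.Server = $matches[1].Trim()
        } elseif ($current -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+)$') {
            $current.TicketEtype = $matches[1].Trim()
        } elseif ($current -and $line -match '^\s*Session Key Type:\s*(.+)$') {
            $current.SessionKeyEtype = $matches[1].Trim()
        }
    }
    $tickets
}

function Find-NonAes256CachedTicket {
    param([Parameter(Mandatory)][string[]]$Lines)
    # klist names AES256 "AES-256-CTS-HMAC-SHA1-96" and RC4 "RSADSI RC4-HMAC(NT)".
    ConvertFrom-KlistOutput -Lines $Lines | Where-Object { $_.TicketEtype -notlike 'AES-256*' }
}

function Get-CachedTicketEtype {
    # Live check of the current logon session on the host being inspected.
    Find-NonAes256CachedTicket -Lines (klist)
}

# Constructed sample (abridged klist output, not captured from a real host).
$sampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: alice @ CORP.EXAMPLE
        Server: MSSQLSvc/sql01.corp.example:1433 @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Session Key Type: RSADSI RC4-HMAC(NT)
'@ -split "`r?`n"

Find-NonAes256CachedTicket -Lines $sampleKlist | Format-Table -AutoSize
```

On the sample only the MSSQLSvc ticket is reported, because the ticket is encrypted with the service account's key and that account still has RC4 keys; the TGT is AES256 and passes.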



Fix the issues preventing accounts from using AES

• Windows NT, 2000 and 2003 do not support AES.

• Upgrade non-Windows or legacy applications.

• Identify accounts created before the AD upgrade to Windows 2008.

• Reset the account password twice for affected domain accounts.

• Update keytab files in use.


Determine when AES support became available

• Check the "Read-only Domain Controllers" group created date value.



Identify affected accounts

• List accounts whose password predates AES support.
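The previous slide's date check and this slide's account list, as an added example (not part of the slides): it takes the creation date of the "Read-only Domain Controllers" group as the point where AES support arrived, then lists accounts whose password was last set before that date; such accounts have no AES keys until their password is reset. It assumes the ActiveDirectory module.

```powershell
# Added example (not part of the slides). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AesSupportDate {
    # The RODC group is created when the domain is prepared for Windows Server
    # 2008, so its whenCreated is the earliest moment AES keys could exist.
    (Get-ADGroup -Identity 'Read-only Domain Controllers' -Properties whenCreated).whenCreated
}

function Get-PreAesAccount {
    param([datetime]$Cutoff = (Get-AesSupportDate))
    $props = 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'ServicePrincipalName'
    $candidates = @(Get-ADUser     -Filter 'Enabled -eq $true' -Properties $props) +
                  @(Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props) +
                  @(Get-ADUser -Identity krbtgt -Properties $props)   # disabled, but its keys matter most
    $candidates |
        # A password never set counts as affected, as does one older than the cutoff.
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Account         = $_.SamAccountName
                Class           = $_.ObjectClass
                PasswordLastSet = $_.PasswordLastSet
                HasSpn          = ($_.ServicePrincipalName.Count -gt 0)   # keytabs may need updating too
                EncTypesAttr    = $_.'msDS-SupportedEncryptionTypes'
            }
        } | Sort-Object PasswordLastSet
}

$cutoff = Get-AesSupportDate
"AES support available since $cutoff"
Get-PreAesAccount -Cutoff $cutoff | Format-Table -AutoSize
```

The report lists, it does not reset: the remedy the deck prescribes is two password resets per affected account (spaced by the TGT lifetime for krbtgt) plus updating any keytab built from the old password.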



Reset KRBTGT account password twice

• You may need to reset the KRBTGT account password.

• Reset the password once, wait for the TGT validity period to expire (10 hours by default), then reset it again.

• Resetting the KRBTGT password twice rapidly will invalidate all TGTs in the domain!

PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
https://jorgequestforknowledge.wordpress.com/2018/12/30/PowerShell-Script-To-Reset-The-KrbTgt-Account-Password-Keys-For-Both-RWDCs-And-RODCs/


Disable non-AES256 eTypes selectively

• Confirm there are no non-AES256 ticket requests or tickets.

• Disable non-AES256 eTypes selectively and monitor closely.

• Disable non-AES256 for Domain Controllers and KRBTGT.
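The final step, as an added example (not part of the slides): it decodes msDS-SupportedEncryptionTypes for the domain controllers and the krbtgt account, then restricts them to AES256 with -WhatIf/-Confirm support so the change can be staged one principal at a time while 4768/4769 events are watched. It assumes the ActiveDirectory module and domain-admin rights.

```powershell
# Added example (not part of the slides). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes.
$EtypeBits  = [ordered]@{ 0x1 = 'DES-CBC-CRC'; 0x2 = 'DES-CBC-MD5'; 0x4 = 'RC4-HMAC'; 0x8 = 'AES128'; 0x10 = 'AES256' }
$Aes256Only = 0x10

function ConvertFrom-EncTypeMask {
    param([int]$Value)
    # An unset attribute is treated as RC4 by the KDC.
    if (-not $Value) { return 'not set (RC4 default)' }
    ($EtypeBits.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $EtypeBits[$_] }) -join ','
}

function Get-FinalStepPrincipal {
    # Domain controllers plus krbtgt: the last principals to give up RC4.
    $props = 'msDS-SupportedEncryptionTypes'
    $dcs = Get-ADDomainController -Filter * | ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN -Properties $props }
    @($dcs) + @(Get-ADUser -Identity krbtgt -Properties $props) | ForEach-Object {
        [pscustomobject]@{
            Principal = $_.SamAccountName
            DN        = $_.DistinguishedName
            Current   = ConvertFrom-EncTypeMask $_.'msDS-SupportedEncryptionTypes'
        }
    }
}

function Set-Aes256Only {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Principal)
    process {
        # krbtgt must already hold AES keys (password reset after the 2008
        # upgrade), otherwise TGT issuance breaks the moment RC4 is dropped.
        if ($PSCmdlet.ShouldProcess($Principal.DN, "msDS-SupportedEncryptionTypes: $($Principal.Current) -> AES256")) {
            Set-ADObject -Identity $Principal.DN -Replace @{ 'msDS-SupportedEncryptionTypes' = $Aes256Only }
        }
    }
}

# Review the current state, then enforce one principal at a time.
Get-FinalStepPrincipal | Format-Table -AutoSize
Get-FinalStepPrincipal | Where-Object Principal -eq 'krbtgt' | Set-Aes256Only -WhatIf
```

Because ConfirmImpact is High, running Set-Aes256Only without -WhatIf prompts for each principal by default; pipe a single DC or krbtgt at a time and re-run the 4768/4769 hunt between changes.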



Final step: disable non-AES256 for DCs and KRBTGT
