This article relates to the ARO "Weak Encryption Type Detected". Kerberos-related Domain Controllers that still accept weak ciphers such as RC4 and DES leave your network exposed to a Kerberos credential theft attack called "Kerberoasting".
In that attack the Kerberos Ticket-Granting Service (TGS) issues a service ticket encrypted with a weakly protected hash of the service account's password, which can be brute-forced offline; alternatively, a threat actor uses a stolen or forged ticket to gain access.
The general recommendation is to disable DES and RC4 and the ARO provides some resources on how to achieve this:
- Audit Kerberos Service Ticket Operations
- Preventing Kerberos change password that uses RC4 secret keys
- Secure Active Directory + Azure AD SSO and disable RC4-HMAC
The following additional documentation was posted by a Microsoft employee that explains how you can configure which encryption types are allowed for Kerberos: Decrypting the Selection of Supported Kerberos Encryption Types
It shows how you can leverage better encryption for Kerberos and it also explains that "If you enable AES on the KRBTGT account and find your TGTs are still issued with RC4 encryption you may need to manually reset the password of the KRBTGT account."
To use AES (the stronger cipher) the article explains that you must enable it manually. You can do this via this GPO: Network security: Configure encryption types allowed for Kerberos
The article above applies to Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Vista; the process on Windows Server 2012 R2 is likely similar and achieves the same results.
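The following PowerShell is an added example written for this article; it is not code from the original page or from Microsoft. It ties together the three checks described above: which Kerberos encryption types accounts (including KRBTGT) advertise, what the local GPO setting has written to the registry, and which recent service-ticket events (Event ID 4769, enabled by "Audit Kerberos Service Ticket Operations") were issued with RC4 or DES. It assumes the ActiveDirectory RSAT module is installed, read access to the domain, and that it runs on a Domain Controller for the event and registry checks; the function names are my own. The bit values of msDS-SupportedEncryptionTypes and the 4769 TicketEncryptionType codes are Microsoft-documented values.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory
# module (RSAT) and, for the registry/event checks, that it runs on a DC.

# Documented bit values of the msDS-SupportedEncryptionTypes attribute.
$KerbEncTypeBits = [ordered]@{
    DES_CBC_CRC          = 0x1
    DES_CBC_MD5          = 0x2
    RC4_HMAC             = 0x4
    AES128_CTS_HMAC_SHA1 = 0x8
    AES256_CTS_HMAC_SHA1 = 0x10
}

# Decode the bitmask into cipher names. An unset attribute means the DC's
# default applies, which historically has been RC4, so it is reported as weak.
function ConvertFrom-KerbEncTypes {
    param([int]$Value)
    if ($Value -eq 0) { return @('NOT SET (DC default, historically RC4)') }
    $KerbEncTypeBits.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# List accounts that can be targeted for service tickets (anything with an SPN)
# plus KRBTGT, and flag those that still allow RC4 or DES.
function Get-WeakKerbEncTypeAccounts {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADObject -LDAPFilter '(|(servicePrincipalName=*)(sAMAccountName=krbtgt))' `
                 -Properties sAMAccountName, objectClass, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $types = ConvertFrom-KerbEncTypes ([int]$_.'msDS-SupportedEncryptionTypes')
        [pscustomobject]@{
            Account     = $_.sAMAccountName
            ObjectClass = $_.objectClass
            EncTypes    = ($types -join ', ')
            Weak        = [bool]($types -match 'DES|RC4|NOT SET')
        }
    } | Where-Object Weak
}

# The GPO "Network security: Configure encryption types allowed for Kerberos"
# writes this registry value; decode it the same way.
function Get-LocalKerbEncTypePolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    [pscustomobject]@{
        RegistryValue = $v
        EncTypes      = ((ConvertFrom-KerbEncTypes ([int]$v)) -join ', ')
    }
}

# Service tickets (4769) issued with weak ciphers: 0x1 and 0x3 are DES, 0x17 is RC4-HMAC.
# Requires "Audit Kerberos Service Ticket Operations" to be enabled on the DC.
function Get-WeakKerbServiceTicketEvents {
    param([int]$MaxEvents = 1000)
    $weakCodes = @('0x1', '0x3', '0x17')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($weakCodes -contains $data.TicketEncryptionType) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = $data.TargetUserName
                Service  = $data.ServiceName
                EncType  = $data.TicketEncryptionType
                ClientIP = $data.IpAddress
            }
        }
    }
}

# Usage: run all three checks and show the results.
Get-WeakKerbEncTypeAccounts      | Format-Table -AutoSize
Get-LocalKerbEncTypePolicy       | Format-List
Get-WeakKerbServiceTicketEvents  | Format-Table -AutoSize
```

A KRBTGT row with RC4 in its EncTypes, or 4769 events still showing 0x17 after AES has been enabled, is the situation the Microsoft article describes: the KRBTGT password then needs a manual reset before TGTs are issued with AES. Service accounts that appear in the first list should have AES enabled on the account and their passwords rotated so that an AES key actually exists.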
We recommend you always test your new configurations and understand how to undo the changes before applying them.