Decrypting the Selection of Supported Kerberos Encryption Types
In recent months Microsoft support has received a lot of questions regarding disabling RC4 for the encryption of Kerberos tickets. If I had to guess, the CIS L1 Baseline and RFC 8429 guidance to disable RC4 is likely responsible for much of that interest. While RC4 has not been formally deprecated in Active Directory, the evolution of an attack known as Kerberoasting provides a compelling reason to upgrade, given that RC4 encryption uses the weak NTLM hash as the encryption key. To date, tickets encrypted with AES keys are not susceptible to Kerberoasting.
As with many hardening settings, the decision to eliminate RC4 for Kerberos ticket encryption is not entirely cut and dry. Let’s take a look at the considerations, and then you can decide how you want to move forward with improving your security posture in this area.
Content-ID: 602285
Url: https://rootdb.com/en/decrypting-the-selection-of-supported-kerberos-encryption-types-602285.html
Printed on: February 22, 2025 at 23:02