Hi JerryDevore - can you clarify exactly what's needed to fully disable RC4 being used in Kerberos domain-wide? Our goal is to prevent RC4 from being used in the domain even by a bad actor who asks for it, to try to mitigate attacks like Kerberoasting, and this: https://learn.microsoft.com/en-us/windows-server/security/kerberos/preventing-kerberos-change-password-that-uses-rc4-secret-keys
Your guidance above says that's done by setting HKLM\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes on the DCs to a value that doesn't include RC4, but my understanding is that that reg key only sets the default encryption types used when an AD account doesn't specify one via its msDS-SupportedEncryptionTypes attribute. But setting that won't stop RC4 encryption being used if an AD account explicitly claims to support it (e.g. says "I only support RC4"), right?
If so, how do we actually stop the DCs from using RC4 for encryption even if a client requests it? Do we need to use the "Network security: Configure encryption types allowed for Kerberos" Group Policy setting (which seems to map to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes) scoped to the DCs themselves, to set the only supported encryption types to, say, 0x38 (AES128, AES256, AES256-SK)?
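To make the default-versus-explicit interaction in the question concrete, here is an added example (not from this thread, not Microsoft's code) that decodes the encryption-type bitmask shared by msDS-SupportedEncryptionTypes and the registry values named above, and audits constructed sample accounts under the behaviour the question describes: an account's own attribute wins when set, and DefaultDomainSupportedEncTypes applies only when it is unset. The bit values are the documented Kerberos enc-type flags; the account names and their attribute values are assumptions.

```python
# Added example: decode the Kerberos encryption-type bitmask used by
# msDS-SupportedEncryptionTypes and by the KDC/Kerberos registry values, then
# compute what an account ends up supporting under the behaviour the question
# describes (the KDC default is used only when the account attribute is unset).
# Sample accounts below are constructed, not real directory data.

ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
WEAK = 0x01 | 0x02 | 0x04  # DES and RC4 bits


def decode_enc_types(mask: int) -> list[str]:
    """Expand a SupportedEncryptionTypes-style bitmask into cipher names."""
    return [name for bit, name in ENC_TYPE_BITS.items() if mask & bit]


def effective_enc_types(account_attr, domain_default: int) -> int:
    """msDS-SupportedEncryptionTypes wins when set; otherwise the KDC's
    DefaultDomainSupportedEncTypes value applies (unset attribute = None/0)."""
    return account_attr if account_attr else domain_default


def audit_accounts(accounts, domain_default: int) -> list[dict]:
    """Flag every account whose effective enc types still include RC4 or DES."""
    findings = []
    for name, attr in accounts:
        eff = effective_enc_types(attr, domain_default)
        findings.append({
            "account": name,
            "source": "attribute" if attr else "domain default",
            "enc_types": decode_enc_types(eff),
            "weak_allowed": bool(eff & WEAK),
        })
    return findings


# Constructed sample: DefaultDomainSupportedEncTypes set to 0x38 (AES only).
DOMAIN_DEFAULT = 0x38
SAMPLE_ACCOUNTS = [
    ("svc-web", None),  # attribute unset -> inherits the AES-only default
    ("svc-sql", 0x1C),  # explicitly RC4 + AES128 + AES256
    ("svc-old", 0x04),  # explicitly "RC4 only": the default does not apply
]
```

Running `audit_accounts(SAMPLE_ACCOUNTS, DOMAIN_DEFAULT)` shows only the account with the unset attribute benefiting from the 0x38 default; the two that set the RC4 bit themselves are still reported as weak, which is the gap the question is asking about.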