Hey folks, Ned here again with another guest post. Today we discuss hardening the SMB protocol in Windows against interception attacks, previously referred to as “Man-in-the-Middle” attacks. As you k...
Updated Sep 30, 2021
Version 8.0
Blog Post
I check with klist, which shows service tickets as:
Cache Flags: 0
After enabling GPO "KDC\Always provide claims" on DCs and "Kerberos\Kerberos client support for claims" on the clients, the above looks like:
Cache Flags: 0x40 -> FAST
I then enabled Windows Defender Guard using DGReadiness.ps1 -Enable, reboot, and then klist show like this again:
Cache Flags: 0
I must confess I also enabled LSA Protection prior to DGReadiness in one go. I cannot find any docs on whether that's an extra layer of protection when DG does something similar but better to LSASS, or whether the two would bite each other (although I'm running both without problems thus far)...
I assumed FAST to be broken by DG but it seems to be something else, as I now have a server with LSA Prot/DG enabled and FAST is working.
I appologize for the confusion, been testing in 2 different environments same time. It works in one, it doesn't in the other. So something else is breaking FAST. Good to know though that it shouldn't break it ! Is there some documentation somewhere on troubleshooting FAST that you know of ?