Help me with my understanding of Kerberos and its interaction with Server 2003 please (I know, they should be long dead already, but business needs yada yada yada)
We have Server 2003s that, after the November patches, decided not to get Kerberos tickets anymore. Well, they can pull them, but they all show as (Unknown 18), meaning they are encrypted in AES256, hence they can't read them. That is, except for odd exceptions where they CAN pull HOST tokens, only using RC4.
We've opened tickets, but the Microsoft Support line is 'We don't support 2003', which I completely understand, but sadly I don't have the ability to just drop them.
Question:
Can we make the Servers stop using Kerberos for anything, and make them fall back to NTLM, instead of pulling these AES Kerberos tickets they can't use?
Or any other idea I haven't thought of? We've tried all documented workarounds, but they just don't work on 2003.
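The "(Unknown 18)" the poster sees is the Kerberos encryption-type number 18 (aes256-cts-hmac-sha1-96), which a 2003-era host that only knows DES and RC4 cannot decrypt. The following is an added example, not code from the thread or from Microsoft: it decodes the etype numbers that klist prints and the bits of the AD attribute msDS-SupportedEncryptionTypes, then reports for each ticket whether a host with a given supported-types mask can actually use it. The klist output is constructed for the example, the Windows display strings in WINDOWS_DISPLAY are assumed to match what klist prints, and the mask 0x07 (DES + RC4 only) is an assumed value for a legacy host.

```python
"""Triage Kerberos tickets against a host's supported encryption types (added example)."""
import re

# Kerberos etype numbers from the IANA Kerberos encryption-type registry.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Bits of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE).
SUPPORTED_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
    0x20: "AES256_CTS_HMAC_SHA1_96_SK",  # session-key-only AES256 flag
}

# Which supported-types bit a host needs in order to read a ticket of a given etype.
ETYPE_TO_BIT = {1: 0x01, 3: 0x02, 23: 0x04, 17: 0x08, 18: 0x10}

# Assumed Windows klist display strings for known etypes (assumption, not from the thread).
WINDOWS_DISPLAY = {
    "DES-CBC-CRC": 1,
    "DES-CBC-MD5": 3,
    "AES-128-CTS-HMAC-SHA1-96": 17,
    "AES-256-CTS-HMAC-SHA1-96": 18,
    "RSADSI RC4-HMAC(NT)": 23,
}

# Constructed klist output mirroring the thread: an AES256 TGT and an RC4 host ticket.
SAMPLE_KLIST = """\
#0>     Client: svc_legacy @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: (Unknown 18)
#1>     Client: svc_legacy @ CORP.EXAMPLE
        Server: host/fs01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
"""

# Assumed mask for a host that supports only DES and RC4 (0x01 | 0x02 | 0x04).
LEGACY_HOST_MASK = 0x07


def decode_supported_types(mask):
    """Return the names of the encryption types enabled in a msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in SUPPORTED_BITS.items() if mask & bit]


def parse_klist_etypes(klist_output):
    """Return (server, etype_number) pairs from klist-style output.

    '(Unknown N)' is taken literally as etype N; known display strings are mapped via WINDOWS_DISPLAY.
    """
    tickets = []
    server = None
    for raw in klist_output.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("KerbTicket Encryption Type:"):
            value = line.split(":", 1)[1].strip()
            match = re.fullmatch(r"\(Unknown\s+(\d+)\)", value)
            etype = int(match.group(1)) if match else WINDOWS_DISPLAY.get(value)
            tickets.append((server, etype))
    return tickets


def can_host_read(etype, host_mask):
    """True if a host whose supported-types mask is host_mask can decrypt a ticket of this etype."""
    bit = ETYPE_TO_BIT.get(etype)
    return bit is not None and bool(host_mask & bit)


def triage(klist_output, host_mask):
    """For each ticket, return (server, etype, etype name, readable-by-host)."""
    return [
        (server, etype, ETYPE_NAMES.get(etype, f"etype {etype}"), can_host_read(etype, host_mask))
        for server, etype in parse_klist_etypes(klist_output)
    ]


if __name__ == "__main__":
    print("legacy host supports:", decode_supported_types(LEGACY_HOST_MASK))
    for server, etype, name, ok in triage(SAMPLE_KLIST, LEGACY_HOST_MASK):
        print(f"{server}: etype {etype} ({name}) -> {'readable' if ok else 'NOT readable'}")
```

Run against the constructed sample, the TGT (etype 18) comes back as not readable while the host ticket (etype 23) is readable, which is exactly the asymmetry described in the question. Feeding the function the real msDS-SupportedEncryptionTypes value of an account (read with your directory tooling) shows which tickets a DC will issue that the legacy host can and cannot consume.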
- Keith_Hoffman (Former Employee), Mar 09, 2023:
  Our recommendations in this case would be to:
  1. Upgrade your legacy Server 2003 systems to a supported OS that is still getting security updates
  2. Air gap any legacy systems you cannot immediately upgrade
  3. Place any legacy systems you cannot immediately upgrade into their own domain structure
  The hardening included in the November update is there to help our customers be more secure, as we know RC4 and DES are easily compromised. So, along the lines of keeping things as secure/safe as possible, we would not recommend doing *anything* to try to work around the hardening.
- MattTheSysAdmin (Brass Contributor), Mar 09, 2023:
  Thanks Keith. That's what we're recommending, but we're turning over all stones to try and get our domain controllers immediately patched beyond November to try and avoid even more security holes... Heaven forbid there's a zero day in the near future....
- CharlieFraser (Copper Contributor), Mar 09, 2023:
  We fixed that issue by turning off the 2003 server just recently.
- MattTheSysAdmin (Brass Contributor), Mar 09, 2023:
  Yeah, it's nice to give them this kick to actually reinforce what we've been saying! Sad it took these incidents to make them actually act, but that's people for you. Sadly we've got >200 of these damn servers clogging up my infrastructure, so turning them off is a bigger project. Looking for workarounds for now so we can patch our DCs.