Event details

Join us for our March 9 “Ask Microsoft Anything” chat about Windows Server updates and upgrades. We’ll cover your questions on how to stay more secure by upgrading older servers (2008 and 2012 versio...
EricStarker
Updated Mar 09, 2023
windows server
MattTheSysAdmin's avatar
MattTheSysAdmin
Brass Contributor
Mar 09, 2023

Help me with my understanding of Kerberos and its interaction with Server 2003 please (I know, they should be long dead already, but business needs yada yada yada)

We have Server 2003's that after the November patches decided to not get Kerberos tickets anymore. Well, they can pull them but they all show as (Unknown 18), meaning they are encrypted in AES256, hence they can't read them. That is except for odd exceptions where they CAN pull HOST tokens only using RC4.

We've opened tickets, but the Microsoft Support line is 'We don't support 2003', which I completely understand, but sadly I don't have the ability to just drop them.

 

Question:
Can we make the Servers stop using Kerberos for anything, and make them fall back to NTLM, instead of pulling these AES Kerberos tickets they can't use?

Or any other idea I haven't thought of? We've tried all documented workarounds, but they just don't work on 2003....

Keith_Hoffman's avatar
Keith_Hoffman
Former Employee
Mar 09, 2023
Our recommendations in this case would be to: 1. Upgrade your legacy Server 2003 systems to a supported OS that is still getting security updates 2. Air gap any legacy systems you cannot immediately upgrade 3. Place any legacy systems you cannot immediately upgrade into their own domain structure The hardening included in the November update is there to help our customers be more secure as we know RC4 and DES are easily compromised. So along the lines of keeping things as secure/safe as possible, we would not recommend doing *anything* to try to work around the hardening.
  • MattTheSysAdmin's avatar
    MattTheSysAdmin
    Brass Contributor
    Mar 09, 2023
    Thanks Keith. That's what we're recommending, but we're turning over all stones to try and get our domain controllers immediately patched beyond November to try and avoid even more security holes... Heaven forbid there's a zero day in the near future....