Event details
Join us for our March 9 “Ask Microsoft Anything” chat about Windows Server updates and upgrades. We’ll cover your questions on how to stay more secure by upgrading older servers (2008 and 2012 versio...
EricStarker
Updated Mar 09, 2023
MattTheSysAdmin
Mar 09, 2023 | Brass Contributor
To 'overcome' our Server 2003 woes, one of our developers has suggested he build some sort of 'Kerberos Proxy', that would essentially receive AES Kerberos tickets and spit out the same ticket encrypted in RC4.
After I'd picked myself up off the floor and finished laughing, I was shocked that management were actually exploring this as a real possibility.
Question:
I need to dissuade them from going anywhere near this path. Would this actually work? Do you know of any security guidance against this kind of proxy (essentially creating a man-in-the-middle attack on yourself)? Any large sticks I can beat these people with?
Keith_Hoffman
Mar 09, 2023 | Former Employee
Our recommendations in this case would be to:
1. Upgrade your legacy Server 2003 systems to a supported OS that is still getting security updates
2. Air gap any legacy systems you cannot immediately upgrade
3. Place any legacy systems you cannot immediately upgrade into their own domain structure
The hardening included in the November update is there to help our customers be more secure, as we know RC4 and DES are easily compromised. So along the lines of keeping things as secure/safe as possible, we would not recommend doing *anything* to try to work around the hardening. So while the Kerberos proxy idea is innovative, it is not something we would recommend doing. You'd be better off spending those resources trying to upgrade those 2003 boxes.
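Before choosing between upgrade, air gap or a separate domain, it helps to know which service principals are still being issued RC4 or DES service tickets. The script below is an added example, not code from this thread or from Microsoft; it assumes Security event 4769 records have been exported as one flat key=value line each, and the hostnames, accounts and log lines are constructed.

```python
import re
from collections import defaultdict

# Kerberos encryption type codes as they appear in the
# "Ticket Encryption Type" field of Windows Security event 4769.
ETYPE_NAMES = {
    0x1: "DES-CBC-CRC",
    0x3: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
}
# The ciphers the November hardening is aimed at.
WEAK_ETYPES = {0x1, 0x3, 0x17}

# Constructed sample export (assumed flat key=value format, not real logs).
SAMPLE_EVENTS = """\
EventID=4769 Account=jdoe@CORP.EXAMPLE ServiceName=CIFS/FS2003.corp.example ClientAddress=10.0.5.21 TicketEncryptionType=0x17
EventID=4769 Account=jdoe@CORP.EXAMPLE ServiceName=HTTP/web2019.corp.example ClientAddress=10.0.5.21 TicketEncryptionType=0x12
EventID=4769 Account=svc_backup@CORP.EXAMPLE ServiceName=host/app2003.corp.example ClientAddress=10.0.7.9 TicketEncryptionType=0x3
EventID=4769 Account=asmith@CORP.EXAMPLE ServiceName=ldap/dc01.corp.example ClientAddress=10.0.1.4 TicketEncryptionType=0x11
EventID=4768 Account=asmith@CORP.EXAMPLE ServiceName=krbtgt ClientAddress=10.0.1.4 TicketEncryptionType=0x12
"""

LINE_RE = re.compile(
    r"EventID=(\d+) .*?ServiceName=(\S+) .*?TicketEncryptionType=0x([0-9a-fA-F]+)"
)


def find_weak_service_tickets(log_text):
    """Return {service_principal: {etype_name: count}} for every 4769
    (TGS request) whose ticket was issued with a DES or RC4 key.
    4768 (TGT) lines and AES tickets are ignored."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "4769":
            continue
        etype = int(m.group(3), 16)
        if etype in WEAK_ETYPES:
            name = ETYPE_NAMES.get(etype, f"0x{etype:x}")
            report[m.group(2)][name] += 1
    return {svc: dict(counts) for svc, counts in report.items()}


if __name__ == "__main__":
    for svc, counts in sorted(find_weak_service_tickets(SAMPLE_EVENTS).items()):
        print(f"{svc}: {counts}")
```

Every service principal the script lists is a box (or an account with a legacy-only msDS-SupportedEncryptionTypes value) that would break once RC4/DES is gone, so the list doubles as the upgrade or isolation worklist.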