Hi everyone, Jerry Devore here again with another installment in my series on Active Directory hardening. This time I want to revisit a topic I previously wrote about in September of 2020 which is enforcing AES for Kerberos. Since I wrote that blog post a few new tips have come my way. Before we dive in here is a quick re-cap of what was previously discussed:
Discovering RC4 dependent devices
Identifying devices limited to RC4 is a critical step but has historically been a tricky problem to solve. However, a recently discovered "feature" in 4768 events can help you identity such devices. Previously I suggested analyzing the Ticket Encryption Type field in 4769 events (service ticket requests). At the time I was not focused on the 4768 events since a KDC will encrypt all TGTs with AES if the KRBTGT account has a key for AES. So, what is this new discovery? Drumroll please…. The Ticket Encryption Type field in 4768 events reflects the session key issued with the TGT. Why does that matter? The session key encryption selection for a TGT is dependent on what was negotiated by the device during the AS-REQ (authentication request). As a result, 4768 events can be used to identify devices that only support RC4.
To demonstrate this behavior I configured a device in my lab to only support RC4 (Network security: Configure encryption types allowed for Kerberos). As you can see from this screenshot the session key for both the primary and delegation TGT was protected with RC4 while the TGT itself was encrypted with AES.
The 4768 event logged on the domain controller reflects the use of RC4 in the Ticket Encryption Type field even though RC4 was only used for the session key. That information can be more useful than reporting the actual ticket encryption since all TGTs will be AES if the KDC supports it.
In the last few years, I have worked with many large organizations as they embarked on a journey to rid their environment of RC4. So far, I have found four types of devices that you might see defaulting to using RC4 in the AS-REQ. They are:
Once you have identified and remediated any device defaulting to RC4 you can ramp up your efforts to enable AES on your SPN enabled service accounts. I still would not update all accounts at the same time but by all means don't be overly timid. The risk of not taking action this area is greater than the risk of hardening your environment.
To be clear, using 4768 events to detect RC4 devices depends on the devices requesting a TGT. If you have an application that uses a keytab to decrypt and read tickets but does not use the account to authenticate to Active Directory, there will be no 4768 events logged for the account. I believe that scenario is rare, but it is worth pointing out that leveraging 4768 events might not catch every last device dependent on RC4.
Even better auditing is being planned
While using 4768 events to find RC4 dependent devices can be extremely useful, more verbose logging of Kerberos tickets is being planned by the product group. What the extra logging will capture, when it will be released and how far back it will be ported is still to be determined. In the meantime, keep moving forward using the auditing currently available.
November 2022 Changes to Kerberos
In 2022 some needed changes were made which caused the KDC to start defaulting to AES session keys. Selection of encryption type for service tickets (TGS) did not change as part of that update, so it is still vitally import to define a value on msDS-SupportedEncryptionTypes for your SPN enabled service accounts. More information on those changes can be found here:
Something that is not discussed in those articles is the change to cross domain referral tickets. Previously it was necessary to enable AES in the trust settings. Otherwise RC4 was used for the referral tickets. That is no longer necessary given referral tickets will now default to AES. To better illustrate here are a few screenshots from my lab. Joe User resides in the contoso.local domain. When the account attempted to access a resource in the trusted fabrikam.local domain, the referral ticket was issued with AES even though the trust (Trust Domain Object) had no setting for msDS-SupportedEncryptionTypes. If your RC4 remediation project includes a task for enabling AES on your trusts, you can mark that task complete.
If you have been following my series, you know I always conclude with a list of Do's and Don't to make sure things go as planned. To avoid disappointing anyone, here is the list.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.