Description
Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activities that are using weak ciphers as a misconfiguration or as a deliberate security downgrade.
Under Exposed Identities it shows Protocol Kerberos and Cipher Rc4HMac.
Attempted resolution:
In AD, set "This account supports Kerberos AES 256 bit encryption" (and turned on 128 bit).
It has been several days and the vulnerability is not clearing for any accounts.
I also applied a GPO to all workstations:
| Policy | Setting |
|---|---|
| Network security: Configure encryption types allowed for Kerberos | Enabled |
| DES_CBC_CRC | Disabled |
| DES_CBC_MD5 | Disabled |
| RC4_HMAC_MD5 | Disabled |
| AES128_HMAC_SHA1 | Enabled |
| AES256_HMAC_SHA1 | Enabled |
| Future encryption types | Enabled |
Any other suggestions?
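The AES checkboxes mentioned above are stored per account as bits in the `msDS-SupportedEncryptionTypes` attribute, so one way to confirm what each flagged account actually carries is to decode that value. This is an added example, not part of the original post: the function name `Get-KerberosEncTypeReport` is hypothetical and the sample accounts are constructed.

```powershell
# Bit values of msDS-SupportedEncryptionTypes (1=DES-CRC, 2=DES-MD5, 4=RC4, 8=AES128, 16=AES256).
[Flags()] enum KerbEncType {
    DES_CBC_CRC      = 1
    DES_CBC_MD5      = 2
    RC4_HMAC_MD5     = 4
    AES128_HMAC_SHA1 = 8
    AES256_HMAC_SHA1 = 16
}

function Get-KerberosEncTypeReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Account
    )
    process {
        $raw = $Account.'msDS-SupportedEncryptionTypes'
        if ($null -eq $raw -or [int]$raw -eq 0) {
            # Nothing stored on the account: the KDC default applies, so flag it for review.
            $types   = 'not set'
            $finding = 'Review: no account-level value'
        } else {
            # Keep only the five cipher bits; higher bits are not encryption types.
            $flags = [KerbEncType]([int]$raw -band 31)
            $types = $flags.ToString()
            if ($flags.HasFlag([KerbEncType]::DES_CBC_CRC) -or $flags.HasFlag([KerbEncType]::DES_CBC_MD5)) {
                $finding = 'Weak: DES allowed'
            } elseif ($flags.HasFlag([KerbEncType]::RC4_HMAC_MD5)) {
                $finding = 'Weak: RC4 still allowed'
            } elseif ($flags.HasFlag([KerbEncType]::AES128_HMAC_SHA1) -or $flags.HasFlag([KerbEncType]::AES256_HMAC_SHA1)) {
                $finding = 'OK: AES only'
            } else {
                $finding = 'Review: no known cipher bit set'
            }
        }
        [pscustomobject]@{
            Account  = $Account.SamAccountName
            RawValue = $raw
            EncTypes = $types
            Finding  = $finding
        }
    }
}

# Constructed sample accounts so the example runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'constructed-aes-only'; 'msDS-SupportedEncryptionTypes' = 24 }
    [pscustomobject]@{ SamAccountName = 'constructed-rc4-aes';  'msDS-SupportedEncryptionTypes' = 28 }
    [pscustomobject]@{ SamAccountName = 'constructed-unset';    'msDS-SupportedEncryptionTypes' = $null }
)
$sample | Get-KerberosEncTypeReport | Format-Table -AutoSize
```

Against a live domain, with the ActiveDirectory module loaded, the same function accepts `Get-ADUser -Filter * -Properties 'msDS-SupportedEncryptionTypes'` piped into it.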