cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Defender report - Stop weak cipher usage report

LiorFrumat
Copper Contributor

‎Nov 17 2021 02:10 AM

‎Nov 17 2021 02:10 AM

Microsoft Defender report - Stop weak cipher usage report

Spoiler
Spoiler

Hi,

This report "Stop weak cipher usage"
Based on which EventID he brings the data?

1,707 Views
0 Likes
2 Replies
Reply
2 Replies
marka01

‎Nov 18 2021 01:24 AM - edited ‎Nov 18 2021 01:25 AM

‎Nov 18 2021 01:24 AM - edited ‎Nov 18 2021 01:25 AM

Re: Microsoft Defender report - Stop weak cipher usage report

What do you see in weak cipher report details? If this is related to weak encryption (RC4, DES) that AD accounts are using then you would need to look for events related to kerberos protocol (4766-4768).

A fix for that is by going to AD account -> Properties -> Account -> Account options and tick 2 boxes "This account supports Kerberos AES 128/256 bit encryption". This would default account to use AES encryption rather than RC4. 

0 Likes
Reply
marka01

‎Nov 18 2021 09:11 AM - edited ‎Nov 18 2021 09:12 AM

‎Nov 18 2021 09:11 AM - edited ‎Nov 18 2021 09:12 AM

Re: Microsoft Defender report - Stop weak cipher usage report

What does it say in the usage report? If it is related to accounts using weak encryption protocol, you should look for kerberos authentication event id. I had similar on MCAS where users reported using RC4 encryption. There is a setting under ADUC account properties to set to use 128/256 AES encryption. Then it defaults to using AES over RC4.

0 Likes
Reply