Kerberos hardening
Posted by cgklowd@reddit | sysadmin | 15 comments
I've been following along with the Kerberos hardening publications from Microsoft for some time.
A while back I kicked on some RC4 auditing and early on addressed my accounts with SPNs and very old service accounts. That reduced the noise quite a bit. I haven't seen RC4 activity in some time.
Fast forward to the last few months: the latest guidance was to turn on auditing via the new reg key that becomes available after patching DCs in 2026. Most DCs are very current, all current enough to support the audit/disable key settings.
The RC4DefaultDisablementPhase value has been set to 1 on all DCs for over a month and no events have been logged. Here I'm thinking I'm in good shape.
On a given DC I am running Get-KerbEncryptionUsage.ps1 -encryption RC4
And get unexpected results.
A Linux appliance of mine is the only thing generating events this script detects.
Fields are as follows:
MachineName (my dc)
Time (timestamp)
Requestor (IP address of appliance)
Source (appliancename$@domain)
Target (krbtgt)
Type (TGS)
Ticket (AES256-SHA96)
SessionKey (RC4)
Interesting, I thought... Ok, well, I'll upgrade the reg key to 2 (disable), but I still see these events and the appliance still seems fine.
I expected the appliance to break and to see some audit entries (201-209) if I needed to worry, but the appliance is working and there are no audit events (201-209)...
I opened a ticket with the vendor when I first saw this and expected things to break and show them after enforcing RC4 disablement, but here we are...
ChangeWindowZombie@reddit
I don't remember what the Microsoft ps1 returns for output, so I would open Event Viewer and find one of the 4768 events for the account(s) in question. That will show you the account's msDS-SupportedEncryptionTypes. Unless the account only supports RC4, nothing should break when RC4 is disabled.
If the account only supports RC4, it's possible the account is authenticating with another DC where you have not disabled RC4.
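The check described in the comment above, as an added example that is not from the thread or from Microsoft's script: it decodes an account's msDS-SupportedEncryptionTypes bitmask (the documented flag values for that attribute) and reports whether the account is RC4-only. The Get-AccountEncTypes helper and the sample values are constructed for illustration; the live lookup assumes the ActiveDirectory module is available on the DC.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag RC4-only accounts.
# Flag values are the documented bits of the attribute (MS-KILE / MS-ADTS).
$EncTypeFlags = [ordered]@{
    'DES_CBC_CRC'                = 0x01
    'DES_CBC_MD5'                = 0x02
    'RC4_HMAC'                   = 0x04
    'AES128_CTS_HMAC_SHA1_96'    = 0x08
    'AES256_CTS_HMAC_SHA1_96'    = 0x10
    'AES256_CTS_HMAC_SHA1_96_SK' = 0x20   # AES256 for session keys only
}

function ConvertFrom-SupportedEncryptionTypes {
    param([object]$Value)   # attribute value as returned by AD; may be $null
    if ($null -eq $Value -or [int]$Value -eq 0) {
        # Unset/zero means the KDC default applies (post-Nov-2022 DCs: DefaultDomainSupportedEncTypes),
        # so the attribute alone does not tell you what the account will negotiate.
        return [pscustomobject]@{
            Raw = $Value; Names = @(); SupportsAES = $null; RC4Only = $null
            Note = 'attribute unset: DC default applies'
        }
    }
    $v = [int]$Value
    $names = foreach ($kv in $EncTypeFlags.GetEnumerator()) { if ($v -band $kv.Value) { $kv.Key } }
    $aes = ($v -band 0x18) -ne 0                       # AES128 or AES256 ticket encryption
    [pscustomobject]@{
        Raw         = ('0x{0:X}' -f $v)
        Names       = @($names)
        SupportsAES = $aes
        RC4Only     = (($v -band 0x04) -ne 0) -and -not $aes
        Note        = ''
    }
}

# Live lookup (assumed helper, needs the ActiveDirectory module); the account name is a placeholder.
function Get-AccountEncTypes {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties msDS-SupportedEncryptionTypes
    if (-not $obj) { throw "no object with sAMAccountName $SamAccountName" }
    ConvertFrom-SupportedEncryptionTypes $obj.'msDS-SupportedEncryptionTypes'
}

# Offline check with constructed values: AES+RC4, RC4-only, AES-only, unset.
0x1C, 0x04, 0x18, $null | ForEach-Object { ConvertFrom-SupportedEncryptionTypes $_ } | Format-Table -AutoSize
# Example live call on a DC:  Get-AccountEncTypes 'appliancename$'
```

Only the RC4-only row is the one that stops working when the KDC refuses RC4; an account with both AES and RC4 bits set simply moves to AES, which matches the comment's point that nothing should break unless RC4 is the account's only option.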
HumbleSpend8716@reddit
Bro, what the fuck is get-kerbencryptionkeyusage.ps1? I appreciate that it may be a widespread script written by some msft dude, but no one in here knows what it is unless they already do; it's not a thing on systems by default in a known place. Please don't ask questions about stuff without all the details.
XInsomniacX06@reddit
Did you even read the guidance? Please don't comment unless you're familiar with the content; otherwise you're just loud and wrong and sound like a condescending know-it-all. Your personal opinion is not helpful or educational. OP, I also wouldn't expect the sysadmin thread to comment here; they don't typically touch it, it's more for Directory Services. Try the ActiveDirectory Reddit.
HumbleSpend8716@reddit
Plenty involved in RC4 at our org, actually. Should fucking paste links for scripts if they aren't somewhere known. If they are somewhere known, share the path. Why limit knowledge. Dumb.
zero0n3@reddit
Involved with RC4, but not aware of the year+ push MS has been doing to harden Kerberos ?
Doubt.
clexecute@reddit
Yo, what? On what planet do you live where sysadmins aren't intertwined with AD?
WendoNZ@reddit
Hard disagree, I'd say more than 80% of the people here deal with AD daily. I agree the AD subreddit might be better, but I'm almost certain there is a large audience here too
cgklowd@reddit (OP)
Thank you. I saw a bit of RC4 discussion in sysadmin and started here. I'll post there as well.
XInsomniacX06@reddit
Search the Reddit first; it may have already been addressed/discussed. Great resources there.
cgklowd@reddit (OP)
The script is linked from the official hardening guide here: https://learn.microsoft.com/en-us/windows-server/security/Kerberos/detect-remediate-rc4-kerberos
HumbleSpend8716@reddit
excellent ty
cgklowd@reddit (OP)
The script pulls events from the Security event log (IDs 4768 and 4769) if they show RC4 usage.
The fields I gave are from an event that I see over and over again. The script source is less important. The event it pulled is a repetitive 4769.
hybrid0404@reddit
I'm a little confused by your post. Are you curious as to why nothing broke?
cgklowd@reddit (OP)
Good question I may need to re-edit my original post.
I'm curious why nothing broke and whether RC4 on session keys only is problematic going forward.
I was under the assumption that disabling RC4 on that DC with that reg key would have broken something or generated different events highlighting action on my part.
hybrid0404@reddit
The 201-209 event IDs are typically an indicator of why something might break or is breaking, depending on the enforcement phase.
The Get-KerbEncryptionUsage.ps1 just helps you identify RC4 tickets that are present, it doesn't necessarily mean there will be a problem when RC4 goes away.
There are several reasons why things will break, and those scripts are just about creating visibility. You lucked out in that your Linux appliance was probably just negotiating RC4 because Microsoft Kerberos kinda sucks and chooses the crap protocol when it can.
If you really care that much, it might help to see the actual 4768/4769 events themselves vs. looking at the parsed output from the script. Additionally, the other script from the same post you listed could shed some light as well. The Linux appliance is probably configured to support RC4 and AES, so it flipped to AES.
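The "look at the actual 4768/4769 events" suggestion above, and the OP's field list earlier in the thread, as an added example that is neither the thread's nor Microsoft's Get-KerbEncryptionUsage.ps1: it parses the event XML a DC produces for 4768/4769, decodes the ticket etype (and the session-key etype where the event carries one) and flags RC4 on either. The etype numbers are the standard Kerberos codes; the field name SessionKeyEncryptionType is an assumption for the newer events that report the session key, and the sample event below is constructed to mirror the OP's output (AES256 ticket, RC4 session key), not a real log line.

```powershell
# Added example: decode 4768/4769 Security events and flag RC4 tickets or session keys.
# Etype codes per RFC 3961 / MS-KILE; events report them as hex strings such as "0x17".
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC';  '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'; '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC';     '0x18' = 'RC4-HMAC-EXP'
}
$Rc4Codes = '0x17', '0x18'

function Resolve-Etype {
    param([string]$Code)
    if (-not $Code) { return 'n/a' }
    if ($EtypeNames.ContainsKey($Code)) { $EtypeNames[$Code] } else { "unknown($Code)" }
}

function ConvertFrom-KerbEventXml {
    # Takes the XML string from (Get-WinEvent ...).ToXml() and returns one row per event.
    param([Parameter(Mandatory)][string]$Xml)
    $e = [xml]$Xml
    $data = @{}
    foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ticket  = $data['TicketEncryptionType']
    $session = $data['SessionKeyEncryptionType']   # assumed name; only present on DCs that log it
    [pscustomobject]@{
        EventId    = [int]$e.Event.System.EventID
        Time       = $e.Event.System.TimeCreated.SystemTime
        Source     = $data['TargetUserName']       # requesting account
        Requestor  = $data['IpAddress']
        Target     = $data['ServiceName']          # krbtgt for a TGT, the SPN owner for a service ticket
        Ticket     = Resolve-Etype $ticket
        SessionKey = Resolve-Etype $session
        RC4Ticket  = [bool]($ticket  -in $Rc4Codes)
        RC4Session = [bool]($session -in $Rc4Codes)
    }
}

# Live query on a DC: last 500 TGT/TGS events, keep only those touching RC4.
function Get-Rc4KerbEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-KerbEventXml $_.ToXml() } |
        Where-Object { $_.RC4Ticket -or $_.RC4Session }
}

# Constructed sample 4769 (not a real log line): AES256 ticket with an RC4 session key.
$Sample4769 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2026-01-15T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">appliancename$@EXAMPLE.LOCAL</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="SessionKeyEncryptionType">0x17</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@
ConvertFrom-KerbEventXml $Sample4769 | Format-List
```

Reading the raw etypes this way separates the two things the script's output collapses: a ticket encrypted with RC4 means the target account's key is RC4, which is the case that breaks when the KDC stops issuing RC4; an RC4 session key under an AES ticket means the client or KDC negotiated a weaker session key, which is the case the OP is seeing and which the 4768 event's supported-etype information is the better place to confirm.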