  • For User accounts I think there are tick boxes you can use in the Account tab in the Options list.

    For Computer objects I think you can control this via the msDS-SupportedEncryptionTypes attribute, which depending on the value will enable/disable different encryption options; the blog post here describes what values you can use:

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797
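The attribute described in the answer above is a bitmask, so the practical job is to decode what each computer object currently advertises, find the ones that still allow DES or RC4 (or have the attribute unset), and set them to AES only. The following is an added example, not code from the thread or from the linked blog post. It assumes the ActiveDirectory RSAT module, write access to the computer objects, and an illustrative OU name; the bit values are the documented ones for msDS-SupportedEncryptionTypes (the same bits the user-account tick boxes and the Kerberos encryption-types GPO set).

```powershell
# Added example (not from the thread): audit AD computer objects for the Kerberos
# encryption types they advertise and move them to AES-only.
# Assumes the ActiveDirectory RSAT module and rights to modify the objects.
Import-Module ActiveDirectory

# Documented bit values of msDS-SupportedEncryptionTypes
$KerbEncType = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}
$AesOnly = 0x18   # AES128 + AES256 = 24 decimal

function ConvertFrom-KerbEncTypes {
    # Turn the integer attribute value into the list of names it enables.
    param($Value)
    if ($null -eq $Value -or $Value -eq 0) {
        # Unset means the KDC default applies, which historically has meant RC4.
        return @('<not set>')
    }
    $KerbEncType.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-ComputerKerbEncTypes {
    # SearchBase is an assumption; point it at the OU holding the hosts you care about.
    param([string]$SearchBase = 'OU=Servers,DC=example,DC=com')
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $raw = $_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                Raw               = $raw
                Enabled           = (ConvertFrom-KerbEncTypes $raw) -join ', '
                # Weak if unset, or if any DES/RC4 bit (0x01|0x02|0x04) is on
                Weak              = ($null -eq $raw) -or (($raw -band 0x07) -ne 0)
            }
        }
}

function Set-ComputerAesOnly {
    # Writes the AES-only value; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(ValueFromPipelineByPropertyName)][string]$DistinguishedName,
        [Parameter(ValueFromPipelineByPropertyName)][string]$Name
    )
    process {
        if ($PSCmdlet.ShouldProcess($Name, "Set msDS-SupportedEncryptionTypes = $AesOnly")) {
            Set-ADComputer -Identity $DistinguishedName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
        }
    }
}

# Usage: list the weak objects, preview the change, then drop -WhatIf to apply it
$weak = Get-ComputerKerbEncTypes | Where-Object Weak
$weak | Format-Table Name, Raw, Enabled
$weak | Set-ComputerAesOnly -WhatIf
```

Before applying this to a non-Windows host, make sure the keytab on that host actually contains AES keys (regenerate it with whatever tool joined the machine if it only has RC4 keys); once the object advertises AES only, the KDC issues AES service tickets for it, and a service that cannot decrypt them simply stops authenticating clients.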

    6 Replies

    • Best way to do this for all computers would probably be GPO.
      Get a list of the detected suites, and then deploy a script to run the following powershell cmdlet for each detection.

      Disable-TlsCipherSuite -Name <name of the unwanted suite>

      Or patch the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 with the approved list from a reference computer

      If you don't mind going to all computers, the PowerShell cmdlet can be used manually, or you can use the Nartac IISCrypto utility

    • RafaelRocha wrote:

      Best way to do this for all computers would probably be GPO.
      Get a list of the detected suites, and then deploy a script to run the following powershell cmdlet for each detection.

      Disable-TlsCipherSuite -Name <name of the unwanted suite>

      Or patch the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 with the approved list from a reference computer

      If you don't mind going to all computers, the PowerShell cmdlet can be used manually, or you can use the Nartac IISCrypto utility

      In this case, these are not Windows machines

    • Hello,

      First of all, what kind of OS is running on your client computers? They need to be at least on Win 7 to fully support stronger Kerberos protocols.

      To change Kerberos encryption types, you can take a look at "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos" in your GPO.

      If you want to disable weak encryption protocols, you should also take a look at this article: https://social.technet.microsoft.com/Forums/windowsserver/en-US/c46ebe8d-f7a8-4545-9ff1-1e19aa19385f... ("Recommended Registry Settings for Disabling Weak Ciphers are not working?")
    • Nick-C wrote:

      For User accounts I think there are tick boxes you can use in the Account tab in the Options list.

      For Computer objects I think you can control this via the msDS-SupportedEncryptionTypes attribute, which depending on the value will enable/disable different encryption options; the blog post here describes what values you can use:

      https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

      Yeah, the user one was easy. I found the attribute for the computer objects, but didn't find the cheat sheet you linked. Thanks for that.
    • If you're looking to deal with Windows machines - the operating system and reconfiguration to get rid of "3DES" - I'd go get the Nartac IISCrypto tool to both look at what it currently is and figure out the reconfiguration. You would be impacting the operating system instance, and that likely would mitigate what your "computer objects" will use. It won't fix an application that is older and doesn't have a complete understanding of the world you change the configuration to.
      Your mitigation could be as simple as pressing Best Practices and then removing the ciphers with *3DES* in the middle of their name.
      Note also, if you are using Group Policy, that the string created from the enabled ciphers is limited to 1023 characters. You may have to shorten the list to get the concatenated result short enough to come through.
      In the Linux world, when I need to reconfigure ciphers and protocols, I go to the Mozilla SSL Configuration tool to get a new setup for what I run for my web server and openssl: https://ssl-config.mozilla.org. Plug in the details about things and then choose whether you want Modern, Intermediate or Old support.
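RafaelRocha's reply (Disable-TlsCipherSuite per detected suite, or copying the 00010002 list from a reference machine) and the reply above (strip the *3DES* suites, mind the 1023-character GPO string) describe the same procedure for Windows hosts, so one added example covers both. This is not code from either poster: it assumes Windows 10 / Server 2016 or later, where the TLS cipher-suite cmdlets exist, an elevated shell, and that "3DES", "RC4" and "NULL" are the patterns your policy treats as weak.

```powershell
# Added example (not from the thread): find the weak TLS suites a Windows host still
# enables, disable them, and check that the remaining list fits the GPO's 1023-character
# "SSL Cipher Suite Order" string. Needs an elevated shell on Win10/Server 2016 or later.
$WeakPatterns = @('3DES', 'RC4', 'NULL')   # assumed policy; adjust to your scan findings

function Get-WeakTlsCipherSuite {
    # Get-TlsCipherSuite -Name matches on substring, so '3DES' returns every 3DES suite
    foreach ($p in $WeakPatterns) { Get-TlsCipherSuite -Name $p }
}

function Disable-WeakTlsCipherSuite {
    # Runs Disable-TlsCipherSuite for each detection; supports -WhatIf for a dry run
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($suite in Get-WeakTlsCipherSuite) {
        if ($PSCmdlet.ShouldProcess($suite.Name, 'Disable-TlsCipherSuite')) {
            Disable-TlsCipherSuite -Name $suite.Name
        }
    }
}

function Get-LocalCipherSuiteOrder {
    # The list RafaelRocha suggests copying from a reference machine: the REG_MULTI_SZ
    # 'Functions' value under the local SSL configuration key
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    (Get-ItemProperty -Path $key -Name Functions).Functions
}

function Test-GpoCipherSuiteString {
    # The GPO setting takes a single comma-separated string, which the thread notes is
    # capped at 1023 characters; report whether the cleaned list fits
    param(
        [string[]]$Suites = (Get-LocalCipherSuiteOrder | Where-Object { $_ -notmatch ($WeakPatterns -join '|') })
    )
    $joined = $Suites -join ','
    [pscustomobject]@{
        Suites       = $Suites.Count
        Length       = $joined.Length
        FitsGpoLimit = ($joined.Length -le 1023)
        Value        = $joined
    }
}

# Usage: see what would be removed, apply it, then check the GPO string length
Disable-WeakTlsCipherSuite -WhatIf
Disable-WeakTlsCipherSuite
Test-GpoCipherSuiteString | Format-List Suites, Length, FitsGpoLimit
```

If FitsGpoLimit comes back false, trim the list down to the suites you actually need before pasting it into the policy; a string longer than the cap is silently truncated rather than rejected, which is the failure mode the reply above is warning about.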
