Disable Rc4Hmac Kerberos

Set all users to use Kerberos AES128/AES256

```powershell
Import-Module ActiveDirectory

# The numerical values for Kerberos AES encryption types to support
$AES128 = 0x8
$AES256 = 0x10

# Fetch all users from an OU with their current supported encryption types attribute
$Users = Get-ADUser -Filter * -SearchBase "OU=SecureUsers,OU=Users,DC=domain,DC=tld" -Properties "msDS-SupportedEncryptionTypes"
foreach($User in $Users)
{
    # Read the current bitmask (the attribute name ends in "Types")
    $encTypes = $User."msDS-SupportedEncryptionTypes"
    # If neither AES type is currently supported, enable AES256
    if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)
    {
        Set-ADUser $User -Replace @{"msDS-SupportedEncryptionTypes"=($encTypes -bor $AES256)}
    }
}
```

  1. Open the Group Policy Management (gpmc.msc) and navigate to Group Policy Objects
  2. The following changes should be made in a Group Policy that is applied to all computer objects in the domain. 
  3. Open the desired group policy object by right-clicking on it and clicking on Edit
  4. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
  5. Open the policy Network security: Configure encryption types allowed for Kerberos
  6. Deactivate the following entries and confirm with a click on OK:
    1. DES_CBC_CRC
    2. DES_CBC_MD5
    3. RC4_HMAC_MD5
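
Before the policy above is enforced, it helps to see which accounts still lack an AES bit or still list DES/RC4 in `msDS-SupportedEncryptionTypes`. The following audit helper is an added example, not part of the original page; the function name `Get-EncTypeReport` and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag accounts to review.
# Bit values of the attribute, named as in the policy dialog.
$EncTypeBits = [ordered]@{
    'DES_CBC_CRC'  = 0x1
    'DES_CBC_MD5'  = 0x2
    'RC4_HMAC_MD5' = 0x4
    'AES128'       = 0x8
    'AES256'       = 0x10
}

# Hypothetical helper: accepts user objects from the pipeline.
function Get-EncTypeReport {
    param([Parameter(ValueFromPipeline)] $User)
    process {
        # An unset attribute reads as $null; [int] turns that into 0.
        $mask  = [int]($User.'msDS-SupportedEncryptionTypes')
        $names = @($EncTypeBits.Keys | Where-Object { $mask -band $EncTypeBits[$_] })
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Mask           = '0x{0:X}' -f $mask
            EncTypes       = if ($names) { $names -join ', ' } else { '(not set)' }
            HasAES         = [bool]($mask -band 0x18)   # AES128 or AES256
            WeakListed     = [bool]($mask -band 0x7)    # DES or RC4 still listed
        }
    }
}

# Constructed sample objects so the block runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   'msDS-SupportedEncryptionTypes' = 0x18 }
    [pscustomobject]@{ SamAccountName = 'svc-old'; 'msDS-SupportedEncryptionTypes' = 0x4 }
    [pscustomobject]@{ SamAccountName = 'bob';     'msDS-SupportedEncryptionTypes' = $null }
)

# Show only accounts without AES or with a weak type still listed.
$sample | Get-EncTypeReport |
    Where-Object { -not $_.HasAES -or $_.WeakListed } |
    Format-Table -AutoSize

# Against the directory, pipe the same Get-ADUser query used in the script above:
# $Users | Get-EncTypeReport | Where-Object { -not $_.HasAES -or $_.WeakListed }
```

With the sample data, `svc-old` (RC4 only) and `bob` (attribute not set) are reported, while `alice` (mask 0x18) is not.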
