Set all Users to use Kerboros AES128\\256<\/p>\n\n\n\n
# 0x18 = AES128 + AES256 only (decimal 24)\nSet-ADUser iposservice -Replace @{\n \"msDS-SupportedEncryptionTypes\" = 24\n}<\/code><\/pre>\n\n\n\n# The numerical values for Kerberos AES encryption types to support\n$AES128 = 0x8\n$AES256 = 0x10\n\n# Fetch all users from an OU with their current support encryption types attribute\n$Users = Get-ADUser -Filter * -SearchBase \"OU=SecureUsers,OU=Users,DC=domain,DC=tld\" -Properties \"msDS-SupportedEncryptionTypes\"\nforeach($User in $Users)\n{\n # If none are currently supported, enable AES256\n $encTypes = $User.\"msDS-SupportedEncryptionType\"\n if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)\n {\n Set-ADUser $User -Replace @{\"msDS-SupportedEncryptionTypes\"=($encTypes -bor $AES256)}\n }\n}<\/code><\/pre>\n\n\n\n\n- Open the Group Policy Management (gpmc.msc)<\/em> and navigate to Group Policy Objects<\/em><\/li>\n\n\n\n
- The following changes should be made in a Group Policy that is applied to all computer objects in the domain. <\/li>\n\n\n\n
- Open the desired group policy object by right-clicking on it and clicking on Edit<\/em><\/li>\n\n\n\n
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options<\/em><\/li>\n\n\n\n
- Open the policy Network security: Configure encryption types allowed for Kerberos<\/em><\/li>\n\n\n\n
- Deactivate the following entries and confirm with a click on OK<\/em>:\n
\n- DES_CBC_CRC<\/li>\n\n\n\n
- DES_CBC_MD5<\/li>\n\n\n\n
- RC4_HMAC_MD5<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/azuregeek.io\/wp-content\/uploads\/2021\/01\/EcnryptionTypesAllowedForKerberos.png\")
<\/figure>\n<\/div>\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Check Useage Detect and Remediate RC4 Usage in Kerberos | Microsoft Learn Set all Users to use Kerboros AES128\\256<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7391","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=7391"}],"version-history":[{"count":4,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7391\/revisions"}],"predecessor-version":[{"id":9561,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7391\/revisions\/9561"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=7391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=7391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=7391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}