{"id":7391,"date":"2024-10-05T07:11:31","date_gmt":"2024-10-05T07:11:31","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7391"},"modified":"2026-04-14T03:17:42","modified_gmt":"2026-04-14T03:17:42","slug":"disable-rc4hmac-kerberos","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/disable-rc4hmac-kerberos","title":{"rendered":"Disable Rc4Hmac Kerberos"},"content":{"rendered":"\n

Check Useage <\/p>\n\n\n\n

Detect and Remediate RC4 Usage in Kerberos | Microsoft Learn<\/a><\/p>\n\n\n\n

Set all Users to use Kerboros AES128\\256<\/p>\n\n\n\n

# 0x18 = AES128 + AES256 only (decimal 24)\nSet-ADUser iposservice -Replace @{\n    \"msDS-SupportedEncryptionTypes\" = 24\n}<\/code><\/pre>\n\n\n\n
# The numerical values for Kerberos AES encryption types to support\n$AES128 = 0x8\n$AES256 = 0x10\n\n# Fetch all users from an OU with their current support encryption types attribute\n$Users = Get-ADUser -Filter * -SearchBase \"OU=SecureUsers,OU=Users,DC=domain,DC=tld\" -Properties \"msDS-SupportedEncryptionTypes\"\nforeach($User in $Users)\n{\n    # If none are currently supported, enable AES256\n    $encTypes = $User.\"msDS-SupportedEncryptionType\"\n    if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)\n    {\n        Set-ADUser $User -Replace @{\"msDS-SupportedEncryptionTypes\"=($encTypes -bor $AES256)}\n    }\n}<\/code><\/pre>\n\n\n\n
    \n
  1. Open the Group Policy Management (gpmc.msc)<\/em> and navigate to Group Policy Objects<\/em><\/li>\n\n\n\n
  2. The following changes should be made in a Group Policy that is applied to all computer objects in the domain. <\/li>\n\n\n\n
  3. Open the desired group policy object by right-clicking on it and clicking on Edit<\/em><\/li>\n\n\n\n
  4. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options<\/em><\/li>\n\n\n\n
  5. Open the policy Network security: Configure encryption types allowed for Kerberos<\/em><\/li>\n\n\n\n
  6. Deactivate the following entries and confirm with a click on OK<\/em>:\n
      \n
    1. DES_CBC_CRC<\/li>\n\n\n\n
    2. DES_CBC_MD5<\/li>\n\n\n\n
    3. RC4_HMAC_MD5<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n
      \n
      \"\"<\/figure>\n<\/div>\n\n\n
      <\/p>\n","protected":false},"excerpt":{"rendered":"
      Check Useage Detect and Remediate RC4 Usage in Kerberos | Microsoft Learn Set all Users to use Kerboros AES128\\256<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7391","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t