Consider RC4 deprecated too - not just DES
Been playing around with PingCastle a little and while it seems to detect DES enabled accounts as a security issue it does not scan for RC4 enabled objects.
Looking at the following links it seems like a good idea to work towards deprecating RC4
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797
- https://datatracker.ietf.org/doc/html/rfc8429
- https://adsecurity.org/?p=3458
A common scenario where RC4 is used is apparently Kerberoasting - something I'd personally like to make impossible or at least as hard as possible.
Looking at how the "msDS-SupportedEncryptionTypes" attribute is already evaluated for DES it should be easy enough to add a warning for RC4 to the scanner.
Though it is important to remember that you might not be able to disable RC4 in your domain if you still have clients with the following OS installed: Windows 2000 Server, Windows XP, or Windows Server 2003
See: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
I'll consider this, but not on the next release. There is no audit framework that considers this and this is also the default for the domain.
Thanks. That's good enough for me for now.
Just stumbled over it while researching stuff and thought this might be a nice addition for those who want to go above and beyond securing their domain. :)
I believe that disabling RC4 support is part of the CIS level1 benchmarks for 2016/2019/win10 devices.
Possibly PingCastle could have two checks:
- check the msDS-SupportedEncryptionTypes attribute for accounts with SPNs set to ensure AES support is enabled, thus ensuring SPNs can be provided in the highest supported encryption type by default
- check for a GPO that tells clients to disable RC4 support for Kerberos authentication, helping to stop the opportunity for an attacker to downgrade to RC4
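As an added example (not PingCastle's own code), here is a small Python version of the first proposed rule: decode msDS-SupportedEncryptionTypes for SPN-bearing accounts and flag DES, RC4, or missing AES. It assumes that an absent or zero attribute is treated as RC4-only for a service account (the historical default mentioned above; labelled as an assumption in the code) and runs on constructed sample records rather than a real directory.

```python
# Added example, not PingCastle code: audit msDS-SupportedEncryptionTypes on
# accounts that carry an SPN, the accounts exposed to Kerberoasting.
from typing import Dict, Iterable, List, Optional, Tuple

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS = 0x08
AES256_CTS = 0x10

ETYPE_NAMES = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5",
               RC4_HMAC: "RC4-HMAC", AES128_CTS: "AES128", AES256_CTS: "AES256"}


def effective_etypes(value: Optional[int]) -> int:
    """Bitmask the KDC is assumed to use for a service account.
    Assumption: an unset or zero attribute means RC4-only (historical default)."""
    return value if value else RC4_HMAC


def describe(mask: int) -> List[str]:
    """Human-readable list of the encryption types enabled in a mask."""
    return [name for bit, name in ETYPE_NAMES.items() if mask & bit]


def audit_spn_accounts(records: Iterable[Dict]) -> List[Tuple[str, List[str], List[str]]]:
    """Return (account, enabled etypes, issues) for each SPN account with a weak setup."""
    findings = []
    for rec in records:
        if not rec.get("servicePrincipalName"):
            continue  # accounts without SPNs are not Kerberoastable
        mask = effective_etypes(rec.get("msDS-SupportedEncryptionTypes"))
        issues = []
        if mask & (DES_CBC_CRC | DES_CBC_MD5):
            issues.append("DES enabled")
        if mask & RC4_HMAC:
            issues.append("RC4 enabled")
        if not mask & (AES128_CTS | AES256_CTS):
            issues.append("no AES")
        if issues:
            findings.append((rec["sAMAccountName"], describe(mask), issues))
    return findings


# Constructed sample records (not real directory data).
SAMPLE = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01:1433"],
     "msDS-SupportedEncryptionTypes": None},                       # attribute unset
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01"],
     "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS},     # AES only: clean
    {"sAMAccountName": "svc_old", "servicePrincipalName": ["HOST/legacy"],
     "msDS-SupportedEncryptionTypes": DES_CBC_MD5 | RC4_HMAC | AES256_CTS},
    {"sAMAccountName": "alice", "servicePrincipalName": [],        # no SPN: skipped
     "msDS-SupportedEncryptionTypes": None},
]
```

Running `audit_spn_accounts(SAMPLE)` reports svc_sql (RC4 only, no AES) and svc_old (DES and RC4 still enabled alongside AES), while svc_web and alice produce no finding.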
The latter smells more like an informational level rule as RC4 is still supported and used for the time being.
Did someone see if it is in the current (beta) version?