Settings/Values for DefaultDomainSupportedEncTypes etc.

Masuch, Michael 36 Reputation points
2022-11-27T16:44:17.653+00:00

I am trying to set our domain to AES128, AES256 (and future…) encryptions for Kerberos only.

Mostly the recommended values for DefaultDomainSupportedEncTypes, SupportedEncryptionTypes, msDS-SupportedEncryptionTypes are 0x18.

If I follow https://learn.microsoft.com/de-de/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919 and would like to enable FAST etc. then I would compute 0x0f0018.

Looking at other sources and looking up the value that the GPO "Network security: Configure encryption types allowed for Kerberos" sets, I encounter 0x7ffffff8.

Which values would you recommend, for which setting (DefaultDomainSupportedEncTypes, SupportedEncryptionTypes, msDS-SupportedEncryptionTypes)?

Best regards,
Michael

Windows Server Security

6 answers

Sort by: Most helpful
  1. Masuch, Michael 36 Reputation points
    2022-11-27T22:35:21.463+00:00

    Dear @risolis ,

    Thanks again for your quick answer.

    Yes, I am aware of these articles. That's where my questions arose from.
    Here they state that the value of DefaultDomainSupportedEncTypes is set to 0x27. But following the page linked below, it could also have been 0x000f0027. And if I enable the GPO "encryption types allowed for Kerberos" to (DES-CBC-CRC + DES-CBC-MD5 + RC4-HMAC + future), then the registry value of SupportedEncryptionTypes would be 0x7fffffe7.

    1 person found this answer helpful.
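Every value quoted in the question and in the reply above (0x18, 0x0f0018, 0x7ffffff8, 0x27, 0x000f0027, 0x7fffffe7) is the same MS-KILE section 2.2.7 bit mask with different bits set, so the easiest way to sanity-check a candidate value for DefaultDomainSupportedEncTypes, SupportedEncryptionTypes or msDS-SupportedEncryptionTypes is to encode and decode it. The following is an added example written for this page, not code from the original poster, from Microsoft, or from the linked articles. The flag names are my own labels; the bit positions are those documented in MS-KILE 2.2.7, with the 0x20 bit named after the KB5021131 revision; the "Future encryption types" range (0x7fffffe0) is inferred from the two GPO values quoted in the thread (0x7ffffff8 for AES128 + AES256 + future, 0x7fffffe7 for DES + RC4 + future), which only differ in bits 0 through 4.

```python
# Encode/decode the Kerberos "supported encryption types" bit mask
# (msDS-SupportedEncryptionTypes, SupportedEncryptionTypes,
# DefaultDomainSupportedEncTypes). Added example for this page; not code
# from the original poster or from Microsoft.

# Bit values per MS-KILE section 2.2.7. Flag names are labels chosen here.
ENC_TYPE_BITS = {
    "DES-CBC-CRC":                       0x00000001,
    "DES-CBC-MD5":                       0x00000002,
    "RC4-HMAC":                          0x00000004,
    "AES128-CTS-HMAC-SHA1-96":           0x00000008,
    "AES256-CTS-HMAC-SHA1-96":           0x00000010,
    "AES256-CTS-HMAC-SHA1-96-SK":        0x00000020,  # name per KB5021131 revision
    "FAST-supported":                    0x00010000,
    "Compound-identity-supported":       0x00020000,
    "Claims-supported":                  0x00040000,
    "Resource-SID-compression-disabled": 0x00080000,
}

# Assumption inferred from the thread: the GPO writes 0x7ffffff8 for
# AES128 + AES256 + "Future encryption types" and 0x7fffffe7 for
# DES-CRC + DES-MD5 + RC4 + "Future encryption types", so "future"
# must be every bit from 5 up to 30 (bit 31 is never set; the attribute
# is a signed 32-bit integer in AD).
FUTURE_ENC_TYPES = 0x7FFFFFE0

# Bits that, if set, still permit the legacy ciphers the thread wants gone.
LEGACY_MASK = ENC_TYPE_BITS["DES-CBC-CRC"] | ENC_TYPE_BITS["DES-CBC-MD5"] | ENC_TYPE_BITS["RC4-HMAC"]

KNOWN_MASK = 0
for _bit in ENC_TYPE_BITS.values():
    KNOWN_MASK |= _bit


def encode(*names: str, future: bool = False) -> int:
    """Build a mask from flag names; future=True mirrors the GPO checkbox."""
    mask = 0
    for name in names:
        mask |= ENC_TYPE_BITS[name]  # KeyError on a typo, deliberately
    if future:
        mask |= FUTURE_ENC_TYPES
    return mask


def decode(value: int) -> dict:
    """Split a mask into named flags, unassigned bits, and a legacy-cipher check."""
    if not 0 <= value <= 0x7FFFFFFF:
        raise ValueError("mask must fit in a non-negative signed 32-bit integer")
    flags = [name for name, bit in ENC_TYPE_BITS.items() if value & bit]
    return {
        "flags": flags,
        "unassigned_bits": value & ~KNOWN_MASK & 0x7FFFFFFF,
        "allows_rc4_or_des": bool(value & LEGACY_MASK),
    }


if __name__ == "__main__":
    # The values discussed in the thread, reproduced from their flag sets.
    aes_only = encode("AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96")
    aes_fast = encode("AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96",
                      "FAST-supported", "Compound-identity-supported",
                      "Claims-supported", "Resource-SID-compression-disabled")
    gpo_aes_future = encode("AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96", future=True)
    for label, v in (("AES only", aes_only), ("AES + FAST bits", aes_fast),
                     ("GPO AES + future", gpo_aes_future), ("KB default", 0x27)):
        d = decode(v)
        print(f"{label:18} 0x{v:08x} {d['flags']} legacy={d['allows_rc4_or_des']}")
```

The decoder's `allows_rc4_or_des` field is the check worth running before writing any of these values: 0x7ffffff8 and 0x18 both clear it, while 0x27 (the KB5021131 default) and 0x7fffffe7 still have RC4 and DES set. `unassigned_bits` shows which of the "future" bits carry no documented meaning yet, which is what distinguishes 0x7ffffff8 from 0x0f0018.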

  2. Masuch, Michael 36 Reputation points
    2022-12-02T16:20:55.653+00:00

    Hi @risolis ,

    What I am looking for is not stated there.

    Maybe someone from Microsoft developing these systems can have a look?

    Best,
    Michael

    1 person found this answer helpful.

  3. risolis 8,711 Reputation points
    2022-11-27T19:06:32.727+00:00

    Hello @Masuch, Michael

    Thank you for sharing this question on this community space.

    After reading your case scenario description, I am wondering if you have reviewed the following info...

    https://support.microsoft.com/en-gb/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

    https://dirteam.com/sander/2022/11/08/spend-some-time-on-properly-configuring-and-monitoring-your-domain-controllers-this-patch-tuesday/

    https://borncity.com/win/2022/11/10/updates-for-windows-nov-2022-changes-in-netlogon-and-kerberos-protocol-causing-issues/

    I hope you can find this useful to overcome your concern.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  4. risolis 8,711 Reputation points
    2022-11-28T00:22:54.733+00:00

    Hi @Masuch, Michael

    I was taking a look at this concern from IANA documentation, and I was able to find the same cipher suites stated by you, but it seems to be deprecated as mentioned down below:

    DES-CBC-CRC/DES-CBC-MD5/RC4-HMAC

    https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  5. risolis 8,711 Reputation points
    2022-11-29T04:40:16.913+00:00