Remove the highly insecure DES encryption from the User accounts

Why Consider this

DES encryption uses a 56-bit key and is now considered highly insecure: the full key space can be searched by brute force. An account that is configured to use DES for Kerberos therefore puts every ticket and pre-authentication exchange for that account at significantly greater risk of being decrypted offline, which exposes the account's long-term key and lets an attacker impersonate the account.


Context & Best Practices

DES is considered weak cryptography and is no longer enabled by default in Kerberos authentication in Windows 7 and Windows Server 2008 R2.

This setting used to be required when the user account or trust was used from an operating system, Java platform, or Kerberos implementation that did not support RC4, so the account was changed to support DES only. The same requirement can apply to trusts with older, non-Windows Kerberos realms. Even if the operating system or platform has since been upgraded to support RC4 or Advanced Encryption Standard (AES), the accounts may never have been updated and will still be restricted to DES. Another possible cause is an application that has hard-coded its Kerberos encryption types.

Because the key length for DES is only 56 bits, even commodity computer hardware is considered capable of recovering the key of DES-encrypted content in less than two days. You are therefore recommended to remove this setting wherever it is present. Note also that because DES is disabled by default on Windows Server 2008 R2 and later domain controllers, an account that is still restricted to DES may already be unable to authenticate with Kerberos and may be silently falling back to NTLM.

Suggested Actions

On all the identified user accounts, review any remaining requirements for the account to use DES encryption, and then clear the Use Kerberos DES encryption types for this account option.

The following cmdlet will identify all user accounts where DES encryption is enabled.

Get-ADUser -Filter {UserAccountControl -band 0x200000}
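The following script is an added example and is not part of the original article or of Microsoft's own tooling. It extends the cmdlet above in two ways: it also catches accounts whose msDS-SupportedEncryptionTypes attribute is restricted to the DES bits (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5) even when the userAccountControl flag is not set, and it separates the review step (export a report) from the remediation step (clear the flag with Set-ADAccountControl). The function names Get-DesOnlyUser and Remove-DesOnlyFlag and the output file name are assumptions made for this example; the attribute names, flag values and cmdlets are standard ActiveDirectory module items.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) and permission to read and modify the affected accounts.
Import-Module ActiveDirectory

# userAccountControl bit set by "Use Kerberos DES encryption types for this account".
$UF_USE_DES_KEY_ONLY = 0x200000   # 2097152

# msDS-SupportedEncryptionTypes bits for the DES types; 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
$ENC_DES_MASK = 0x1 -bor 0x2

function Get-DesOnlyUser {
    # Returns every user that is restricted to DES either by the UAC flag or by
    # msDS-SupportedEncryptionTypes, with the fields an operator needs for review.
    # LDAP matching-rule OID 1.2.840.113556.1.4.803 is the bitwise AND test.
    $ldap = '(|(userAccountControl:1.2.840.113556.1.4.803:=2097152)' +
            '(&(msDS-SupportedEncryptionTypes>=1)(msDS-SupportedEncryptionTypes<=3)))'

    Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, 'msDS-SupportedEncryptionTypes',
        PasswordLastSet, LastLogonDate, ServicePrincipalName |
    ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $enc  = $_.'msDS-SupportedEncryptionTypes'
        $why  = @()
        if ($uac -band $UF_USE_DES_KEY_ONLY) { $why += 'UF_USE_DES_KEY_ONLY' }
        if ($null -ne $enc -and $enc -ne 0 -and (($enc -band (-bnot $ENC_DES_MASK)) -eq 0)) {
            $why += 'msDS-SupportedEncryptionTypes=DES only'
        }
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = $_.Enabled
            Reason             = ($why -join '; ')
            SupportedEncTypes  = $enc
            PasswordLastSet    = $_.PasswordLastSet   # old passwords may lack AES keys
            LastLogonDate      = $_.LastLogonDate
            HasSPN             = [bool]$_.ServicePrincipalName  # service accounts need extra care
        }
    }
}

function Remove-DesOnlyFlag {
    # Clears the DES-only restriction on the given accounts. With -WhatIf nothing
    # is changed; run it that way first and review the output.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$ClearSupportedEncryptionTypes   # also drop an explicit DES-only msDS-SupportedEncryptionTypes
    )
    foreach ($sam in $SamAccountName) {
        if ($PSCmdlet.ShouldProcess($sam, 'Clear UF_USE_DES_KEY_ONLY')) {
            # Same effect as unticking the checkbox in Active Directory Users and Computers.
            Set-ADAccountControl -Identity $sam -UseDESKeyOnly $false
        }
        if ($ClearSupportedEncryptionTypes -and
            $PSCmdlet.ShouldProcess($sam, 'Clear msDS-SupportedEncryptionTypes')) {
            # With the attribute absent the KDC uses the domain defaults (RC4/AES), not DES.
            Set-ADUser -Identity $sam -Clear 'msDS-SupportedEncryptionTypes'
        }
    }
}

# Step 1: review. Export the list so the decision per account is recorded.
$desUsers = Get-DesOnlyUser
$desUsers | Export-Csv -Path .\des-only-users.csv -NoTypeInformation
$desUsers | Format-Table -AutoSize

# Step 2: remediate only the accounts cleared during review, dry run first.
# Remove-DesOnlyFlag -SamAccountName $desUsers.SamAccountName -ClearSupportedEncryptionTypes -WhatIf
# Remove-DesOnlyFlag -SamAccountName $desUsers.SamAccountName -ClearSupportedEncryptionTypes
```

Two checks belong in the review step. First, the PasswordLastSet column matters because the KDC can only issue AES-encrypted tickets for an account whose AES keys were generated when its password was set; if the password predates AES support in the domain, reset it after clearing the flag so the account does not remain on RC4 indefinitely. Second, for accounts with a service principal name, confirm that the service host and any clients with hard-coded Kerberos encryption types accept RC4 or AES before the change, otherwise the service will fail to authenticate rather than fall back.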

Learn More

For additional guidance and remediation recommendations on this issue, see the Best Practice Analyzer for Active Directory issue AD DS: User accounts and trusts in this domain should not be configured for DES only, https://technet.microsoft.com/library/ff646918(WS.10).aspx