The November 8, 2022 and later Windows updates address security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation. This update will set AES as the default encryption type for session keys on accounts that are not marked with a default encryption type already.

To help secure your environment, install the Windows update that is dated November 8, 2022 or a later Windows update to all devices, including domain controllers. To learn more about these vulnerabilities, see CVE-2022-37966.

Discovering Explicitly Set Session Key Encryption Types

You may have explicitly defined encryption types on your user accounts that are vulnerable to CVE-2022-37966. Look for accounts where DES / RC4 is explicitly enabled but not AES using the following Active Directory query:

    Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"

After installing the Windows updates that are dated on or after November 8, 2022, the following registry key is available for the Kerberos protocol:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC

Note If you need to change the default Supported Encryption Type for an Active Directory user or computer, manually add and configure the registry key to set the new Supported Encryption Type.
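The bit test behind the Active Directory query above, as an added example that is not Microsoft's code: it decodes an msDS-supportedEncryptionTypes value and applies the same "DES / RC4 set, no AES" condition. The function name and the sample accounts are assumptions constructed for illustration.

```powershell
# Bit flags of msDS-supportedEncryptionTypes; only the five bits the query tests are decoded.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

# Hypothetical helper (the name is an assumption): applies the same test as the
# filter "-bor 0x7 -and -not ... -bor 0x18" to one attribute value.
function Test-WeakOnlyEncTypes {
    param(
        [string]$Name,
        [int]$Value = 0      # 0 = nothing explicitly set on the account
    )

    # Collect the names of every decoded bit that is set.
    $names = @()
    foreach ($entry in $EncTypeBits.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $names += $entry.Key }
    }

    $hasWeak = ($Value -band 0x07) -ne 0   # any of DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC
    $hasAes  = ($Value -band 0x18) -ne 0   # any of AES128, AES256

    [pscustomobject]@{
        Name     = $Name
        Value    = '0x{0:X}' -f $Value
        EncTypes = if ($names.Count) { $names -join ', ' } else { '(not set)' }
        Flagged  = $hasWeak -and -not $hasAes   # the accounts the query returns
    }
}

# Constructed sample accounts, not taken from a real directory.
$sample = @(
    [pscustomobject]@{ Name = 'svc-legacy'; EncTypes = 0x04 }   # RC4 only
    [pscustomobject]@{ Name = 'svc-des';    EncTypes = 0x03 }   # both DES types
    [pscustomobject]@{ Name = 'svc-mixed';  EncTypes = 0x1C }   # RC4 plus AES
    [pscustomobject]@{ Name = 'svc-aes';    EncTypes = 0x18 }   # AES only
    [pscustomobject]@{ Name = 'svc-unset';  EncTypes = 0 }      # attribute not set
)

$sample |
    ForEach-Object { Test-WeakOnlyEncTypes -Name $_.Name -Value $_.EncTypes } |
    Format-Table -AutoSize
```

Only accounts with at least one of the low three bits set and neither AES bit set come back flagged; an account that lists RC4 alongside AES, or has no explicit value, is not matched by the query.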