The use of DES encryption suites must not be allowed for Kerberos encryption.


Overview

Finding ID: V-21954
Version: WN12-SO-000064
Rule ID: SV-53179r2_rule
IA Controls:
Severity: Medium
Description
Certain encryption types are no longer considered secure. By default, Windows 2012/R2 does not use the DES encryption suites. If the configuration of allowed Kerberos encryption suites is needed, the DES encryption suites must not be included.
STIG Date
Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide 2016-07-22

Details

Check Text ( None )
None
Fix Text (F-66513r3_fix)
The default system configuration does not use DES encryption for Kerberos and supports this requirement. If Kerberos encryption types must be configured, ensure the following are not selected:

DES_CBC_CRC
DES_CBC_MD5

If the policy for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" is configured, only the following selections are allowed:

RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
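
A check for the requirement above, as an added example that is not part of the STIG text. The registry key, value name and bit values are those Windows uses to store this policy setting and are not stated on this page; the function name Test-KerberosEncTypes is hypothetical.

```powershell
# Added example, not STIG content. Assumption: the policy is stored as the
# REG_DWORD bitmask SupportedEncryptionTypes under the key below.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$ValueName = 'SupportedEncryptionTypes'

# One bit (or bit range) per checkbox in the policy dialog.
$EncTypes = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}
$DesMask = 0x1 -bor 0x2

function Test-KerberosEncTypes {
    param([Nullable[int]]$Value)

    if ($null -eq $Value) {
        # Policy not configured: the system default applies, which does not use DES.
        return [pscustomobject]@{ Configured = $false; Selected = @(); Compliant = $true }
    }
    # Decode the bitmask back into the names shown in the policy dialog.
    $selected = @($EncTypes.Keys | Where-Object { ($Value -band $EncTypes[$_]) -ne 0 })
    [pscustomobject]@{
        Configured = $true
        Selected   = $selected
        Compliant  = (($Value -band $DesMask) -eq 0)   # fails if either DES bit is set
    }
}

# Evaluate the local system.
$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$raw  = if ($item) { [int]$item.$ValueName } else { $null }
Test-KerberosEncTypes -Value $raw

# Constructed sample values, to show both outcomes:
Test-KerberosEncTypes -Value 0x7FFFFFFC   # RC4 + AES128 + AES256 + Future
Test-KerberosEncTypes -Value 0x1F         # DES_CBC_CRC and DES_CBC_MD5 also selected
```

When the value is absent the function reports the policy as not configured and treats it as compliant, matching the fix text's statement that the default configuration supports the requirement.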