UCF STIG Viewer Logo

Kerberos encryption types must be configured to prevent the use of DES encryption suites.


Overview

Finding ID Version Rule ID IA Controls Severity
V-21954 WN12-SO-000064 SV-53179r1_rule ECSC-1 Medium
Description
Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES encryption suites.
STIG Date
Windows Server 2012 Member Server Security Technical Implementation Guide 2014-01-07

Details

Check Text ( C-47485r2_chk )
Verify that DES encryption types are not allowed for Kerberos.

If the following registry value does not exist, this is not a finding:

If the registry value does exist and is configured as specified, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Sofware\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\

Value Name: SupportedEncryptionTypes

Type: REG_DWORD
Value: 1, 2, or 3 are a finding.
Fix Text (F-46105r1_fix)
The default configuration supports this requirement. If Kerberos encryption types must be configured, ensure that the following are not selected:

DES_CBC_CRC
DES_CBC_MD5

If the policy for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Configure encryption types allowed for Kerberos" is configured, only the following selections are allowed:

RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types