Configuring Group policy using powershell to disable RC4 Kerberos etype


Niranjan MR

I am trying to come up with a PowerShell script to disable the RC4 Kerberos encryption type on Windows 2012 R2 (assuming it's similar in Windows 2016 and 2019).

On Windows 2012 R2, I checked the below setting:

Approach 1:

Administrative Tools -> Group Policy Management -> Edit Default Domain Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Configure encryption types allowed for Kerberos" set to "Enabled" with only the following selected: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types.

I came up with the script below:

# PowerShell script to disable the RC4 encryption type for Kerberos exchanges
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Define variables
$GPOName = 'Disable-RC4-etype'
$basedn = ( [ADSI]"LDAP://RootDSE" ).defaultNamingContext.Value   # domain DN (not used further below)

# Create the new GPO (note: it is only created here, not linked with New-GPLink)
$GPO = New-GPO -Name $GPOName

# SupportedEncryptionTypes is a bitmask: DES_CBC_CRC=0x1, DES_CBC_MD5=0x2,
# RC4_HMAC_MD5=0x4, AES128=0x8, AES256=0x10, Future encryption types=0x7FFFFFE0.
# AES128 + AES256 + Future = 0x7FFFFFF8 (2147483640); a value of 31 would also
# include RC4 and both DES types, so it does not match the intent above.
Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
    -Type DWord -ValueName 'SupportedEncryptionTypes' -Value 2147483640 | Out-Null

After updating the GPO using "gpupdate /force", and clicking on Group Policy Objects to check the setting under the defined Group Policy, I still see "Network security: Configure encryption types allowed for Kerberos" as Not Defined.
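As an added example (not the author's script), the following PowerShell builds the SupportedEncryptionTypes bitmask from named etypes, decodes a value such as the 31 used above to show which etypes it really enables, and reads back the value a client actually received after gpupdate. The bit values are the documented ones for this setting; the registry path is the one from the post, and the function names are this example's own.

```powershell
# Added example: build/decode the Kerberos SupportedEncryptionTypes bitmask and
# verify what a machine applied. Bit values are the documented ones for this
# policy; function names and the verification step are this example's own.

$EtypeBits = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
    FutureEncryptionTypes   = 0x7FFFFFE0
}

function New-KerberosEtypeMask {
    # Returns the DWORD that allows exactly the named encryption types.
    param([Parameter(Mandatory)][string[]]$Allow)
    $mask = 0
    foreach ($name in $Allow) {
        if (-not $EtypeBits.Contains($name)) { throw "Unknown etype '$name'" }
        $mask = $mask -bor $EtypeBits[$name]
    }
    return [int64]$mask
}

function Get-KerberosEtypeNames {
    # Decodes a mask so you can see which etypes a value really enables.
    param([Parameter(Mandatory)][int64]$Mask)
    $EtypeBits.Keys | Where-Object { ($Mask -band $EtypeBits[$_]) -ne 0 }
}

# AES-only plus future types is what the GUI writes for the setting described
# in the post: 0x7FFFFFF8 (2147483640), not 31.
$aesOnly = New-KerberosEtypeMask -Allow 'AES128_CTS_HMAC_SHA1_96','AES256_CTS_HMAC_SHA1_96','FutureEncryptionTypes'
"Mask to deploy: 0x{0:X} ({0})" -f $aesOnly

# Decoding 31 shows why that value does not disable RC4 (or DES).
"Value 31 enables: " + ((Get-KerberosEtypeNames -Mask 31) -join ', ')

# After gpupdate, confirm the value the client received. No value means no
# policy reached this host (for example, the GPO was never linked).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$applied = (Get-ItemProperty -Path $policyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $applied) { "SupportedEncryptionTypes is not set by policy on this host" }
else { "Applied: 0x{0:X} -> {1}" -f $applied, ((Get-KerberosEtypeNames -Mask $applied) -join ', ') }
```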
