Niranjan MR
I am trying to come up with a PowerShell script to disable the RC4 Kerberos encryption type on Windows 2012 R2 (assuming it's similar in Windows 2016 and 2019).
On Windows 2012 R2, I checked the setting below:
Approach 1:
Administrative Tools -> Group Policy Management -> Edit Default Domain Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Configure encryption types allowed for Kerberos" set to "Enabled" with only the following selected: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types.
I came up with the script below:
#Powershell script to disable RC4 encryption type when doing kerberos exchanges
Import-Module ActiveDirectory
Import-Module GroupPolicy
# Define variables
$GPOName = 'Disable-RC4-etype'
$basedn = ( [ADSI]"LDAP://RootDSE" ).defaultNamingContext.Value
#create New GPO
$GPO = New-GPO -Name $GPOName
Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer `
-Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\kerberos\parameters' `
-Type DWord -ValueName 'supportedencryptiontypes' -Value 31 | out-null
After updating the GPO using "gpupdate /force", clicking on Group Policy Objects and checking the setting under the defined Group Policy, I still see "Network security: Configure encryption types allowed for Kerberos" as Not Defined.
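An added example, not the poster's script, showing the policy-side approach. Set-GPPrefRegistryValue creates a Group Policy Preferences registry item (Preferences > Windows Settings > Registry), not a policy setting, which is why the Security Option still reads Not Defined; Set-GPRegistryValue writes the registry-based policy entry instead. The example also builds the bitmask from encryption-type names, because the value 31 (0x1F) sets the DES and RC4 bits as well as the AES bits and so still allows RC4. The GPO name, registry key and domain-root link come from the post; the $EtypeFlags table and Get-KerberosEtypeMask are the example's own names.

```powershell
# Added example: set the Kerberos SupportedEncryptionTypes policy (not a Preference) via GPO.
Import-Module GroupPolicy

$GPOName = 'Disable-RC4-etype'
$KerbKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$basedn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value   # domain root, as in the post

# Bit flags of SupportedEncryptionTypes. 31 = 0x1F = DES_CBC_CRC + DES_CBC_MD5 + RC4 + AES128 + AES256,
# i.e. it keeps RC4 (and DES) enabled. AES128 + AES256 + Future = 0x7FFFFFF8.
$EtypeFlags = @{
    'DES_CBC_CRC'      = 0x1
    'DES_CBC_MD5'      = 0x2
    'RC4_HMAC_MD5'     = 0x4
    'AES128_HMAC_SHA1' = 0x8
    'AES256_HMAC_SHA1' = 0x10
    'FUTURE'           = 0x7FFFFFE0
}

function Get-KerberosEtypeMask {
    # OR together the flags of the allowed types; anything not listed (here RC4 and DES) is disallowed.
    param([string[]]$Allowed)
    $mask = 0
    foreach ($e in $Allowed) {
        if (-not $EtypeFlags.ContainsKey($e)) { throw "Unknown encryption type '$e'" }
        $mask = $mask -bor $EtypeFlags[$e]
    }
    return $mask
}

$mask = Get-KerberosEtypeMask -Allowed 'AES128_HMAC_SHA1','AES256_HMAC_SHA1','FUTURE'   # 2147483640

# Reuse the GPO if it already exists, otherwise create it.
$gpo = Get-GPO -Name $GPOName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GPOName }

# Policy entry (registry.pol) rather than a Preferences item.
Set-GPRegistryValue -Name $GPOName -Key $KerbKey -ValueName 'SupportedEncryptionTypes' `
    -Type DWord -Value $mask | Out-Null

# Link to the domain root once (assumption: a domain-wide rollout is intended, as in the post).
$linked = (Get-GPInheritance -Target $basedn).GpoLinks | Where-Object { $_.DisplayName -eq $GPOName }
if (-not $linked) { New-GPLink -Name $GPOName -Target $basedn -LinkEnabled Yes | Out-Null }

# Read the value back from the GPO to confirm what will be applied.
$v = Get-GPRegistryValue -Name $GPOName -Key $KerbKey -ValueName 'SupportedEncryptionTypes'
'{0} = 0x{1:X8} ({1})' -f $v.ValueName, $v.Value

# After "gpupdate /force" on a member, the same value should be present locally:
# Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" -Name SupportedEncryptionTypes
```

GPMC reports a registry.pol entry under Extra Registry Settings rather than in the Security Options view, which reads the GPO's GptTmpl.inf, so the Security Option may still display as Not Defined even though the registry value is applied on targeted machines.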