CCE-47787-7 | Platform: cpe:/o:microsoft:windows_server_2016 | Date: (C)2022-09-02 (M)2023-07-04 |
This policy setting allows you to set the encryption types that Kerberos is allowed to use.
If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Countermeasure:
Restrict the allowed encryption types to match your organization's policies.
Potential Impact:
If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Configure encryption types allowed for Kerberos
(2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!SupportedEncryptionTypes
Parameter:
[AES128_HMAC_SHA1,AES256_HMAC_SHA1,Future encryption types/disabled]
Technical Mechanism:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Configure encryption types allowed for Kerberos
(2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!SupportedEncryptionTypes
CCSS Severity:
CCSS Score: 8.1
Exploit Score: 2.2
Impact Score: 5.9
Severity: HIGH
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:83721 |