Network Security: Configure encryption types allowed for Kerberos
ID: oval:org.secpod.oval:def:8797 | Date: (C)2013-01-21 (M)2023-05-09
Class: COMPLIANCE | Family: windows
The Network Security: Configure encryption types allowed for Kerberos setting should be configured correctly.
Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES encryption suites. This policy is supported on at least Windows 7 or Windows Server 2008 R2. When this policy setting is not defined, all encryption types except DES are available for encryption. Users can define this policy setting to enable or disable each individual encryption type, including DES.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Configure encryption types allowed for Kerberos
(2) KEY: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
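The following PowerShell check is an added example, not part of the OVAL definition. It reads the registry value named in (2) and reports which encryption types it enables and whether DES is among them. The function name Test-KerberosEncTypes is hypothetical, the bit values are taken from Microsoft's documentation of the SupportedEncryptionTypes bitmask rather than from this page, and the two sample values are constructed.

```powershell
# Registry location from the Fix section above.
$KeyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit assignments per Microsoft's documentation (assumption: not stated on this page).
$EncTypes = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}
$FutureMask = 0x7FFFFFE0   # "Future encryption types" checkbox
$DesMask    = 0x3          # both DES suites

function Test-KerberosEncTypes {
    param([int]$Value, [switch]$FromRegistry)

    if ($FromRegistry) {
        $prop = Get-ItemProperty -Path $KeyPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Policy not defined: per the description, everything except DES is available.
            return [pscustomobject]@{ Defined = $false; Value = $null; Enabled = @(); DesEnabled = $false }
        }
        $Value = [int]$prop.SupportedEncryptionTypes
    }

    # Decode the bitmask into the names of the enabled encryption types.
    $enabled = @($EncTypes.Keys | Where-Object { $Value -band $EncTypes[$_] })
    if ($Value -band $FutureMask) { $enabled += 'Future encryption types' }

    [pscustomobject]@{
        Defined    = $true
        Value      = '0x{0:X8}' -f $Value
        Enabled    = $enabled
        DesEnabled = [bool]($Value -band $DesMask)
    }
}

# Live check against the local policy key.
Test-KerberosEncTypes -FromRegistry

# Constructed sample values: everything except DES, then a mask that still allows DES.
Test-KerberosEncTypes -Value 0x7FFFFFFC
Test-KerberosEncTypes -Value 0x1F
```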
Platform: Microsoft Windows Server 2008 R2