Secure Bits
Want to disable RC4 and enforce AES in Kerberos?
You should, but don't do it blindly.
Enforcing strong authentication (like AES-only Kerberos) is an important part of modern Security Baselines, just like LDAP signing or NTLM hardening. But in older environments, RC4 is still widely used, and flipping the switch can break things fast.
Don't deploy security baselines without visibility first.
Here's how to safely track Kerberos encryption usage:
1. Enable the following audit policies:
- Advanced Audit Policy Configuration → Account Logon
- Audit Kerberos Authentication Service
- Audit Kerberos Service Ticket Operations
This enables Event IDs 4768 and 4769, which log:
- Ticket Encryption Type
- Pre-Authentication Encryption Type
And since Jan 2025, extra fields like:
- Advertised Etypes
- Supported Encryption Types
- Available Keys
Once you see which accounts still rely on RC4, you can fix them, and safely enforce AES across the domain.
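As an added example (not part of the original post), here is a PowerShell snippet that reads the 4768/4769 events the audit policies above produce and lists the accounts and services still being issued RC4 (or DES) tickets. It assumes read access to a domain controller's Security log; the parameter names, time window and output columns are my own choices, while the etype codes are the ones Microsoft documents for the TicketEncryptionType field.

```powershell
# Added example, not the original post's code: list accounts and services that
# still receive RC4 (or DES) Kerberos tickets, using the 4768/4769 events that
# the audit policies above produce. Needs read access to a DC's Security log;
# the parameter names and the time window are my own choices.
param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

# Encryption type codes as written to the TicketEncryptionType field
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC';  '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'; '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC';     '0x18' = 'RC4-HMAC-EXP'
}
$WeakEtypes = @('0x1', '0x3', '0x17', '0x18')

$filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }

$tickets = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read the named EventData fields from the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $data['TargetUserName']
            Service = $data['ServiceName']   # krbtgt for 4768 (TGT), the SPN owner for 4769
            Client  = $data['IpAddress']
            Etype   = $data['TicketEncryptionType']
        }
    }

# One row per account/service pair that still depends on a weak etype
$tickets |
    Where-Object { $WeakEtypes -contains $_.Etype } |
    Group-Object Account, Service |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Account  = $first.Account
            Service  = $first.Service
            Etype    = $EtypeNames[$first.Etype]
            Tickets  = $_.Count
            LastSeen = ($_.Group.Time | Sort-Object)[-1]
            Clients  = ($_.Group.Client | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Tickets -Descending | Format-Table -AutoSize
```

Run it on each DC (or point -ComputerName at each in turn), since every DC only logs the tickets it issued itself; the Service column tells you whether the RC4 dependency is the account's own TGT (krbtgt) or a specific service account's SPN.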
Audit first. Enforce later. Break nothing.
I'll continue this series on real-world challenges when applying security baselines, and how to do it without breaking legacy systems.
