Final months for RC4

🔒 Secure Bits 💡
Final months for RC4 in Kerberos?

Microsoft is phasing out RC4 for Kerberos service tickets, and the timeline is out.

On Jan 13, 2026, an update shipped that starts the journey toward stopping default issuance of service tickets with legacy encryption (like RC4). Why? Because RC4 can still be selected by default depending on how your AD and service accounts are configured.

(Apologies, but this really could not be shorter…)
⸻

🗓️ Timeline

1️⃣ Jan 13, 2026: Initial Deployment
🔹 Adds audit/warning events for default RC4 usage
🔹 Introduces RC4DefaultDisablementPhase

2️⃣ April 2026: Second Deployment
🔹 Accounts without msds-SupportedEncryptionTypes are treated as AES
🔹 Effective behavior: RC4 no longer assumed by default
🔹 If RC4 is needed: enable it explicitly via msds-SupportedEncryptionTypes

3️⃣ July 2026: Enforcement
🔹 RC4DefaultDisablementPhase is removed
🔹 Only DefaultDomainSupportedEncTypes remains as an override (not recommended)
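Because the April phase changes what an unset msds-SupportedEncryptionTypes means, the first thing to know is which of your SPN-bearing accounts are unset, AES-only, or explicitly RC4/DES. The script below is an added example, not from the post or from Microsoft; it assumes the ActiveDirectory RSAT module and uses the documented bit values of msDS-SupportedEncryptionTypes (RC4 = 0x4, AES128 = 0x8, AES256 = 0x10). The Get-EtypeProfile function name and the "Profile" labels are my own.

```powershell
# Added example: inventory SPN-bearing AD accounts by msDS-SupportedEncryptionTypes
# so the accounts whose behaviour changes in April 2026 are visible before it happens.
Import-Module ActiveDirectory

# Documented bit flags of msDS-SupportedEncryptionTypes
$EtypeBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128_SHA1 = 0x08
    AES256_SHA1 = 0x10
    AES_SK      = 0x20   # reserved/"future" flag in Microsoft's table
}
$AesMask    = 0x18      # AES128 | AES256
$LegacyMask = 0x07      # DES | RC4

function Get-EtypeProfile {
    param([Nullable[int]]$Value)
    # Unset attribute: from April 2026 the KDC treats this account as AES.
    if ($null -eq $Value -or $Value -eq 0) { return 'Unset (treated as AES from April 2026)' }
    $names     = $EtypeBits.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Key
    $hasAes    = ($Value -band $AesMask) -ne 0
    $hasLegacy = ($Value -band $LegacyMask) -ne 0
    $profile   = if ($hasAes -and -not $hasLegacy) { 'AES-only' }
                 elseif ($hasAes)                  { 'AES+legacy (RC4/DES still allowed)' }
                 else                              { 'Legacy-only (explicit RC4/DES opt-in, review)' }
    return "$profile [$($names -join ',')]"
}

# Anything with an SPN can be issued a service ticket: service users, computers, gMSAs.
$accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties 'msDS-SupportedEncryptionTypes', sAMAccountName, objectClass

$accounts |
    Select-Object sAMAccountName, objectClass,
        @{ n = 'msDS-SET'; e = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'Profile';  e = { Get-EtypeProfile $_.'msDS-SupportedEncryptionTypes' } } |
    Sort-Object Profile, sAMAccountName |
    Format-Table -AutoSize
```

Accounts in the "Unset" group are the ones that silently flip to AES in April; if any of them only has RC4 keys (for example a password last set before AES keys existed), resetting the password generates AES keys and is the fix the post's event table points at.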

⸻

🧾 New Event IDs
(msds-SET = msds-SupportedEncryptionTypes on the service account; DDSET = DefaultDomainSupportedEncTypes on the DC)

Client-related (client-advertised encryption types)

🔸 201 / 203
• Client advertises only RC4 (Advertised Etypes)
• Service has no msds-SET
• DC has no DDSET
• RC4DefaultDisablementPhase = 1
• 201 (Warning) → becomes 203 (Error) in Enforcement
• Logged per request
• Not logged if DefaultDomainSupportedEncTypes is manually defined

🔸 206 / 208
• Client advertises only RC4
• AND either:
  • Service msds-SET = AES-SHA1 only, OR
  • DC DDSET = AES-SHA1 only
• RC4DefaultDisablementPhase = 1
• 206 (Warning) → 208 (Error) in Enforcement
• Logged per request

⸻

Service-related (service account key material / encryption configuration)

🔸 202 / 204
• Service account key material contains only RC4 keys
• Service has no msds-SET
• DC has no DDSET
• RC4DefaultDisablementPhase = 1
• 202 (Warning) → 204 (Error) in Enforcement
• Not logged if DefaultDomainSupportedEncTypes is manually defined

🔸 207 / 209
• Service account key material contains only RC4 keys
• AND either:
  • Service msds-SET = AES-SHA1 only, OR
  • DC DDSET = AES-SHA1 only
• RC4DefaultDisablementPhase = 1
• 207 (Warning) → 209 (Error) in Enforcement

⸻

DC configuration awareness

🔸 205
• DC HAS DDSET defined and it includes anything except AES-SHA1
• RC4DefaultDisablementPhase = 1 or 2
• Purpose: to highlight insecure behavior Microsoft will not "fix for you"
• Logged on KDCSVC start

⸻

If you're still relying on RC4 anywhere, now is the time to find out where and why, before April turns "warnings" into production surprises.