Lessons in Disabling RC4 in Active Directory
3 days ago
- #Active Directory
- #RC4
- #Kerberos
- RC4 is a stream cipher: like a one-time pad it XORs a keystream into the plaintext, but the keystream is expanded from a short key and has well-known statistical weaknesses.
- Disabling RC4 in Active Directory can cause operational issues, not because the cipher is weak but because its Kerberos key is derived differently from the AES keys (it is the unsalted NT hash), so RC4 and AES do not fail in the same way during a transition.
- RC4's weaknesses include biases in its key-scheduling algorithm and in the keystream itself, which let an attacker recover plaintext after observing enough data encrypted under the same or related keys.
- Active Directory adopted RC4-HMAC so that an account's existing NT hash could serve directly as its Kerberos key, allowing the migration from NTLM to Kerberos without forcing password changes.
- The RC4-HMAC key in Kerberos needs no salt, whereas the AES keys are derived from the password with a salt (by default built from the realm and the principal name), which complicates the transition when RC4 is disabled.
- Keytabs are a common failure point: if a keytab's AES keys were derived with a salt that does not match the one the DC used when the password was set (typically because the account or realm was renamed afterwards), only the RC4 key still matches, and disabling RC4 removes the last working encryption type. Regenerating the keytab after a password reset, or with the DC's actual salt, resolves this.
- The domain Administrator account created during the first DC promotion is a critical edge case: an account whose password was last set before the domain generated AES keys has only an RC4 (NT hash) key, so once RC4 is disabled it cannot authenticate with Kerberos until its password is reset.
- Microsoft's guidance on disabling RC4 stresses careful planning: inventory which accounts and services still hold only RC4 keys or advertise only RC4 in msDS-SupportedEncryptionTypes, and understand what depends on them before turning it off.
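The salt and keytab points above, as an added worked example (this is the editor's code, not from the original post or from Microsoft). It derives the RC4-HMAC key (the NT hash, RFC 4757) and the PBKDF2 stage of the AES string-to-key function (RFC 3962) for a constructed account, then models what happens when a keytab is generated after the account was renamed: the RC4 key still matches, the AES keys do not. Assumptions: the default AD salt rule from MS-KILE 3.1.1.2, a keytab tool that derives keys from the password and the current name (ktutil-style) unless told the real salt, and the sample realm, names and password, which are constructed. MD4 is implemented inline because hashlib may not expose it under OpenSSL 3.

```python
"""RC4-HMAC vs AES Kerberos key derivation in AD, and why a rename breaks one but not the other.
Editor's example; realm, account names and password below are constructed, not real."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
ETYPES = ("rc4-hmac", "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Plain RFC 1320 MD4 (needed for the NT hash)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority(b, c, d), words in column order
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = b ^ c ^ d, bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC key == NT hash == MD4(UTF-16LE(password)): no salt, no iteration count,
    so neither the account name nor the realm is an input."""
    return md4(password.encode("utf-16-le"))


def ad_default_salt(realm: str, sam_account_name: str) -> bytes:
    """AD's default AES salt (MS-KILE 3.1.1.2): users get REALM + sAMAccountName
    (realm upper-cased, name as stored); computer accounts (trailing '$') get
    REALM + 'host' + hostname + '.' + realm, hostname and realm in lower case."""
    realm_u = realm.upper()
    if sam_account_name.endswith("$"):
        return (realm_u + "host" + sam_account_name[:-1].lower() + "." + realm.lower()).encode()
    return (realm_u + sam_account_name).encode()


def aes_string_to_key_base(password: str, salt: bytes, bits: int = 256, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key function (AD uses 4096 iterations).
    The final step, AES-encrypting n-fold('kerberos') under this value, is a deterministic
    function of it and is omitted here: a salt difference at this stage is a different final key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, bits // 8)


def derive_keys(password: str, salt: bytes) -> dict:
    """All three long-term keys for one password/salt pair."""
    return {
        "rc4-hmac": nt_hash(password),
        "aes128-cts-hmac-sha1-96": aes_string_to_key_base(password, salt, 128),
        "aes256-cts-hmac-sha1-96": aes_string_to_key_base(password, salt, 256),
    }


def kdc_stored_keys(realm: str, name_at_password_set: str, password: str) -> dict:
    """What the DC keeps after a password set: keys plus the salt used, which it later
    advertises to clients in PA-ETYPE-INFO2. A later rename does not recompute these."""
    salt = ad_default_salt(realm, name_at_password_set)
    return {"salt": salt, "keys": derive_keys(password, salt)}


def keytab_keys(realm: str, current_name: str, password: str, salt_override: bytes = None) -> dict:
    """Assumed ktutil-style keytab generation: derive from the password and the name the
    tool sees now, unless the operator supplies the DC's real salt."""
    return derive_keys(password, salt_override or ad_default_salt(realm, current_name))


def usable_etypes(kdc: dict, keytab: dict, rc4_allowed: bool) -> list:
    """Encryption types for which the keytab key equals the DC's key, after policy filtering."""
    return [e for e in ETYPES if kdc["keys"][e] == keytab[e] and (rc4_allowed or e != "rc4-hmac")]


if __name__ == "__main__":
    kdc = kdc_stored_keys("example.com", "jdoe", "Summer2024!")      # password set while named jdoe
    kt = keytab_keys("example.com", "john.doe", "Summer2024!")        # keytab cut after rename
    print("RC4 allowed :", usable_etypes(kdc, kt, rc4_allowed=True))  # only rc4-hmac survives
    print("RC4 disabled:", usable_etypes(kdc, kt, rc4_allowed=False)) # nothing left: auth fails
    fixed = keytab_keys("example.com", "john.doe", "Summer2024!", salt_override=kdc["salt"])
    print("with DC salt:", usable_etypes(kdc, fixed, rc4_allowed=False))
```

Run it and the middle line is the outage: with the stale salt the only matching key is the RC4 one, so the keytab works right up until RC4 is disabled. Passing the salt the DC actually used (or resetting the password and regenerating the keytab) restores the AES matches. The same comparison applies to a computer account after a hostname or realm change, since its default salt embeds both.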