Forum Discussion

JG-Burke's avatar
JG-Burke
Brass Contributor
Oct 13, 2022

Remediating - Stop Weak Cipher Usage

Description
Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activities that are using weak ciphers as a misconfiguration or as a deliberate security downgrade.
 
Under Exposed Identities it shows Protocol Kerberos and Cipher Rc4HMac.
 
Attempted resolution:
In AD - set "This account supports Kerberos AES 256 bit encryption". (and turned on 128 bit)
 
It has been several days and the vulnerability is not clearing for any accounts.
 
I also applied a GPO to all workstations:
Policy Setting
Network security: Configure encryption types allowed for KerberosEnabled
DES_CBC_CRCDisabled
DES_CBC_MD5Disabled
RC4_HMAC_MD5Disabled
AES128_HMAC_SHA1Enabled
AES256_HMAC_SHA1Enabled
Future encryption typesEnabled
 
Any other suggestions?
identity protection
microsoft 365 defender
  • Or Tsemah's avatar
    Or Tsemah
    Icon for Microsoft rankMicrosoft
    Nov 06, 2022

    JG-Burke 

    Hi, if you are certain that the AES configuration for the affected account are correct but it does not disappear from the improvement action list of exposed entities, please open a support case so we can troubleshoot properly.

     

    Thanks, Or Tsemah

    • JG-Burke's avatar
      JG-Burke
      Brass Contributor
      Dec 14, 2022
      Thanks -- They have started clearing. I guess they have to change their password before the change kicks in and they are removed from the vulnerability list.

Resources