AD Starter Scan - Weak Kerberos encryption

medium Nessus Plugin ID 150481

Synopsis

A weak Kerberos algorithm is configured on a user account.

Description

Active Directory uses the Kerberos protocol for authentication. As it is an old protocol, numerous security hardening measures have been taken since its creation, and some legacy options must be disabled to ensure proper security posture.

The original specifications of the Kerberos 5 network authentication protocol [RFC1510] support only DES for encryption.
For many years now, the cryptographic community has regarded DES as insecure, mostly because of its small key size. As a result, DES is now a deprecated and unsafe cryptographic cipher. Even though it can be used by Kerberos in Active Directory, it should be disabled.

By default, this check skips disabled accounts. To also check disabled accounts, please enable thorough tests.

Note: The AD Starter Scan and associated plugins are intended to be used with smaller AD deployments for purposes of preliminary analysis. Accurate preliminary analysis can be expected for AD deployments with up to 5000 users, groups or machines and incomplete results will be returned for larger AD deployments with Nessus, Security Center and Vulnerability Management. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

The Kerberos protocol should not be configured to use DES algorithm. Nowadays, this is properly configured by default and is correctly disabled, but some legacy accounts might still have this configuration set.

See Also

http://www.nessus.org/u?14c411d0

https://tools.ietf.org/html/rfc4120

https://www.kerberos.org/software/tutorial.html

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: Medium

ID: 150481

File Name: adsi_kerberos_enc.nbin

Version: 1.111

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 11/22/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by tenable.

CVSS v2

Risk Factor: Medium

Base Score: 4.1

Vector: CVSS2#AV:L/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 4.5

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: ldap_enum_person/available