Restricting Kerberos Encryption types to AES on Safeguard Authentication Services (SAS) clients. RC4 removal. (4374209)

Restricting Kerberos Encryption types to AES on Safeguard Authentication Services (SAS) clients. RC4 removal.

Due to the RC4 encryption type no longer being considered secure applications have or are moving away from its use.

Steps to ensure that the Safeguard Authentication Services (SAS) application is no longer using RC4 are required.
 

RC4 support for AD Kerberos authentication is being removed as part of Microsoft's cumulative security updates.

This setup relies on the domain being set up properly to handle AES.

This includes having krbtgt and trusts set to AES and having their passwords changed to make the new keys.

The following article from Microsoft goes into further detail about DC behavior and restricting it to AES only:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

This command helps check trusts for AES enablement:

/opt/quest/bin/vastool kinit host/; for d in `/opt/quest/bin/vastool info domains`; do echo $d; /opt/quest/bin/vastool search -b "cn=system,`echo $d | sed -e 's/\(.*\)/DC=\1/' -e 's/\./,DC=/g'`" -s one "(objectClass=trustedDomain)" dn msds-supportedencryptiontypes; echo; done

If nothing is set, the default behavior depends on the Windows server version of the DC and the state of the changes from:

https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

The krbtgt account will also need to be AES enabled if not already.

Please look to Microsoft articles for further guidance on setting up AD properly for AES.

STEPS for SAS clients:

Run the following commands on each host. This could be automated in a script GPO:
# This tells AD to only give out AES128/256 encrypted tickets for the computer object host/<fqdn> service.
/opt/quest/bin/vastool -u host/ setattrs host/ msds-supportedencryptiontypes 24

# This tells SAS/vastool to only request AES tickets for user's logging in with a password.
/opt/quest/bin/vastool configure vas libdefaults default_etypes aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

# This sets up vasd to remove rc4 keys during each password change so there is no way SAS could validate an rc4 key if AD provided one.
printf '#!/bin/sh\n/opt/quest/bin/vastool ktutil remove -e arcfour-hmac-md5\n' > /opt/quest/libexec/vas/scripts/remove_rc4.sh
chmod +x /opt/quest/libexec/vas/scripts/remove_rc4.sh
/opt/quest/bin/vastool configure vas vasd password-change-script /opt/quest/libexec/vas/scripts/remove_rc4.sh

# Wait for vasd parent process to see the vas.conf changes from above before continuing
sleep 31

# Have host/ rotate it's password and impliment the new script
/opt/quest/bin/vastool -u host/ passwd -r

# Verify that there are no keys other than AES in the keytab.
/opt/quest/bin/vastool ktutil list

# Use host/ as both a user and a user logging into host/ as a service to check ticket etypes.
/opt/quest/bin/vastool kinit -S host/ host/
/opt/quest/bin/vastool klist -v

/opt/quest/bin/vastool kdestroy > /dev/null; /opt/quest/bin/vastool kinit -S host/ host/; /opt/quest/bin/vastool klist -v | grep -e "et e"  -e "on k" | sed 1,2d

NOTE: If a keytab for a service account was created with < QAS 4.1.5 the AES keys could be salted incorrectly, breaking them. The password / keytab should be re-made with a newer SAS version or generated from a Windows system.



 

438458

There are plans to implement an AES-only configuration feature in a future version of SAS. For reference, the change request ID for this feature is 438458. This KB is to assist in meeting audit requirements that are needed before that is released.