It’s Time to Deploy Kerberos Armoring

It doesn’t matter whether you refer to it as Kerberos Armoring, Flexible Authentication Secure Tunneling (FAST), RFC4581, RFC6113, or Kerberos pre-authentication… it is time to deploy it in your Active Directory environments.

Note:
EAP-FAST is the authentication method described in RFC4581. Kerberos Armoring is Microsoft’s implementation of this standard.

About Kerberos Armoring

Kerberos Armoring is a security feature in Active Directory Domain Services that was introduced with Windows Server 2012. This new feature solves common security problems with Kerberos and also makes sure clients do not fall back to less secure legacy protocols or weaker cryptographic methods.

Kerberos Armoring is part of the framework for Kerberos Pre-authentication. According to the RFC, it provides a protected channel between the client and the Key Distribution Center (KDC). In Active Directory speak, a KDC is a domain controller. When enabled, it can deliver key material used to strengthen the reply key within the protected channel.

With Kerberos Armoring in place, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm. With Kerberos Armoring enabled and required, brute forcing the reply key is no longer possible and the highest possible cryptographic protocols and cipher strengths are guaranteed to be used by Windows-based clients in their pre-authentication traffic with Windows Server 2012-based Domain Controllers (and up).

When FAST is required, it paves the way to the Compound Authentication functionality in Dynamic Access Control (DAC), allowing authorization based on the combination of both user claims and device claims.

Why It Is Time

In the September 2022 cumulative updates for all supported Windows Server versions, two vulnerabilities were addressed in Windows Kerberos, that could lead to successful Adversary in the Middle (AitM) attacks and subsequent SYSTEM privileges, when Kerberos Armoring is not enabled:

• CVE-2022-33647 Windows Kerberos Elevation of Privilege Vulnerability
• CVE-2022-33679 Windows Kerberos Elevation of Privilege Vulnerability

For CVE-2022-33679, specifically, for a user object to be vulnerable its Do not require Kerberos preauthentication option needs to be enabled and must have been configured with a RC4 key.

Both vulnerabilities are addressed with the September 2022 cumulative updates, but these vulnerabilities tell a cautionary tale to all Active Directory admins, that their Active Directory is (and remains) exposed to many flaws in both the Kerberos protocol and Microsoft’s implementation of Windows Kerberos. Kerberos was never envisioned to be used the way we use it today.

Microsoft has made many improvements in Active Directory over the last two decades. Especially, Windows Server 2012 stands out, as it contains a lot of security enhancements for real-world Kerberos environments. One of these 10-year-old enhancements is the topic for today.

Requirements for Kerberos Armoring

To be able to use Kerberos Armoring, the following requirements need to be met:

1. All domain controllers in the domain need to run at least Windows Server 2012
2. The Active Directory domain needs to run the Windows Server 2012 Domain Functional Level (DFL), or up.
3. Devices in scope for FAST need to run Windows 8, or up.

Enabling Kerberos Armoring

Enabling Kerberos Armoring consists of changes to all the domain members and changes on the domain controllers. The best way to do so in my opinion is using Group Policy.

ENABLING KERBEROS ARMORING ON DOMAIN MEMBERS

To enable Kerberos Armoring on all domain members, perform these steps:

• Sign in interactively to a domain-joined Windows-based host that has the Group Policy Management feature installed.
• Open Group Policy Management (gpmc.msc).
• In the left navigation pane, expand the Forest node.
• Expand the Domains node, and then navigate to the domain where you want to enable Kerberos Armoring.
• Expand the domain name.
• Right-click the Group Policy Objects node and select New from the menu. The New GPO pop-up window appears.
• In the New GPO pop-up window, fill in the name: field for the GPO. Make sure that you don't select a source starter GPO.
• Click OK to create the GPO.
• In the left navigation pane, right-click the newly created GPO and select Edit… from the menu. The Group Policy Management Editor window appears.
• In the left navigation pane of the Group Policy Management Editor window, expand Computer Configuration, then Administrative Templates, System and finally Kerberos.
• In the main pane, double-click the Kerberos client support for claims, compound authentication and Kerberos armoring policy setting. The Kerberos client support for claims, compound authentication and Kerberos armoring window appears:

• Select the Enabled option.
• Click OK to save the setting.
• Close the Group Policy Management Editor window.
• In the Group Policy Management window, right-click the organizational unit (OU) that contains domain-joined devices and/or domain-joined servers.
• Right-click the OU and select Link an Existing GPO… from the menu. The Select GPO window appears.
• In the Select GPO window, select the previously created GPO from the Group Policy objects: list.
• Click OK to link the GPO.
• Repeat these last four steps to apply the Group Policy object to all OUs with domain-joined hosts.

REQUIRING KERBEROS ARMORING FROM THE DOMAIN CONTROLLERS

To require Kerberos Armoring from the Domain Controllers, perform these steps:

• Sign in interactively to a domain-joined Windows-based host that has the Group Policy Management feature installed.
• Open Group Policy Management (gpmc.msc).
• In the left navigation pane, expand the Forest node.
• Expand the Domains node, and then navigate to the domain where you want to enable Kerberos Armoring.
• Expand the domain name.
• Right-click the Group Policy Objects node and select New from the menu.
• The New GPO pop-up window appears.
• In the New GPO pop-up window, fill in the name: field for the GPO. Make sure that you don't select a source starter GPO.
• Click OK to create the GPO.
• In the left navigation pane, right-click the newly created GPO and select Edit… from the menu. The Group Policy Management Editor window appears.
• In the left navigation pane of the Group Policy Management Editor window, expand Computer Configuration, then Administrative Templates, System and finally KDC.
• In the main pane, double-click the KDC support for claims, compound authentication and Kerberos armoring policy setting. The KDC support for claims, compound authentication and Kerberos armoring window appears:

• Select the Enabled option.
• From the drop-down list, select Fail unarmored authentication requests.
• Click OK to save the setting.
• In the main screen, also double-click the Fail authentication requests when Kerberos armoring is not available policy setting.
• Select the Enabled option.
• Click OK to save the setting.
• Close the Group Policy Management Editor window.
• In the Group Policy Management window, right-click the Domain Controllers organizational unit (OU).
• Right-click the OU and select Link an Existing GPO… from the menu. The Select GPO window appears.
• In the Select GPO window, select the previously created GPO from the Group Policy objects: list.
• Click OK to link the GPO.

Concluding

Kerberos v5 originates in 1993 and was envisioned as a protocol for safe networks. Any admin who has ever experienced a ransomware attack can tell you that there is no such thing as a safe network. Now is the time for Active Directory admins to effectuate this sentiment and harden domain controllers.

Active Directory Monitoring and Reporting

Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.

Access your FREE 14-day trial to accelerate your security awareness and simplify your compliance audits. Includes entire library of reports.