Microsoft Security Advisory 3057154

Update to Harden Use of DES Encryption

Published: July 14, 2015 | Updated: December 8, 2015

Version: 1.1

Executive Summary

Microsoft is announcing the availability of an update to harden scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts, to ensure that domain users, services, and computers that support other encryption types are not vulnerable to credential theft or elevation of privilege attacks. DES is considered a weak cipher due to well-known brute force and faster-than-brute-force attacks. The cryptographic algorithm has also been removed from the standard [RFC 6649]. To further protect our users, Microsoft has disabled DES by default in Windows 7 and Windows Server 2008 R2 and later operating systems. However, this update does allow DES to be used between client and server to address scenarios in which DES is still required for application compatibility reasons. The improvement is part of ongoing efforts to bolster the effectiveness of encryption in Windows while still supporting legacy line-of-business (LOB) applications.

The following accounts can never use DES to protect TGTs and service tickets because all Windows domain controllers that support the Kerberos protocol also support at least RC4:

  • krbtgt account
  • Domain controller accounts

In addition, the following accounts cannot use DES to protect TGTs and service tickets unless DES is the only supported encryption type:

  • computer accounts
  • service accounts
  • trust accounts
  • user accounts

For additional details and deployment guidance, see Microsoft Knowledge Base Article 3057154.
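The account rules above can be turned into an audit check. The following is an added example, not code from the advisory or from Microsoft: it models the rule (krbtgt and domain controller accounts never use DES; other account classes use it only when DES is the sole supported type) against constructed account records carrying an msDS-SupportedEncryptionTypes bitmask, and flags the accounts the update cannot move off DES. The bit values follow MS-KILE; the account records and the "absent attribute means no bits set" handling are assumptions for the example.

```python
from dataclasses import dataclass

# Bit values of the msDS-SupportedEncryptionTypes attribute (MS-KILE 2.2.7).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS = 0x08
AES256_CTS = 0x10
DES_MASK = DES_CBC_CRC | DES_CBC_MD5
KNOWN_MASK = DES_MASK | RC4_HMAC | AES128_CTS | AES256_CTS
NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS: "AES256-CTS-HMAC-SHA1-96",
}


@dataclass
class Account:
    sam: str
    kind: str      # one of: krbtgt, dc, computer, service, trust, user
    enctypes: int  # msDS-SupportedEncryptionTypes; 0 stands for an absent attribute


def decode(enctypes: int) -> list:
    """Human-readable list of the encryption types set in the bitmask."""
    return [name for bit, name in NAMES.items() if enctypes & bit]


def des_used_for_tickets(acct: Account) -> bool:
    """True if, under the advisory's rules, DES would still protect this
    account's TGTs or service tickets after the update is applied."""
    if acct.kind in ("krbtgt", "dc"):
        return False  # every Kerberos DC supports at least RC4
    supports_des = bool(acct.enctypes & DES_MASK)
    has_stronger = bool(acct.enctypes & KNOWN_MASK & ~DES_MASK)
    return supports_des and not has_stronger  # DES only when nothing else is offered


def audit(accounts) -> list:
    """sAMAccountNames of accounts that remain DES-only (the ones to remediate)."""
    return [a.sam for a in accounts if des_used_for_tickets(a)]


# Constructed sample directory data for the example.
SAMPLE = [
    Account("krbtgt", "krbtgt", DES_MASK),
    Account("DC01$", "dc", DES_CBC_MD5 | RC4_HMAC),
    Account("legacy-lob$", "computer", DES_CBC_CRC | DES_CBC_MD5),
    Account("svc-sql", "service", DES_CBC_MD5 | RC4_HMAC | AES256_CTS),
    Account("jdoe", "user", 0),
    Account("CONTOSO$", "trust", DES_CBC_CRC),
]
```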

Affected Software

| Operating System |
|------------------|
| Windows Server 2003 Service Pack 2 |
| Windows Server 2003 R2 Service Pack 2 |
| Windows Server 2003 x64 Edition Service Pack 2 |
| Windows Server 2003 R2 x64 Edition Service Pack 2 |
| Windows Server 2003 with SP2 for Itanium-based Systems |
| Windows Vista Service Pack 2 |
| Windows Vista x64 Edition Service Pack 2 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 |
| Windows Server 2008 for x64-based Systems Service Pack 2 |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 |
| Windows 7 for 32-bit Systems Service Pack 1 |
| Windows 7 for x64-based Systems Service Pack 1 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 |
| Windows 8 for 32-bit Systems |
| Windows 8 for x64-based Systems |
| Windows 8.1 for 32-bit Systems |
| Windows 8.1 for x64-based Systems |
| Windows Server 2012 |
| Windows Server 2012 R2 |
| Windows RT |
| Windows RT 8.1 |
| Server Core installation option |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) |
| Windows Server 2012 (Server Core installation) |
| Windows Server 2012 R2 (Server Core installation) |

Advisory FAQ

What is the scope of the advisory? 
To announce the availability of an update to harden scenarios in which Data Encryption Standard (DES) encryption keys are allowed for domain accounts.

What does the update do? 
The update allows clients to still access services that use DES without allowing them to use DES with the Kerberos Key Distribution Center (KDC).

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (July 14, 2015): Advisory published.
  • V1.1 (December 8, 2015): Advisory updated to include more information about disabling DES by default in Windows 7 and Windows Server 2008 R2 and later operating systems. The update allows DES to be used between client and server to address scenarios in which DES is still required for application compatibility reasons.

Page generated 2015-12-03 13:53Z-08:00.