VMware PowerCLI


SSPI without RC4_HMAC_MD5

RC4 has been deemed insecure for years. Connect-VIServer will not pass through authentication via SSPI without RC4_HMAC_MD5 being enabled. DoD STIG requirements for Windows 2016 require that this be turned off. Please fix this.

  • Guest
  • Oct 5 2018
  • Guest commented
    05 Oct 16:46

    STIG: V-73685

    Group Title: SRG-OS-000120-GPOS-00061

    Rule Title: Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.

    Discussion: Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption.

    Check Text: If the following registry value does not exist or is not configured as specified, this is a finding.

    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\

    Value Name: SupportedEncryptionTypes

    Value Type: REG_DWORD
    Value: 0x7ffffff8 (2147483640)

    Fix Text: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected:

    AES128_HMAC_SHA1
    AES256_HMAC_SHA1
    Future encryption types

    References

    CCI: CCI-000803: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
    NIST SP 800-53 :: IA-7
    NIST SP 800-53A :: IA-7.1
    NIST SP 800-53 Revision 4 :: IA-7

    Notes: changing the registry entry to 7ffffffc or adding RC4_HMAC_MD5 to the policy settings allows PowerCLI to pass through Windows authentication via SSPI to Kerberos.
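The following is an added example and not code from the original post, from the STIG, or from VMware PowerCLI. It decodes the SupportedEncryptionTypes bitmask named in the STIG check text, runs the V-73685 check against a value, and compares the STIG-required value (0x7ffffff8) with the 0x7ffffffc value the note above says PowerCLI needs, so the difference (a single bit) is visible. The flag values are Microsoft's documented bits for the "Network security: Configure encryption types allowed for Kerberos" policy; the function names are this example's own.

```powershell
# Added example (not from the original post, the STIG, or VMware PowerCLI):
# decode and check the Kerberos SupportedEncryptionTypes bitmask from STIG V-73685.

# Documented flag bits for "Network security: Configure encryption types allowed for Kerberos".
$KerbEncTypes = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
    Future           = 0x7FFFFFF0   # "Future encryption types" in the GPO UI
}
$StigRequiredValue = 0x7FFFFFF8     # AES128 + AES256 + Future, per the STIG check text
$WeakTypes = 'DES_CBC_CRC', 'DES_CBC_MD5', 'RC4_HMAC_MD5'

function Get-KerberosEncTypeNames {
    # Return the name of every flag set in a SupportedEncryptionTypes value.
    param([Parameter(Mandatory)][uint32]$Value)
    foreach ($entry in $KerbEncTypes.GetEnumerator()) {
        if (($Value -band $entry.Value) -eq $entry.Value) { $entry.Key }
    }
}

function Test-StigKerberosEncTypes {
    # Apply the V-73685 check: a missing value, any DES/RC4 bit, or any value
    # other than 0x7ffffff8 is a finding. Returns an object for further tooling.
    param($Value)
    if ($null -eq $Value) {
        return [pscustomobject]@{ Value = $null; Enabled = @(); Finding = $true
                                  Reason = 'SupportedEncryptionTypes not set (STIG treats a missing value as a finding)' }
    }
    $v       = [uint32]$Value
    $enabled = @(Get-KerberosEncTypeNames -Value $v)
    $weak    = @($enabled | Where-Object { $_ -in $WeakTypes })
    $finding = ($weak.Count -gt 0) -or ($v -ne $StigRequiredValue)
    if ($weak.Count -gt 0)            { $reason = "weak suites enabled: $($weak -join ', ')" }
    elseif ($v -ne $StigRequiredValue) { $reason = 'value differs from STIG-required 0x7ffffff8' }
    else                               { $reason = 'compliant' }
    [pscustomobject]@{ Value = ('0x{0:x8}' -f $v); Enabled = $enabled; Finding = $finding; Reason = $reason }
}

# 1. Compare the STIG value with the value the note above says PowerCLI needs.
$PowerCliValue = 0x7FFFFFFC
foreach ($candidate in $StigRequiredValue, $PowerCliValue) {
    Test-StigKerberosEncTypes -Value $candidate | Format-List
}
# The two values differ in exactly one bit; decoding the XOR names it: RC4_HMAC_MD5.
Get-KerberosEncTypeNames -Value ($PowerCliValue -bxor $StigRequiredValue)

# 2. Check the live setting on the Windows host PowerCLI runs from, using the
#    registry path from the STIG check text. On a host without the policy the
#    value is absent and is reported as a finding.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$live = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
Test-StigKerberosEncTypes -Value $live | Format-List
```

Run it as the account that will call Connect-VIServer; no elevation is needed to read the value. Note that the check only tells you what this client will offer: whether an SSPI logon to vCenter succeeds also depends on what the Kerberos ticket for the vCenter service is issued with, which this script does not inspect.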