Microsoft security advisory: Update to harden use of DES encryption: July 14, 2015

Applies to: Windows Server 2012 Datacenter, Windows Server 2012 Standard

INTRODUCTION


Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:

More Information


Important
  • All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

FAQ

How do I make sure that services that can use only DES encryption for Kerberos authentication (DES for Kerberos) will continue to work?

You can configure service accounts to support only Data Encryption Standard (DES) encryption types by enabling the Use Kerberos DES encryption types for this account setting in the account management UI. Specifically, select the Use DES check box in the properties of a security principal in the Active Directory Users and Computers snap-in (DSA.MSC). This sets the USE_DES_KEY_ONLY flag in the userAccountControl attribute of that account. This setting overrides any other encryption types that are configured, so that DES becomes the only encryption type the account supports.

Configuring accounts in this manner gives domain administrators a simple method to identify all accounts on "DES-only" Kerberos platforms and to determine when they are all decommissioned so that Group Policy objects that add DES support to Windows can be updated or removed. 

Because of the known weakness in DES, we advise that DES-only services should have access only to public data and should never have access to data that would have any business impact if it were compromised.

How do I make sure that services that are accessed by clients that use only DES for Kerberos will continue to work?

DES must be in the list of supported encryption types (msDS-SupportedEncryptionTypes attribute) on the service’s account object.

When a domain-joined host is running Windows Server 2008 or a later version, services that run under the system's identity require only that the host itself is enabled to support DES. Windows automatically configures the computer account to use the encryption types that the operating system supports. Windows Server 2008 R2 managed service accounts are also configured automatically.

If the service requires manual configuration, configure the account by using the account type's PowerShell cmdlet together with the KerberosEncryptionType parameter, so that all encryption types are set correctly. If you instead use Active Directory Users & Computers or Active Directory Administrative Center to configure the account to support DES, the service becomes DES-only, and this breaks clients that don't support DES.

How do I configure users who periodically use platforms that use DES only?

Users on DES-only Kerberos platforms should never access data that may have a business impact. They should access only public data. These users should be issued separate accounts that don't have access to data that may have a business impact. These accounts may be configured to use DES-only encryption.

How do I check DES usage in my environment?

See Hunting down DES in order to securely deploy Kerberos.
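The following is an added example (not code from the advisory) that covers both the manual-configuration step and the DES usage check above: it audits the domain for accounts that carry the USE_DES_KEY_ONLY flag or list a DES type in msDS-SupportedEncryptionTypes, then shows the cmdlet form of adding DES alongside AES on a service account. It assumes the RSAT ActiveDirectory module, a domain administrator session, and the hypothetical account names svc-legacy, LEGACYHOST$ and gmsa-legacy.

```powershell
# Added example, not part of the advisory. Assumes the ActiveDirectory module
# is installed and the session runs as a domain administrator.
Import-Module ActiveDirectory

# Documented bit values for msDS-SupportedEncryptionTypes and userAccountControl.
$DES_CBC_CRC  = 0x1
$DES_CBC_MD5  = 0x2
$AES_BITS     = 0x18        # AES128 (0x8) or AES256 (0x10)
$USE_DES_ONLY = 0x200000    # userAccountControl flag set by the "Use DES" check box

function Get-DesKerberosAccounts {
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $desOnly = @(Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$USE_DES_ONLY)" `
        -Properties userAccountControl, 'msDS-SupportedEncryptionTypes')
    $desListed = @(Get-ADObject -LDAPFilter "(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=$DES_CBC_CRC)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=$DES_CBC_MD5))" `
        -Properties userAccountControl, 'msDS-SupportedEncryptionTypes')

    ($desOnly + $desListed) | Sort-Object DistinguishedName -Unique | ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass
            DesOnlyFlag     = [bool]($_.userAccountControl -band $USE_DES_ONLY)  # UI check box set
            SupportedEtypes = $etypes
            HasAes          = [bool]($etypes -band $AES_BITS)  # $false means the account is a decommission candidate
        }
    }
}

# Inventory of everything still tied to DES, for the decommissioning list.
Get-DesKerberosAccounts | Format-Table -AutoSize

# Keep a service reachable by DES-only clients WITHOUT making the service DES-only:
# list DES together with the AES types (the UI check box would set USE_DES_KEY_ONLY
# instead and break every AES-capable client). 'svc-legacy' is a hypothetical account.
Set-ADUser -Identity 'svc-legacy' -KerberosEncryptionType 'AES256, AES128, DES'

# The same parameter exists on the cmdlets for the other account types:
# Set-ADComputer       -Identity 'LEGACYHOST$' -KerberosEncryptionType 'AES256, AES128, DES'
# Set-ADServiceAccount -Identity 'gmsa-legacy' -KerberosEncryptionType 'AES256, AES128, DES'
```

Accounts reported with DesOnlyFlag set, or with HasAes false, are the ones the advisory says should hold only public data and should be retired before the Group Policy that enables DES is removed.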

How to obtain and install the update


Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Get security updates automatically.

Note For Windows RT and Windows RT 8.1, this update is available through Windows Update only.

More Information


File information