サイバーセキュリティに関するブログを始めます
自分の備忘も兼ねて、色々調べたり、学んだりしたことを書き留めていきます。CISSP-ISSAPやOSCPの取得を通じてインプットは大分鍛えることができたと思うので、今後はアウトプットすることで更にレベルアップしていければと思います。
Why can we disable Kerberos Pre-authentication?
AS-REP Roasting is a famous technique to attack the Active Directory. You can get a lot of information saying something like "AS-REP Roasting attacks user accounts with Pre-authentication disabled. So you should not disable it". However, I struggled to find someone telling me why we can disable such a very critical security configuration like this. I assumed you would disable it if you needed to make it to work with something which are not compatible with the Kerberos pre-authentication of Active Directory. And now I am very happy that the following article may support me. I am sure that like me you too have seen many organizations (if not all) where this security feature of Kerberos pre-authentication is disabled for some (read many) users in order to support some applications that do not support the security feature offered by Kerberos pre-auth. Kerberos Pre-Authentication: Why It Should Not Be Disabled https://social.technet.microsoft.com/wiki/contents/articles/23559.kerbe...
Comments
Post a Comment