Showing posts from June, 2022

Why can we disable Kerberos Pre-authentication?

AS-REP Roasting is a famous technique for attacking Active Directory. You can find a lot of information saying something like "AS-REP Roasting attacks user accounts with pre-authentication disabled, so you should not disable it". However, I struggled to find anyone telling me why we can disable such a critical security configuration at all. I assumed you would disable it if you needed to make it work with something that is not compatible with the Kerberos pre-authentication of Active Directory. And now I am very happy that the following article may support me.

"I am sure that like me you too have seen many organizations (if not all) where this security feature of Kerberos pre-authentication is disabled for some (read many) users in order to support some applications that do not support the security feature offered by Kerberos pre-auth."

Kerberos Pre-Authentication: Why It Should Not Be Disabled
https://social.technet.microsoft.com/wiki/contents/articles/23559.kerbe...

Why is there an option to disable Kerberos pre-authentication?

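AS-REP Roasting is a well-known attack technique against Active Directory. There are plenty of explanations, and they all say the same thing: "It attacks user IDs that have Kerberos pre-authentication disabled, so disabling pre-authentication is dangerous." However, I had a hard time finding an explanation of "If it is that dangerous, why is there an option to disable Kerberos pre-authentication in the first place?" I had guessed that it was probably a setting for authenticating with products that do not support Kerberos pre-authentication, and after reading the following article I was relieved to see that this was indeed the case.

"I am sure that like me you too have seen many organizations (if not all) where this security feature of Kerberos pre-authentication is disabled for some (read many) users in order to support some applications that do not support the security feature offered by Kerberos pre-auth."

(In many organizations, Kerberos pre-authentication is disabled in order to use applications that do not support this security feature.)

Kerberos Pre-Authentication: Why It Should Not Be Disabled
https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx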