Disable RC4 encryption
Security · Entra Domain Services · Rule · 2024_06 · Critical
Disable RC4 encryption for Microsoft Entra Domain Services.
Description
By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as RC4. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.
Recommendation
Consider disabling RC4 encryption, which is considered weak, when it is not required by a legacy application.
Examples
Configure with Azure template
To deploy domains that pass this rule:
- Set the properties.domainSecuritySettings.kerberosRc4Encryption property to Disabled.
For example:
Azure Template snippet

```json
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    }
  }
}
```
Configure with Bicep
To deploy domains that pass this rule:
- Set the properties.domainSecuritySettings.kerberosRc4Encryption property to Disabled.
For example:
Azure Bicep snippet

```bicep
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
  }
}
```
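The following added example (not part of the rule documentation or the PSRule project) shows how the check behind this rule can be applied to the JSON form of a deployment: it walks the resources of a constructed ARM template, treats a missing kerberosRc4Encryption property as Enabled (the page states RC4 is on by default), and reports which Microsoft.AAD/domainServices resources fail. The resource names and the ntlmV1/tlsV1 advisory findings are assumptions for illustration.

```python
# Domain security setting this rule requires to be Disabled. RC4 is enabled by
# default, so a missing property is treated as "Enabled" (a failing state).
REQUIRED_DISABLED = ("kerberosRc4Encryption",)
# Companion settings shown in the page's snippets; reported here as warnings
# (assumption: they belong to sibling rules, not to this rule's pass/fail).
ADVISORY_DISABLED = ("ntlmV1", "tlsV1")


def check_domain_service(resource: dict) -> list[str]:
    """Return findings for one Microsoft.AAD/domainServices resource."""
    props = resource.get("properties") or {}
    settings = props.get("domainSecuritySettings") or {}
    findings = []
    for prop in REQUIRED_DISABLED + ADVISORY_DISABLED:
        value = settings.get(prop, "Enabled")  # default state is Enabled
        if value != "Disabled":
            level = "FAIL" if prop in REQUIRED_DISABLED else "WARN"
            findings.append(f"{level}: domainSecuritySettings.{prop} is "
                            f"{value!r}, expected 'Disabled'")
    return findings


def passes_rule(resource: dict) -> bool:
    """True when RC4 is Disabled; advisory warnings do not fail the rule."""
    return not any(f.startswith("FAIL") for f in check_domain_service(resource))


def evaluate_template(template: dict) -> dict[str, list[str]]:
    """Map each domainServices resource name in an ARM template to its findings."""
    results = {}
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.aad/domainservices":
            continue
        results[res["name"]] = check_domain_service(res)
    return results


# Constructed sample template: one hardened and one legacy-configured domain.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.AAD/domainServices", "name": "aadds-hardened",
     "properties": {"domainSecuritySettings": {
         "ntlmV1": "Disabled", "tlsV1": "Disabled",
         "kerberosRc4Encryption": "Disabled"}}},
    {"type": "Microsoft.AAD/domainServices", "name": "aadds-legacy",
     "properties": {"domainSecuritySettings": {"tlsV1": "Disabled"}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "unrelated"},
]}

if __name__ == "__main__":
    for name, findings in evaluate_template(SAMPLE_TEMPLATE).items():
        print(name, "PASS" if not any(f.startswith("FAIL") for f in findings) else "FAIL")
        for f in findings:
            print("  -", f)
```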