Skip to content

Disable RC4 encryption#

Security · Entra Domain Services · Rule · 2024_06 · Critical

Disable RC4 encryption for Microsoft Entra Domain Services.

Description#

By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as RC4. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.

Recommendation#

Consider disabling RC4 encryption which is considered weak and can be disabled if not required.

Examples#

Configure with Azure template#

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.kerberosRc4Encryption property to Disabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    }
  }
}

Configure with Bicep#

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.kerberosRc4Encryption property to Disabled.

For example:

Azure Bicep snippet
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
  }
}

Comments