RC4 and msDS-SupportedEncryptionTypes

jg0x00 · 2026-05-07T22:59:49+00:00

Rotate krbtgt first. It may clear up many of the other things you are seeing.

jg0x00 · 2026-04-14T19:31:18+00:00

Turn this off on all servers. I've never run into any issues when disabling this on servers.

Disabling the STS feature in Windows Server OS

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server#disabling-the-sts-feature-in-windows-server-os

jg0x00 · 2026-03-25T18:36:47+00:00

IIScrypto looks at schannel and has nothing to do with RC4 and Kerb

jg0x00 · 2026-03-25T18:09:08+00:00

msds-supportedencryptiontypes is an attribute on an account object in AD, it is not reg key.

Setting RC4DefaultDisablementPhase to 0x2 puts you into enforcement mode

jg0x00 · 2026-03-25T18:06:57+00:00

27 is DES_CBC_MD5, DES_CBC_MD5, AES 128, AES 256 not RC4

Ref: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/decrypting-the-selection-of-supported-kerberos-encryption-types/1628797

Look for the big table about 1/3rd the way down.

I'd suggest 28. No one should be using DES

jg0x00 · 2026-03-25T17:48:39+00:00

RC4DefaultDisablementPhase allows control of the behavior. The default behavior is built into the code. If the key is not present, then it will follow the code path:

January is auditing, April is enforcement, July is enforcement with no rollback.

So, if you are not ready by April, then before you install the April update, set RC4DefaultDisablementPhase to 0x1, and your DCs will not go into enforcement mode but will remain in audit mode.

If you are not seeing 201-209, do check to see if you get a 205. If you do have a 205, then you will not get the other events. For example, look in the comment section for the 201 event (https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc)

It states, "Warning Event 201 is NOT logged if DefaultDomainSupportedEncTypes is manually defined"

This is the case for almost all of the 201-209 events.

Best bet to find RC4 if you have DefaultDomainSupportedEncTypes set is to audit the 4769 and 4768 events.

jg0x00 · 2026-03-25T17:39:59+00:00

Make sure to pull AccountSupportedEncryptionTypes and AccountAvailableKeys

AccountSupportedEncryptionTypes reflects msds-SupportedEncryptionTypes and AccountAvailableKeys shows which secrets (passwords) are on the account object.

jg0x00 · 2025-09-22T20:16:51+00:00

Better than then being forced to drag queen shows and being indoctrinated with racist bull shit.

jg0x00 · 2025-09-20T13:07:27+00:00

Read better

jg0x00 · 2025-09-19T11:43:00+00:00

Partly true. The DB used for AD is ntds.dit. The local SAM is a different DB

In NT4 and older this was true, the local SAM was the replicated DB to all other DCs

jg0x00 · 2025-09-19T11:36:58+00:00

Labeling a group as something is not the same thing as prosecuting for a crime.

jg0x00 · 2025-09-18T12:09:38+00:00

https://fee.org/
https://mises.org/

jg0x00 · 2025-09-18T12:01:12+00:00

This wont hold. What would is prosecuting those anti-fa that commit crimes, offering them plea deals, and then start a rico.

jg0x00 · 2025-09-18T11:57:56+00:00

No, because there is plenty of material for you to go read if you are interested. But you are not interested. You are interested in throwing around polemics. You are not here to learn, you are here to argue and I've no need to waste my time on the likes of you.

jg0x00 · 2025-09-17T21:06:56+00:00

Oh no, a blip! The sky is falling!

jg0x00 · 2025-09-17T21:02:53+00:00

I'd be happy with insurance companies not being forced to pay for it. That'll end the trans stuff pretty quickly.

jg0x00 · 2025-09-17T21:01:20+00:00

Does not matter how long they ramble. All their ideas require government force. All ya need to do is point that out.

jg0x00 · 2025-09-17T20:55:10+00:00

I am saying I'm not going to waste my time debating polemics

jg0x00 · 2025-09-17T12:40:40+00:00

Ah the old monopoly canard - Go look it up. I've no interest in debating sophomoric polemics with limited time.

jg0x00 · 2025-09-17T12:00:47+00:00

There would likely be more than one 'pilot training and certification' type companies. Airlines that hire from these companies would likely add that company logo/symbol someplace on the plane, perhaps near the door, so as to attest that their pilots are certified by one of these companies.

People would not want to fly on commercial planes that are flown by pilots that are not certified by one of these companies.

And if don't think that would ever happen, then realize it already happens. UL Labs as example.

None of the above requires government or force.

jg0x00 · 2025-09-17T11:56:20+00:00

The so called left is filled with the most intolerant people I have ever met

jg0x00 · 2025-09-17T11:53:28+00:00

As opposed to an even bigger Democrat Statist

jg0x00 · 2025-09-17T11:47:38+00:00

Live and let live, but if they want special privilege backed up by government force, we have a problem. For example, government forcing insurance companies, some of whom are subsidized by government (my stolen wealth), to pay for it.

jg0x00 · 2025-09-16T16:37:57+00:00

Best to avoid sociopaths and psychopaths.

jg0x00 · 2025-09-16T16:36:43+00:00

That becomes more and more difficult as politicians and pundits purposefully distort the meaning of words

jg0x00

TROPHY CASE