
AD user account with DES encryption type enabled

Cayosoft Threat Definition CTD-000054


Risk Summary

DES uses a 56-bit key and is now considered highly insecure; any account allowed to use DES for Kerberos authentication is at elevated risk of credential theft and compromise.

  • Severity: Medium
  • Platform: Active Directory
  • Category: Account Protection, Kerberos
  • MITRE ATT&CK Tactics: Credential Access
  • MITRE D3FEND Tactics: Domain Account Monitoring

Description

DES encryption uses a 56-bit key and is considered highly insecure. Accounts permitted to use DES for Kerberos authentication are at significantly greater risk of having authentication sequences decrypted and the account compromised.


Real-World Scenario

An attacker gains a foothold on a legacy server and sniffs Kerberos traffic. Because a service account is configured to “Use only Kerberos DES encryption types,” the attacker can brute-force the weak DES-encrypted pre-authentication material and recover the account’s password. With those credentials, the attacker pivots to servers where the service account runs batch jobs, harvesting additional tokens and secrets while avoiding obvious sign-ins. Business impact includes data exfiltration and operational disruption tied to the compromised service. Cayosoft Guardian would flag the risky account configuration (CTD-000054) so the security team could remediate before exploitation.


How to Detect (Cayosoft Guardian)

1.) Sign in to Cayosoft Guardian Threat Detection Dashboard.

2.) Open All Alerts and search for CTD-000054 or AD user account with DES encryption type enabled.

3.) Open any alert and Click for details (from Raise Threat Alert action).

Remediation Steps

Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:

To enable pre-authentication for a user account:

  1. Click Start.
  2. Point to Control Panel.
  3. Point to Administrative Tools.
  4. Click Active Directory Users and Computers.
  5. Find the user with pre-authentication disabled.
  6. In the account options, clear the checkbox Use only Kerberos DES encryption types for this account.
  7. Press OK.

How to Prevent It

  • Use Cayosoft Guardian to continuously detect AD user accounts with DES encryption enabled across domains.
  • Standardize account templates that do not select DES-only encryption.
  • Decommission or isolate legacy systems that require DES; upgrade to AES-capable components.
  • Periodically audit userAccountControl and msDS-SupportedEncryptionTypes for risky values.
  • Apply least-privilege and rotate service account passwords regularly.
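
One way to run the periodic audit of userAccountControl and msDS-SupportedEncryptionTypes from the list above, as an added example that is not Cayosoft's code or part of the original page. It is read-only and assumes the ActiveDirectory PowerShell module (RSAT) is installed; the variable names are chosen for this example, and the bit values are the documented USE_DES_KEY_ONLY flag (0x200000) and the DES-CBC-CRC / DES-CBC-MD5 encryption-type bits (0x1, 0x2).

```powershell
# Added example: read-only audit of user accounts that still allow DES for Kerberos.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# userAccountControl flag set by "Use only Kerberos DES encryption types for this account"
$UF_USE_DES_KEY_ONLY = 0x200000
# msDS-SupportedEncryptionTypes bits that advertise DES
$ENC_DES_CBC_CRC = 0x1
$ENC_DES_CBC_MD5 = 0x2
$ENC_DES_ANY     = $ENC_DES_CBC_CRC -bor $ENC_DES_CBC_MD5

# LDAP matching rules: ...4.803 = all listed bits set (AND), ...4.804 = any listed bit set (OR)
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UF_USE_DES_KEY_ONLY)" +
          "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=$ENC_DES_ANY))"

$props = 'userAccountControl', 'msDS-SupportedEncryptionTypes',
         'servicePrincipalName', 'PasswordLastSet'

$findings = Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
    $uac = [int]$_.userAccountControl
    $enc = [int]$_.'msDS-SupportedEncryptionTypes'   # unset attribute casts to 0

    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        Enabled         = $_.Enabled
        DesOnlyFlag     = [bool]($uac -band $UF_USE_DES_KEY_ONLY)
        DesInEncTypes   = [bool]($enc -band $ENC_DES_ANY)
        EncTypesHex     = '0x{0:X}' -f $enc
        # Accounts with an SPN are service accounts: review these first
        HasSPN          = ($_.servicePrincipalName.Count -gt 0)
        PasswordLastSet = $_.PasswordLastSet
    }
}

# Service accounts first, then oldest passwords first
$findings |
    Sort-Object @{ Expression = 'HasSPN'; Descending = $true }, PasswordLastSet |
    Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or pipeline raise an alert
if ($findings) { exit 1 } else { exit 0 }
```

An account can appear with only one of the two columns true, so checking the checkbox alone misses accounts where DES is enabled only through msDS-SupportedEncryptionTypes.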

FAQ

DES uses a 56-bit key, which can now be brute-forced with modern computing power. This makes it possible for attackers to decrypt Kerberos authentication material and recover an account’s password if it relies on DES encryption.

Applications hard-coded to use DES may fail once the option is turned off. Changes should first be tested in an isolated environment, and upgrades to AES-capable components should be planned.

Service accounts often exist for years and hold broad privileges in the environment. If they’re configured for DES-only encryption, they provide attackers with a stable and convenient foothold for compromising the network.

Remove DES from account templates, isolate or upgrade legacy systems, regularly audit the userAccountControl and msDS-SupportedEncryptionTypes fields, and apply password rotation policies for service accounts.

Final Thought

Proactive monitoring and timely remediation of configuration risks are essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like AD user account with DES encryption type enabled, you reduce attack surfaces and strengthen your organization’s overall security posture.