Accounts Using RC4 Depreciation - Server Hardening
Hi Team, We have internal security compliance, request you to please review the below and suggest for QilkView and QlikSense? Potential action requested: Server Hardening – Project 14 WIN-21 Awareness: RC4 Depreciation & AES 128 & 256 Support This notice is to advise of upcoming changes relating to the use of RC4 within Kerberos authentication and the potential steps that will need to be taken by application owners. Please review the information below that includes a summary of this phase, list of key considerations, and next steps.
Background Project 14 Server Hardening (Ransomware) has been implemented to proactively mitigate ransomware risk on the global server estate. To strengthen Deloitte systems, ensure compliance to Global Cybersecurity Standards (Encryption Management SS.19), and protect against Ransomware attacks—specifically, an attack known commonly as “Kerberoasting”—changes to the Global managed Domain Controllers and Active Directory will be implemented to disable support for RC4 encryption in Kerberos Authentication.
Preparation and plan While it is expected that standard Kerberos authentication attempts by Windows operating systems will continue unhindered, disabling the use of RC4 may impact applications and require some investigation and remediation. Research and testing show that Java, Python, and .NET applications may be impacted. All member firms should investigate the current configurations of their applications, wherever Kerberos is used for authentication. We are requesting that these applications are modified so that they support AES 128 & 256 and “all future encryption methods.”
Reports based on Active Directory log data to identify where RC4 is being used will be made available to member firms and app teams for review on the Server Hardening Teams site. A series of changes will be made to set preferences for encryption to be used, enable logging, and then deny the use of RC4.
Application changes We expect there to be changes required to applications to support AES; some applications may face issues if they have a reliance on RC4 Kerberos for authentication. Configuration management documentation of .Net, Python, and Java will detail encryption and Kerberos information; however, app teams should review all relevant documentation and information sources.
Next steps Starting the week of 5 September, the project team will reach out to relevant application teams that continue to use RC4 to commence remediation activities and ensure that applications utilize AES 128 & 256 instead.