Skip to main content

Suggest an Idea

Vote for your favorite Qlik product ideas and add your own suggestions.

Announcements
QlikWorld 2023, a live, in-person thrill ride. Save $300 before February 6: REGISTER NOW!

Accounts Using RC4 Depreciation - Server Hardening

Alan_Slaughter
Support
Support

Accounts Using RC4 Depreciation - Server Hardening

Hi Team,
We have internal security compliance, request you to please review the below and suggest for QilkView and QlikSense?
Potential action requested: Server Hardening – Project 14
WIN-21 Awareness: RC4 Depreciation & AES 128 & 256 Support
This notice is to advise of upcoming changes relating to the use of RC4 within Kerberos authentication and the potential steps that will need to be taken by application owners.
Please review the information below that includes a summary of this phase, list of key considerations, and next steps.

Background
Project 14 Server Hardening (Ransomware) has been implemented to proactively mitigate ransomware risk on the global server estate.
To strengthen Deloitte systems, ensure compliance to Global Cybersecurity Standards (Encryption Management SS.19), and protect against Ransomware attacks—specifically, an attack known commonly as “Kerberoasting”—changes to the Global managed Domain Controllers and Active Directory will be implemented to disable support for RC4 encryption in Kerberos Authentication.

Preparation and plan
While it is expected that standard Kerberos authentication attempts by Windows operating systems will continue unhindered, disabling the use of RC4 may impact applications and require some investigation and remediation. Research and testing show that Java, Python, and .NET applications may be impacted.
All member firms should investigate the current configurations of their applications, wherever Kerberos is used for authentication. We are requesting that these applications are modified so that they support AES 128 & 256 and “all future encryption methods.”

Reports based on Active Directory log data to identify where RC4 is being used will be made available to member firms and app teams for review on the Server Hardening Teams site.
A series of changes will be made to set preferences for encryption to be used, enable logging, and then deny the use of RC4.

Application changes
We expect there to be changes required to applications to support AES; some applications may face issues if they have a reliance on RC4 Kerberos for authentication.
Configuration management documentation of .Net, Python, and Java will detail encryption and Kerberos information; however, app teams should review all relevant documentation and information sources.

Next steps
Starting the week of 5 September, the project team will reach out to relevant application teams that continue to use RC4 to commence remediation activities and ensure that applications utilize AES 128 & 256 instead.