Microsoft to Remove DES Encryption from Windows Kerberos: What Administrators Need to Know

Microsoft’s security roadmap continues to evolve, and one of the latest changes targets an aging encryption method. In an announcement dated February 28, 2025, Microsoft outlined plans to remove the Data Encryption Standard (DES) from Kerberos in Windows Server 2025 and Windows 11, version 24H2. This planned phase-out is part of broader efforts to enhance security in today’s increasingly hostile cyber landscape. In this article, we delve into what this means for administrators, the underlying technical rationale, and practical steps for ensuring a smooth transition.

Why Is DES Being Phased Out?

The Historical Context of DES​

  • Origins and Early Adoption:
    Published as FIPS 46 in 1977, DES was the first encryption standard adopted for commercial use in the United States. It was later integrated into Kerberos with its inclusion in RFC 1510 (1993) and then supported, as an optional encryption type, in Windows Kerberos implementations starting with Windows 2000.
  • The Rise of Vulnerabilities:
    With a 56-bit key size, DES was once sufficient for its time. However, increased computational power and more advanced cryptographic attack methods now expose DES to brute force and known-plaintext attacks. Officially deprecated in the Kerberos standard by RFC6649 in 2012, this legacy algorithm is no longer considered secure in a modern IT environment.
  • A Matter of Compatibility:
    Though DES has been disabled by default since Windows 7 and Windows Server 2008 R2, many network environments might still rely on it through legacy applications or non-Microsoft systems. Notably, Windows itself has never used DES for direct Windows-to-Windows authentication – its primary usage has been observed in certain older Java implementations.

The Shift to Stronger Encryption

  • Embracing AES:
    As part of Microsoft’s Secure Future Initiative (SFI), the focus is shifting toward robust encryption methods. Advanced Encryption Standard (AES), offering significantly stronger security, is now the recommended cipher across Windows systems, ensuring compliance with modern encryption standards and frameworks like the Federal Information Processing Standards (FIPS).

Understanding the Phased Transition

Microsoft has adopted a careful, phased approach in the transition away from DES in Kerberos:

1. Compatibility Mode

  • Current State:
    On all client and server versions of Windows released from Windows 7 and Windows Server 2008 R2 onward, DES in Kerberos is disabled by default. For environments that, for any reason, require its use, administrators have had the option to re-enable DES manually.
  • The Exception:
    For Windows 11, version 24H2 and Windows Server 2025 devices that have installed the Windows Updates released on or after September 9, 2025, re-enabling DES is no longer supported. On those systems the DES encryption types are gone from Kerberos, so any remaining DES dependency must be moved to a stronger encryption type (AES) before that update is installed.

2. Disabled Mode

  • Total Removal:
    Beyond the transitional phase, DES will be completely removed from the functionality of Kerberos in the affected Windows versions. Any legacy scenarios relying on DES will cease to work until IT administrators update their application and network security configurations to support alternative, secure ciphers like AES.
  • Implications for Administrators:
    Organizations using earlier versions of Windows still supporting DES must proactively detect and disable its use. Failure to prepare for this change can lead to disruptions when the update takes effect later this year.

Detecting DES Usage in Your Network

Before disabling DES, IT administrators must first identify if DES is being utilized anywhere in their network. Microsoft recommends a systematic approach:

Event Log Analysis

  • Key Event IDs:
    Monitor the Security event log on your domain controllers (DCs) for Kerberos Key Distribution Center Service (KDCSVC) events. Specifically, look for:
    • Event ID 4768: Logged each time a Kerberos Ticket Granting Ticket (TGT) is requested.
    • Event ID 4769: Logged whenever a Kerberos service ticket is requested.
    Both events carry a Ticket Encryption Type field that identifies the cipher of the issued ticket; the values 0x1 (DES_CBC_CRC) and 0x3 (DES_CBC_MD5) mean a DES ticket was issued, and the Account Name, Service Name and Client Address fields tell you who asked for it.
  • Tools and Scripts:
    Microsoft provides PowerShell scripts (available on GitHub) that can scan across multiple DCs for these events. Ensure remote event log access is enabled across your environment (the "Remote Event Log Management" inbound firewall rule group on each DC) so that a single workstation can aggregate the data from every DC.

Best Practices for Detection

  • Time Frame Filtering:
    If your event logs are extensive, narrowing down the time frame for your search can help isolate relevant events.
  • Cross-Referencing Accounts and Applications:
    Run an inventory of accounts and applications tagging DES-enabled encryption. This will help determine if the usage is due to non-Windows systems or outdated third-party applications.
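The following PowerShell script is an added example of the detection approach described above; it is not Microsoft's own GitHub script. It queries every domain controller for 4768/4769 events whose Ticket Encryption Type is a DES value, restricted to a time window, and then cross-references the directory for accounts that are forced to DES or that advertise a DES encryption type. It assumes the RSAT ActiveDirectory module, permission to read each DC's Security log, and remote event log access to the DCs; the `$Days` window is a parameter you choose.

```powershell
# Added example (not from Microsoft's announcement or its GitHub scripts).
# Assumes: RSAT ActiveDirectory module, rights to read the Security log on every DC,
# and the "Remote Event Log Management" firewall rule group enabled on the DCs.
#Requires -Modules ActiveDirectory

[CmdletBinding()]
param([int]$Days = 7)   # time-frame filter: only look back this many days

# Kerberos etype numbers exactly as they appear in the TicketEncryptionType field of 4768/4769.
$DesEtypes = @{ '0x1' = 'DES_CBC_CRC'; '0x3' = 'DES_CBC_MD5' }
$windowMs  = $Days * 86400000

# Server-side XPath filter so each DC returns only KDC events in the window with a DES etype.
$xpath = "*[System[(EventID=4768 or EventID=4769) and TimeCreated[timediff(@SystemTime) <= $windowMs]] " +
         "and EventData[Data[@Name='TicketEncryptionType']='0x1' or Data[@Name='TicketEncryptionType']='0x3']]"

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$hits = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; for this query that is the good outcome.
        if ($_.Exception.Message -like 'No events were found*') { continue }
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            DC       = $dc
            Time     = $e.TimeCreated
            EventId  = $e.Id                     # 4768 = TGT request, 4769 = service ticket request
            Account  = $data['TargetUserName']
            Service  = $data['ServiceName']      # krbtgt for 4768, the requested SPN's account for 4769
            ClientIP = $data['IpAddress']
            Etype    = $DesEtypes[$data['TicketEncryptionType']]
        }
    }
}

# Cross-reference with the directory. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
# USE_DES_KEY_ONLY = 0x200000 (2097152) in userAccountControl;
# msDS-SupportedEncryptionTypes bit 0x1 = DES_CBC_CRC, bit 0x2 = DES_CBC_MD5.
$desOnly = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2097152)' `
                        -Properties userAccountControl
$desAdv  = Get-ADObject -LDAPFilter '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=1)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=2))' `
                        -Properties 'msDS-SupportedEncryptionTypes'

"DES tickets issued in the last $Days day(s):"
$hits | Sort-Object Time | Format-Table DC, Time, EventId, Account, Service, ClientIP, Etype -AutoSize
"`nAccounts flagged 'Use only Kerberos DES encryption types for this account':"
$desOnly | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
"`nAccounts advertising a DES etype in msDS-SupportedEncryptionTypes:"
$desAdv | Select-Object Name, ObjectClass, 'msDS-SupportedEncryptionTypes' | Format-Table -AutoSize
```

Run it as `.\Find-KerberosDes.ps1 -Days 30` from a machine with RSAT. An empty ticket list is the outcome you want, but a clean log only proves nothing used DES during the window, so pick a window that covers infrequent jobs (month-end batch runs, quarterly reports) before declaring DES unused. The Client Address of each hit is usually the fastest way to find the non-Windows system or old Java application behind it.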

Steps to Disable DES in Kerberos

Once you’ve mapped out where DES is in play, it’s time to disable it carefully. Follow these detailed steps:

1. Active Directory User Settings

  • Verify Account Settings:
    Open the Active Directory Users and Computers console, open the account's properties and, on the Account tab under Account options, check that "Use only Kerberos DES encryption types for this account" is unchecked. This option corresponds to the USE_DES_KEY_ONLY (0x200000) flag in the userAccountControl attribute; the same flag can exist on computer and service accounts, so do not limit the check to user objects.
  • Account Password Update:
    Kerberos AES keys are derived from the password when it is set, and only by domain controllers that support AES (Windows Server 2008 and later). An account whose password was last set on an older domain controller (such as one running Windows Server 2003) still has no AES keys, so reset its password once to generate them.

2. Group Policy Adjustments

  • Configuring Kerberos Encryption:
    Access the Group Policy setting located at:
    Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.
  • Update Encryption Policies:
    Within the "Network security: Configure encryption types allowed for Kerberos" setting, ensure that the DES_CBC_CRC and DES_CBC_MD5 checkboxes are unchecked and that AES128_HMAC_SHA1, AES256_HMAC_SHA1 and "Future encryption types" are checked. The setting is a bitmask applied to the computers the GPO targets, so it must reach both the domain controllers and the member systems that request tickets.

3. Testing and Rollback Plan

  • Test in Controlled Environments:
    Before rolling out the configuration updates across your entire network, apply them in a test environment. Monitor for any disruptions in Kerberos authentication processes.
  • Prepare a Rollback Plan:
    Given the critical nature of network authentication, plan for a rollback to a pre-updated state should issues arise during the transition period.
  • Monitor Continuously:
    After deployment, maintain regular monitoring of your event logs to ensure that no DES-related events surface.
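The following PowerShell script is an added example covering steps 1 to 3 above; it is not Microsoft's code. It records the current state of every DES-only account to a CSV for rollback, clears the USE_DES_KEY_ONLY flag, lists enabled users whose password predates your AES-capable domain controllers, and decodes and corrects the Kerberos encryption-type bitmask in a GPO. It assumes the RSAT ActiveDirectory and GroupPolicy modules and rights to change the accounts and the GPO; the GPO name and the `$CutoverDate` (the date the last Windows Server 2003 domain controller left the domain) are placeholders you must set. Nothing is changed unless `-Apply` is given.

```powershell
# Added example (not Microsoft's code). Assumes RSAT ActiveDirectory + GroupPolicy modules and
# rights to edit the affected accounts and the named GPO. $GpoName and $CutoverDate are placeholders.
#Requires -Modules ActiveDirectory, GroupPolicy

[CmdletBinding()]
param(
    [datetime]$CutoverDate = '2010-01-01',          # when the last pre-Windows Server 2008 DC was retired
    [string]$GpoName = 'Kerberos - Disable DES',    # existing GPO linked to DCs and members
    [switch]$Apply                                  # without it, the script only reports
)

$USE_DES_KEY_ONLY = 0x200000

# Step 1a: accounts with "Use only Kerberos DES encryption types for this account" set.
$desOnly = Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$USE_DES_KEY_ONLY)" `
                        -Properties userAccountControl

# Step 3: record prior state before touching anything, so the change can be reversed.
$backup = Join-Path $env:TEMP ('des-rollback-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
$desOnly | Select-Object DistinguishedName, ObjectClass, userAccountControl |
    Export-Csv -Path $backup -NoTypeInformation
"Rollback record written to $backup"

foreach ($obj in $desOnly) {
    if ($Apply) {
        # Clears the 0x200000 bit; users, computers and service accounts alike.
        Set-ADAccountControl -Identity $obj.DistinguishedName -UseDESKeyOnly $false
        "Cleared USE_DES_KEY_ONLY on $($obj.DistinguishedName)"
    } else {
        "Would clear USE_DES_KEY_ONLY on $($obj.DistinguishedName)"
    }
}

# Step 1b: passwords set before AES-capable DCs existed have no AES keys. Listed, not reset,
# because each reset needs coordination with the account owner.
$staleKeys = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $CutoverDate }
"`nEnabled users whose password predates $($CutoverDate.ToShortDateString()) (reset once to generate AES keys):"
$staleKeys | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
# Per account: Set-ADAccountPassword -Identity <sam> -Reset -NewPassword (Read-Host -AsSecureString)

# Step 2: the "Network security: Configure encryption types allowed for Kerberos" setting is a
# bitmask stored at this policy key. Bits 0x1 and 0x2 are the DES checkboxes.
$key  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$bits = [ordered]@{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC_MD5 = 0x4
                    AES128_HMAC_SHA1 = 0x8; AES256_HMAC_SHA1 = 0x10; Future = 0x7FFFFFE0 }

function ConvertTo-EtypeNames([int]$Mask) {
    ($bits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key) -join ', '
}

$gpo = Get-GPO -Name $GpoName
$cur = (Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName SupportedEncryptionTypes -ErrorAction SilentlyContinue).Value
if ($null -eq $cur) { $cur = 0x1C }   # not configured: start from the Windows default set (RC4, AES128, AES256)
$new = ($cur -band (-bnot 0x3)) -bor 0x8 -bor 0x10 -bor 0x7FFFFFE0   # drop DES; require AES128, AES256, Future

"`nGPO '$GpoName' SupportedEncryptionTypes"
"  current: 0x{0:X} ({1})" -f $cur, (ConvertTo-EtypeNames $cur)
"  target : 0x{0:X} ({1})" -f $new, (ConvertTo-EtypeNames $new)
if ($Apply -and $new -ne $cur) {
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName SupportedEncryptionTypes -Type DWord -Value $new | Out-Null
    "  updated; run gpupdate /force on a test DC and member, then re-run the detection script"
}
```

Run it first without `-Apply` against a test OU and GPO, then with `-Apply` after the report looks right. The script deliberately leaves the RC4 bit as it finds it: disabling RC4 is a separate change with its own compatibility blast radius and is not what this announcement requires. If the policy had never been configured, enabling it will write an explicit bitmask, so confirm the decoded "target" line lists every encryption type your environment still needs before applying.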

Practical Recommendations for IT Administrators

Transitioning away from DES isn’t just a technical update—it’s a critical enhancement to safeguard your organization against evolving cyber threats. Here are some actionable recommendations:
  • Audit Your Environment:
    Conduct an organization-wide audit to identify any legacy systems or third-party applications that might still be relying on DES encryption.
  • Apply Windows Updates:
    Ensure that all devices, especially those running Windows Server 2025 and Windows 11 24H2, have the latest Windows Updates. This is a prerequisite for the new security enhancements to function properly.
  • Reach Out for Vendor Guidance:
    For non-Windows devices or specialty appliances, consult with the vendor regarding updated Kerberos client configurations or available workarounds.
  • Stay Informed:
    As with many security updates, knowledge is power. Follow community boards and discussions on WindowsForum.com for insights and shared experiences from other IT professionals. Similar threads like discussions on Windows 11 performance updates and transition guidelines for retiring legacy features can provide additional context and tips.

Broader Implications for Windows Security

The move to eliminate DES encryption in Kerberos reflects a broader industry trend: the continuous updating of legacy security measures in favor of more resilient, modern standards. With cyber threats evolving at an unprecedented rate, relying on outdated encryption methodologies can expose organizations to significant vulnerabilities.

Why This Matters

  • Enhanced Cybersecurity:
    Removing weak encryption methods like DES reduces the potential attack vectors in your network. Relying on AES and other robust algorithms contributes to a significant security posture improvement.
  • Compliance and Best Practices:
    Modern regulatory frameworks and industry standards require stronger encryption algorithms. DES itself was withdrawn as a FIPS standard in 2005, so a Kerberos configuration that still permits it cannot be described as FIPS-aligned; removing it keeps your Kerberos configuration in line with the Federal Information Processing Standards (FIPS) and similar requirements.
  • Future-Proofing Your Infrastructure:
    With enforcement arriving in the Windows Updates released on or after September 9, 2025, organizations have a clear timeline to modernize their authentication methods. This forward-looking approach not only enhances security but also streamlines future IT operations.

Final Thoughts

Microsoft’s decision to phase out DES in Kerberos is a timely reminder that digital security is not a static field. As encryption technologies and cyber threats continue to evolve, regular audits and updates become essential. The structured deprecation of DES in favor of AES provides organizations with a clear path toward sustainability and enhanced security.
For IT administrators, the message is clear: detect, assess, and disable legacy encryption methods now to avoid disruption when the updated Windows security patch takes effect. By following the recommended steps, from the Active Directory account changes to the Group Policy adjustments, you can ensure that your network stays robust against modern security threats.
This transition, much like other simultaneous updates in the Windows ecosystem—ranging from performance improvements to broader strategic shifts like the retirement of legacy communication tools—demonstrates Microsoft’s commitment to a secure, future-ready environment.
Stay safe, plan your transition carefully, and join the conversation on WindowsForum.com to learn from peers and share best practices in securing your Windows environment.

Summary:
Microsoft is removing DES encryption from Kerberos in upcoming Windows Server 2025 and Windows 11, version 24H2 updates to bolster security. IT administrators are urged to audit for DES usage, adjust Active Directory account and Group Policy settings, test changes in controlled environments, and prepare for a smooth rollout to maintain secure network authentication. Moving to stronger encryption types like AES now will protect your organization against evolving security threats.

Source: Microsoft Announcements https://techcommunity.microsoft.com/blog/WindowsServerNewsandBestPractices/removal-of-des-in-kerberos-for-windows-server-and-client/4386903