Entra Domain Services allows insecure version of RC4
May 20, 2025
SYNOPSIS
Disable RC4 encryption for Microsoft Entra Domain Services.
DESCRIPTION
By default, Microsoft Entra Domain Services allows Kerberos tickets to be encrypted with RC4 (RC4-HMAC), alongside other legacy options such as NTLMv1 and TLS 1.0. Some legacy applications may still require RC4, but it is a weak cipher: the RC4-HMAC Kerberos key is derived directly from the account's NT hash, so service tickets issued with it are far cheaper to crack offline than AES tickets, and as long as it stays enabled a client can be negotiated down to it. It can be disabled if nothing in the domain depends on it.
RECOMMENDATION
Disable Kerberos RC4 encryption unless a legacy application has a verified dependency on it. Before changing the setting, confirm that domain-joined clients and applications can negotiate AES (for example, by reviewing the encryption types in Kerberos ticket events); any client that can only use RC4 will fail to authenticate once it is disabled.
EXAMPLES
Configure with Bicep
To deploy domains that pass this rule:
- Set the properties.domainSecuritySettings.kerberosRc4Encryption property to Disabled.
For example:
// Entra Domain Services instance with the legacy protocols turned off
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    sku: 'Enterprise'
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled' // the setting this rule checks
    }
    replicaSets: [
      {
        subnetId: primarySubnetId
        location: location
      }
      {
        subnetId: secondarySubnetId
        location: secondaryLocation
      }
    ]
  }
}
Configure with Azure template
To deploy domains that pass this rule:
- Set the properties.domainSecuritySettings.kerberosRc4Encryption property to Disabled.
For example:
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": "Enterprise",
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    },
    "replicaSets": [
      {
        "subnetId": "[parameters('primarySubnetId')]",
        "location": "[parameters('location')]"
      },
      {
        "subnetId": "[parameters('secondarySubnetId')]",
        "location": "[parameters('secondaryLocation')]"
      }
    ]
  }
}
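The Bicep and ARM examples above show the compliant shape of a new deployment. The script below is an added example, not code from the rule page or the rule project, that applies the same check to already-deployed instances: it walks a list of resource objects (in the shape returned by an ARM template export or an Azure Resource Graph query, which is an assumption of this example), flags every Microsoft.AAD/domainServices resource whose properties.domainSecuritySettings.kerberosRc4Encryption is not Disabled, and prints an Azure CLI remediation command for each one. A missing domainSecuritySettings block is treated as a failure, because the service default is to allow RC4. The sample resources are constructed for the example; the resource IDs in them are placeholders.

```python
"""Audit exported Entra Domain Services resources for Kerberos RC4 encryption.

Added example (not part of the original rule page). It assumes each resource
is a dict in ARM/Resource Graph shape with "type", "name", optionally "id",
and "properties.domainSecuritySettings.kerberosRc4Encryption".
"""
import json
from typing import Iterable

DOMAIN_SERVICES_TYPE = "microsoft.aad/domainservices"
RC4_SETTING_PATH = "properties.domainSecuritySettings.kerberosRc4Encryption"


def kerberos_rc4_setting(resource: dict) -> str:
    """Return the effective kerberosRc4Encryption value for a resource.

    The service allows RC4 by default, so a missing block or missing key is
    reported as 'Enabled' rather than silently treated as compliant.
    """
    settings = resource.get("properties", {}).get("domainSecuritySettings") or {}
    return str(settings.get("kerberosRc4Encryption", "Enabled"))


def rc4_disabled(resource: dict) -> bool:
    """True only when the setting is explicitly Disabled (case-insensitive)."""
    return kerberos_rc4_setting(resource).lower() == "disabled"


def find_rc4_enabled(resources: Iterable[dict]) -> list[dict]:
    """Return the Entra Domain Services resources that still allow RC4."""
    findings = []
    for res in resources:
        if str(res.get("type", "")).lower() != DOMAIN_SERVICES_TYPE:
            continue  # ignore unrelated resource types in the same export
        if not rc4_disabled(res):
            findings.append({
                "name": res.get("name"),
                "id": res.get("id"),
                "kerberosRc4Encryption": kerberos_rc4_setting(res),
            })
    return findings


def remediation_command(resource_id: str) -> str:
    """Build the Azure CLI command that disables RC4 on a deployed instance.

    Uses the generic `az resource update --set` path with the same property
    path the Bicep/ARM examples set (assumed remediation route).
    """
    return f"az resource update --ids {resource_id} --set {RC4_SETTING_PATH}=Disabled"


# Constructed sample export: one compliant domain, one with RC4 explicitly
# enabled, one that omits domainSecuritySettings (service default applies),
# and an unrelated resource that must be ignored.
SAMPLE_RESOURCES = json.loads("""
[
  {"type": "Microsoft.AAD/domainServices", "name": "ds-prod",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ds/providers/Microsoft.AAD/domainServices/ds-prod",
   "properties": {"domainSecuritySettings": {"ntlmV1": "Disabled", "tlsV1": "Disabled", "kerberosRc4Encryption": "Disabled"}}},
  {"type": "Microsoft.AAD/domainServices", "name": "ds-legacy",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ds/providers/Microsoft.AAD/domainServices/ds-legacy",
   "properties": {"domainSecuritySettings": {"kerberosRc4Encryption": "Enabled"}}},
  {"type": "Microsoft.AAD/domainServices", "name": "ds-default",
   "properties": {"sku": "Enterprise"}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-ds", "properties": {}}
]
""")

if __name__ == "__main__":
    for finding in find_rc4_enabled(SAMPLE_RESOURCES):
        print(f"FAIL {finding['name']}: kerberosRc4Encryption={finding['kerberosRc4Encryption']}")
        if finding["id"]:
            print("  " + remediation_command(finding["id"]))
```

Run it against real data by replacing SAMPLE_RESOURCES with the output of `az resource list --resource-type Microsoft.AAD/domainServices` (the list command returns the resource envelope; fetch each item with `az resource show --ids` to get its properties). Do not pipe the generated update commands straight into a shell: each one should only be run after the RC4 dependency check in the RECOMMENDATION has been done for that domain.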