Microsoft Is Finally Killing RC4
28 points by raymii
Speaking of gifts that keep on giving, here’s to hoping that we get NTLMv1/2 phased out before the end of the decade!
So many of AD's security weaknesses stem from interoperability with NT 4.x at the time of AD's introduction… I have always felt that an AD install should ask "what's the oldest system you have to maintain compatibility with?" and cut off the backwards compatibility there.
My wish is that admins could just have a single, simple “turn off the bad” switch with a brownout period to harden things, rather than hunt down hundreds of individual policy settings :(
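A concrete first step toward that kind of brownout is an audit of where RC4 is still permitted and still actually used for Kerberos. The script below is an added example and is not code from the thread or from Microsoft. It classifies accounts by the msDS-SupportedEncryptionTypes bit field (DES 0x1/0x2, RC4 0x4, AES128 0x8, AES256 0x10) and scans security event 4769 for service tickets issued with etype 0x17 (RC4-HMAC). Without the -Live switch it runs entirely on constructed sample accounts and sample events embedded inline; with -Live it assumes the ActiveDirectory module, rights to read the attribute, and access to a domain controller's Security log (the account names and the $Dc value are placeholders).

```powershell
# Added example, not from the original thread: RC4 "brownout" audit for Kerberos in AD.
# Run with no arguments for the constructed sample data; run with -Live (assumed: AD module,
# read access to the attribute, and Security-log access on the DC named in $Dc) for real data.
param([switch]$Live, [string]$Dc = 'DC01')   # $Dc is a placeholder, not a real host

# Bit flags of msDS-SupportedEncryptionTypes as documented by Microsoft.
$DES = 0x1 -bor 0x2
$RC4 = 0x4
$AES = 0x8 -bor 0x10

function Get-EncTypePosture {
    param([string]$Name, $SupportedEncTypes)
    # Unset or 0 means the account takes the KDC's DefaultDomainSupportedEncTypes policy,
    # so it cannot be judged from the attribute alone; flag it for a registry check.
    if ($null -eq $SupportedEncTypes -or [int]$SupportedEncTypes -eq 0) {
        return [pscustomobject]@{ Name = $Name; Posture = 'Inherits KDC default (check DefaultDomainSupportedEncTypes)' }
    }
    $v = [int]$SupportedEncTypes
    $posture = if (($v -band $DES) -ne 0)                               { 'DES allowed' }
               elseif (($v -band $RC4) -ne 0 -and ($v -band $AES) -ne 0) { 'RC4 still allowed alongside AES' }
               elseif (($v -band $RC4) -ne 0)                            { 'RC4 only' }
               elseif (($v -band $AES) -ne 0)                            { 'AES only' }
               else                                                      { 'Unknown flags 0x{0:x}' -f $v }
    [pscustomobject]@{ Name = $Name; Posture = $posture }
}

function Get-Rc4TicketRequests {
    param([System.Xml.XmlDocument[]]$Events)
    # In event 4769 a TicketEncryptionType of 0x17 means the service ticket was RC4-HMAC.
    foreach ($e in $Events) {
        $d = @{}
        foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TicketEncryptionType'] -eq '0x17') {
            [pscustomobject]@{ Service = $d['ServiceName']; Client = $d['TargetUserName']; Address = $d['IpAddress'] }
        }
    }
}

if ($Live) {
    Import-Module ActiveDirectory
    $accounts = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties msDS-SupportedEncryptionTypes |
        ForEach-Object { @{ Name = $_.Name; Enc = $_.'msDS-SupportedEncryptionTypes' } }
    $events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 5000 |
        ForEach-Object { [xml]$_.ToXml() }
    # KDC-wide default that applies to accounts with the attribute unset (only readable on the DC itself).
    $kdcDefault = Invoke-Command -ComputerName $Dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
    }
    "KDC DefaultDomainSupportedEncTypes: $(if ($null -eq $kdcDefault) { 'not set' } else { '0x{0:x}' -f $kdcDefault })"
} else {
    # Constructed sample accounts (not real objects): values are the attribute as stored in AD.
    $accounts = @(
        @{ Name = 'svc-legacy-app'; Enc = 4 },      # RC4 only
        @{ Name = 'svc-sql';        Enc = 28 },     # RC4 + AES128 + AES256
        @{ Name = 'FS01$';          Enc = 24 },     # AES only
        @{ Name = 'svc-old-unset';  Enc = $null }   # attribute never set
    )
    # Constructed sample 4769 events, trimmed to the fields this script reads.
    $ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
    $events = @(
        "<Event xmlns='$ns'><EventData><Data Name='TargetUserName'>alice@CORP.EXAMPLE</Data><Data Name='ServiceName'>svc-legacy-app</Data><Data Name='TicketEncryptionType'>0x17</Data><Data Name='IpAddress'>::ffff:10.0.0.5</Data></EventData></Event>",
        "<Event xmlns='$ns'><EventData><Data Name='TargetUserName'>bob@CORP.EXAMPLE</Data><Data Name='ServiceName'>FS01$</Data><Data Name='TicketEncryptionType'>0x12</Data><Data Name='IpAddress'>::ffff:10.0.0.6</Data></EventData></Event>"
    ) | ForEach-Object { [xml]$_ }
}

"== Accounts by RC4 posture =="
$accounts | ForEach-Object { Get-EncTypePosture -Name $_.Name -SupportedEncTypes $_.Enc } | Sort-Object Posture | Format-Table -AutoSize

"== Service tickets still issued with RC4 (event 4769, etype 0x17) =="
Get-Rc4TicketRequests -Events $events | Group-Object Service | Select-Object Name, Count | Format-Table -AutoSize
```

The two views answer different questions: the attribute tells you which principals could still negotiate RC4, while the 4769 scan tells you which services actually do, which is what decides whether flipping the setting breaks something. Event 4769 has to be enabled through the "Audit Kerberos Service Ticket Operations" subcategory on the domain controllers, and accounts that show up as "Inherits KDC default" should be resolved against the registry value printed in -Live mode rather than assumed safe.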
Microsoft makes so much money selling security solutions and consulting to make their products secure, and which default knobs to turn off. A cynical person would say it's insecure by default on purpose to sell E5 licenses.
100% agree - AD is still very much a “Windows Server” product from MS’s perspective, so it really doesn’t get the love it deserves.
I think this, in addition to the lack of a good way to share non-trivial policy configurations (e.g. everyone resorts to GPO backups or massive PowerShell scripts) makes it hard to actually share best practices; for example, the “tiering” model is mostly shared by MS as a theoretical model because its implementation is quite org specific.
A side project I've chipped away at for a while is a programmatic interface to GPO, etc. to ideally help build repeatable ways to deploy "templates" via IaC to AD; in $OLDJOB we struggled to figure out the best way to distribute our AD security model in a way other organizations could implement it.
So much of modern AD security is the culmination of hundreds of individual policies; after managing a large (250k+ user) AD environment, I really feel admins have been dealt a terrible hand when it comes to securing it :(