Skip to content

False positive for Rule ID S-AesNotEnabled #358

Description

@PhiZ-9

What happened?

While using the latest version 3.5.1.33, the Rule "S-AesNotEnabled" causes false positives for newly created computer objects. Our use-case are pre-created objects for offline domain join (ODJ) for Autopilot installed devices via Intune. These will have a fresh creation and pwd last set date, but they have SPNs for normal computer objects (like "HOST" or "RestrictedKrbHost") and an empty msDS-SupportedEncryptionTypes. The attribute get filled once these devices process their GPOs for the first time and update their attributes. In the meantime, PingCastle will show the following entry under "Objects where AES usage with kerberos may be cause issues".

Example:

Name Creation Last logon Pwd Last Set Distinguished name
<AutoPilotComputerName>$ 2026-06-15 07:42:28Z Never 2026-06-15 08:42:28Z CN=<AutoPilotComputerName>$,OU=Computers,OU=<Location>,DC=contoso,DC=com

Proposed Fix

In:

private void ProcessNotAesEnabled(ADItem x, IAddAccountData data, DateTime dcWin2008Install)

If the attribute msDS-SupportedEncryptionTypes is 0 or not set, the method ProcessNotAesEnabled could check for the DefaultDomainSupportedEncryptionTypes. As long as they are set securely for AES only (0x18 for AES or 0x38 to also enforce AES-Sk), the rule should not trigger. This has the benefit to not only apply to computer objects, but other object types as well.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions