Control Stack
ISM-2010 ASD Information Security Manual (ISM)

Ensure SPNs Use Strong Encryption in AD Services

Service accounts in Active Directory must use strong encryption to secure their SPNs.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Service accounts configured with an SPN use the Advanced Encryption Standard for encryption.

Source: ASD Information Security Manual (ISM)

Plain language

Service accounts in Active Directory are user accounts used by applications or services rather than by people. When a service account is given an SPN, the domain issues Kerberos tickets for that service, and each ticket is encrypted with a key derived from the account's password. Any user in the domain can ask for one of these tickets. If the account still allows the older RC4 (or DES) cipher, an attacker can take the ticket away and guess the password from it at high speed; with AES the same guessing is far slower. Recovering the password gives the attacker whatever that service can reach, leading to data breaches or loss of trust in your business.

Why it matters

If SPN service accounts allow RC4 or DES, any authenticated domain user can request a service ticket for the SPN, take it offline and crack it (Kerberoasting) to recover the account's password. The RC4 key is the unsalted NT hash of the password, so each guess costs one MD4 operation; AES keys are derived with a salt and thousands of PBKDF2 iterations, which makes the same attack orders of magnitude slower. A cracked service account password gives access to the service and its data, and often more, because service accounts are frequently over-privileged. The result is a breach and reputational harm.

Operational notes

Audit every SPN-bearing account for msDS-SupportedEncryptionTypes. The attribute is a bitmask: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256; an unset or zero value falls back to the KDC default, which has historically allowed RC4, so treat it as weak. Set the value to 24 (0x18, AES128 + AES256) to disable RC4 and DES. AES keys are only generated when a password is set, so an account whose password predates AES support in the domain needs a password reset before it is made AES-only, otherwise the KDC cannot issue tickets for it. Confirm that the service and its clients support AES before cutting over. After the change, validate with klist on a client and with Security event 4769 on the domain controllers: its TicketEncryptionType field shows what was actually issued (0x12 or 0x11 for AES, 0x17 for RC4). AES-only makes Kerberoasting slow, not impossible, so service account passwords must still be long and random, or use group Managed Service Accounts, which rotate automatically.

Implementation tips

  • The IT team should review all service accounts in your Active Directory. Identify which accounts are still using old or weak encryption methods. Use Get-ADUser (or an LDAP query) to list every account that has a servicePrincipalName together with its msDS-SupportedEncryptionTypes value, and mark any account whose value is unset, zero, or has the DES or RC4 bits set for updating.
  • Managers should ensure the IT team has the time and resources to update encryption settings. This might involve scheduling downtime if necessary and working out a plan to let staff know about any disruptions.
  • The IT team must upgrade encryption settings for all service accounts to use the Advanced Encryption Standard (AES). In Active Directory Users and Computers this is the pair of checkboxes "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption" on the Account tab; setting both and nothing else writes 24 to msDS-SupportedEncryptionTypes. Change one service at a time, after its owner has confirmed the clients support AES, and reset the password first if it was last set before the domain supported AES.
  • System owners should document these changes and keep records of which accounts have had their encryption updated. This can be done by noting each change in a dedicated log file or spreadsheet.
  • Managers should communicate with stakeholders about the importance of strong encryption and any changes in security protocols. Use simple language to explain why these updates are essential for protecting sensitive information and maintaining business integrity.
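The audit and remediation steps above, carried out in PowerShell, as an added example that is not part of the Control Stack page or ASD guidance. It assumes the ActiveDirectory RSAT module and an account permitted to read and, for remediation, write msDS-SupportedEncryptionTypes; the helper names Get-SpnEncryptionReport and Set-SpnAesOnly, the account svc_sql01 and the SPN MSSQLSvc/sql01.corp.example:1433 are illustrative.

```powershell
# Added example (not Control Stack or ASD code): audit SPN-bearing accounts for weak Kerberos
# encryption types and restrict selected accounts to AES. Assumes the ActiveDirectory module
# and rights to read/write msDS-SupportedEncryptionTypes. Helper and account names are illustrative.
#Requires -Modules ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7). Ordered so the report is stable.
$EncType = [ordered]@{
    DES_CBC_CRC = 0x1
    DES_CBC_MD5 = 0x2
    RC4_HMAC    = 0x4
    AES128      = 0x8
    AES256      = 0x10
}
$WeakMask = $EncType.DES_CBC_CRC -bor $EncType.DES_CBC_MD5 -bor $EncType.RC4_HMAC
$AesOnly  = $EncType.AES128 -bor $EncType.AES256   # 0x18 = 24

function Get-SpnEncryptionReport {
    # Service accounts are user objects with at least one SPN. krbtgt is excluded: its keys are
    # managed by the KDC itself. gMSAs are not returned by Get-ADUser (use Get-ADServiceAccount);
    # they get AES keys by default.
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        # Unset (null) or 0 means "not configured": the KDC falls back to the domain default,
        # which has historically allowed RC4, so it is reported as weak.
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        $names = $EncType.GetEnumerator() | Where-Object { $value -band $_.Value } | ForEach-Object Key
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            SPNs            = ($_.servicePrincipalName -join ';')
            EncTypesRaw     = $value
            EncTypes        = ($names -join ',')
            AllowsWeak      = ($value -eq 0) -or (($value -band $WeakMask) -ne 0)
            PasswordLastSet = $_.PasswordLastSet   # must postdate AES support in the domain
        }
    }
}

function Set-SpnAesOnly {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # AES keys are derived when the password is set. An account whose password predates AES
    # support in the domain has no AES keys, and making it AES-only would stop ticket issuance,
    # so reset the password first in that case.
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
}

$report = Get-SpnEncryptionReport
$report | Sort-Object AllowsWeak -Descending |
    Format-Table SamAccountName, EncTypes, AllowsWeak, PasswordLastSet -AutoSize
# Directory-generated evidence for the audit file, rather than a hand-maintained spreadsheet.
$report | Export-Csv -Path .\spn-enctype-audit.csv -NoTypeInformation

# Remediate one account at a time, after the service owner confirms its clients support AES:
#   Set-SpnAesOnly -SamAccountName 'svc_sql01'
# Then from a domain-joined client request a fresh ticket and check what the KDC issued:
#   klist purge
#   klist get MSSQLSvc/sql01.corp.example:1433
# The ticket should show "KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96".
```

The AllowsWeak column is the finding the control cares about; an account whose EncTypes reads AES128,AES256 but whose PasswordLastSet is older than the domain's AES rollout is still a candidate for a password reset before it is switched.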

Audit / evidence tips

  • Ask: a report listing all service accounts in Active Directory that have an SPN, with each account's msDS-SupportedEncryptionTypes value

    Good: every account shows only the AES bits set (value 24, AES128 + AES256), with no RC4 or DES bits and no unset values

    Good: includes a complete list, generated from the directory rather than maintained by hand, with no accounts still using outdated encryption methods

  • Ask: IT policy documents related to encryption standards

    Good: is a policy document that is endorsed by management and reviewed annually

  • Ask: to see the change management log for the encryption updates. Check the entries for confirmation of successful AES upgrades

    Good: includes an entry for each service account with a completion date

  • Ask: evidence of staff training or communication about encryption updates

    Good: includes records of staff briefings or emailed updates with positive feedback
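Attribute reports show what each account permits; the stronger evidence that the change took effect is the encryption type of the tickets the domain controllers actually issue, which Security event 4769 records. The following is an added example, not code from the Control Stack page or ASD, that decodes 4769 events and summarises ticket types per SPN. It assumes "Audit Kerberos Service Ticket Operations" is enabled on the DCs and the caller can read their Security log; the helper names, the account svc_sql01, the user alice, the realm CORP.EXAMPLE and the address 10.0.0.25 in the embedded sample event are constructed for illustration.

```powershell
# Added example (not Control Stack or ASD code): decode Security event 4769 to see which
# Kerberos encryption types are really being issued per SPN. Assumes Kerberos service ticket
# auditing is enabled and the caller can read the DC Security log. Names are illustrative.

# TicketEncryptionType values as logged in 4769 (Kerberos etype numbers, in hex).
$EtypeName = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}
$WeakEtypes = @('0x1', '0x3', '0x17', '0x18')

function ConvertFrom-Event4769Xml {
    # Takes the XML of one 4769 event (as returned by EventLogRecord.ToXml()) and flattens it.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = [xml]$Xml
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $etype = $data['TicketEncryptionType']
        [pscustomobject]@{
            Time        = [datetime]$e.Event.System.TimeCreated.SystemTime
            Requester   = $data['TargetUserName']     # who asked for the ticket
            ServiceName = $data['ServiceName']        # account behind the SPN
            Etype       = $etype
            EtypeName   = $EtypeName[$etype]
            Weak        = $WeakEtypes -contains $etype
            ClientIP    = $data['IpAddress']
            Status      = $data['Status']             # 0x0 = issued; 0xE = etype not supported
        }
    }
}

function Get-RecentServiceTicketTypes {
    # Successful ticket requests for user (not computer$) accounts over the last N hours.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { $_.ToXml() } | ConvertFrom-Event4769Xml |
        Where-Object { $_.Status -eq '0x0' -and $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' }
}

# Constructed sample event (not a real log): an RC4 ticket issued for svc_sql01, which is exactly
# what a Kerberoasting tool asks for when the account still permits RC4.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2026-02-22T09:15:03.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">alice@CORP.EXAMPLE</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">svc_sql01</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@

$SampleXml | ConvertFrom-Event4769Xml | Format-List
# Weak = True and EtypeName = RC4-HMAC: this SPN is still being served with RC4 tickets.

# Live evidence from a DC: ticket types per SPN over the last day; anything RC4/DES is a finding,
# and an RC4 request for a single SPN from an unusual client is also a Kerberoasting indicator.
#   Get-RecentServiceTicketTypes -Hours 24 |
#       Group-Object ServiceName, EtypeName | Sort-Object Count -Descending |
#       Format-Table Name, Count -AutoSize
```

Once an account is AES-only, a client that still asks for RC4 no longer gets a ticket; those attempts appear as 4769 events with Status 0xE and are worth reviewing, because they identify either a legacy client that needs attention or a tool probing for crackable tickets.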

Cross-framework mappings

How ISM-2010 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control: Annex A 8.24
Relationship: Partially meets (1)
Notes: ISM-2010 requires that Active Directory service accounts with SPNs use strong encryption (specifically AES) for Kerberos/service authenti...
