ISM-2010 policy ASD Information Security Manual (ISM)

Ensure SPNs Use Strong Encryption in AD Services

Service accounts in Active Directory must use strong encryption to secure their SPNs.


Plain language

Service accounts in Active Directory are like special user accounts used by applications or services, not by people. Ensuring these accounts use strong encryption means that the data they handle is kept safe from prying eyes. If this isn't done, sensitive information could be intercepted and misused, leading to data breaches or loss of trust in your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Service accounts configured with an SPN use the Advanced Encryption Standard for encryption.

Why it matters

If SPN service accounts allow RC4/DES, attackers can Kerberoast and crack tickets to access services and data, causing breach and reputational harm.


Operational notes

Audit SPN accounts for msDS-SupportedEncryptionTypes; require AES128/256, disable RC4/DES, and validate Kerberos ticket encryption after changes.
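The audit and remediation described in the operational notes, as an added PowerShell example that is not part of the ISM or this site. It assumes the RSAT ActiveDirectory module and, for the remediation function, write access to the accounts; the function names are the example's own.

```powershell
# Added example (not from the ISM or Control Stack). Audits every user account that carries an SPN
# for msDS-SupportedEncryptionTypes, flags those still permitting RC4 or DES, and offers an opt-in
# remediation that sets the attribute to AES only. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
$DES_CBC_CRC = 0x01
$DES_CBC_MD5 = 0x02
$RC4_HMAC    = 0x04
$AES128_CTS  = 0x08
$AES256_CTS  = 0x10
$AesOnly     = $AES128_CTS -bor $AES256_CTS   # 0x18 = 24

function Get-SpnEncryptionReport {
    # Computer accounts are excluded on purpose: they rotate their own passwords and are
    # normally AES-capable already. User/service accounts are where RC4 tends to linger.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
               -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        # Null or 0 means "not configured": the domain default applies, which is not an explicit AES-only setting.
        $isSet = ($null -ne $etypes) -and ($etypes -ne 0)
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            SpnCount       = @($_.ServicePrincipalName).Count
            EncTypes       = if ($isSet) { '0x{0:X}' -f $etypes } else { 'not set' }
            AllowsDES      = $isSet -and (($etypes -band ($DES_CBC_CRC -bor $DES_CBC_MD5)) -ne 0)
            AllowsRC4      = $isSet -and (($etypes -band $RC4_HMAC) -ne 0)
            AesOnly        = $isSet -and (($etypes -band -bnot $AesOnly) -eq 0)
        }
    }
}

function Set-SpnAccountAesOnly {
    # Sets the attribute to AES128+AES256. Run with -WhatIf first, and record the account and
    # completion date in the change-management log the audit tips ask for.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set msDS-SupportedEncryptionTypes to 0x18 (AES only)')) {
        Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
    }
    # Caveat: an account only holds AES keys if its password was set after AES became available in
    # the domain. Reset the service account password after restricting it to AES, or ticket
    # issuance for that service will fail.
}

# Report, then list the accounts that are not yet AES only.
$report = Get-SpnEncryptionReport
$report | Where-Object { -not $_.AesOnly } | Format-Table -AutoSize
# Validate afterwards from a domain member: klist get <SPN>, then check "KerbTicket Encryption Type".
```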


Implementation tips

  • The IT team should review all service accounts in your Active Directory. Identify which accounts are still using old or weak encryption methods. Use system tools to list these accounts and mark them for updating.
  • Managers should ensure the IT team has the time and resources to update encryption settings. This might involve scheduling downtime if necessary and working out a plan to let staff know about any disruptions.
  • The IT team must upgrade encryption settings for all service accounts to use the Advanced Encryption Standard (AES). This could involve modifying account properties in the directory settings to ensure AES is selected.
  • System owners should document these changes and keep records of which accounts have had their encryption updated. This can be done by noting each change in a dedicated log file or spreadsheet.
  • Managers should communicate with stakeholders about the importance of strong encryption and any changes in security protocols. Use simple language to explain why these updates are essential for protecting sensitive information and maintaining business integrity.

Audit / evidence tips

  • Ask: A report listing all service accounts in Active Directory. Good: Shows that all accounts are using Advanced Encryption Standard (AES); includes a complete list with no accounts using outdated encryption methods.
  • Ask: IT policy documents related to encryption standards. Good: Is a policy document that is endorsed by management and reviewed annually.
  • Ask: To see the change management log for the encryption updates. Check the entries for confirmation of successful AES upgrades. Good: Includes an entry for each service account with a completion date.
  • Ask: Evidence of staff training or communication about encryption updates. Good: Includes records of staff briefings or emailed updates with positive feedback.

Cross-framework mappings

How ISM-2010 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: ISO/IEC 27001 Annex A 8.24
Notes: Partially meets (1)
Details: ISM-2010 requires that Active Directory service accounts with SPNs use strong encryption (specifically AES) for Kerberos/service authenti...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
