
Currently looking for a way to prevent unauthenticated user enumeration on a Domain Controller. This is a security precaution I'd like to implement, next to the existing measures taken to prevent unauthorized DC access.

Kerbrute states the following about the enumeration attack:

To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists and we move on. This does not cause any login failures so it will not lock out any accounts. This generates a Windows event ID 4768 if Kerberos logging is enabled.

I've noticed there are some settings in the Domain Controller that prevent authorised users from enumerating, but this does not seem to have an effect when it comes to this attack.
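Since the AS-REQ probe described above cannot be blocked at the KDC without breaking Kerberos for legitimate clients, the practical control is to detect it from the 4768 events it generates. The following is an added example (not from the question or from Kerbrute) that assumes the 4768 events have been exported to a hypothetical "timestamp client-address account result-code" line format and uses the result codes 4768 reports for the two KDC replies the Kerbrute text describes: 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) and 0x19 (KDC_ERR_PREAUTH_REQUIRED).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRINCIPAL_UNKNOWN = 0x6   # KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested name is not an account
PREAUTH_REQUIRED = 0x19   # KDC_ERR_PREAUTH_REQUIRED: the name exists, KDC wants pre-auth
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+)$")
def parse_4768(line):
    """Parse one record: '<ISO timestamp> <client address> <account name> <result code>'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, code = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "user": user.lower(), "code": int(code, 16)}

def detect_enumeration(lines, window_seconds=60, threshold=4):
    """Alert on a source whose AS-REQs hit >= threshold distinct unknown names inside the window (lines in time order)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # src -> (ts, user) for PRINCIPAL_UNKNOWN replies, newest last
    confirmed = defaultdict(set)   # src -> names the KDC confirmed exist (PREAUTH_REQUIRED)
    alerted, alerts = set(), []
    for raw in lines:
        ev = parse_4768(raw)
        if ev is None:
            continue
        src = ev["src"]
        if ev["code"] == PREAUTH_REQUIRED:
            confirmed[src].add(ev["user"])
        elif ev["code"] == PRINCIPAL_UNKNOWN:
            q = recent[src]
            q.append((ev["ts"], ev["user"]))
            while ev["ts"] - q[0][0] > window:   # drop events older than the window
                q.popleft()
            distinct = {u for _, u in q}         # a client retrying one bad name stays at 1
            if len(distinct) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"src": src, "first_seen": q[0][0].isoformat(),
                               "unknown_names": len(distinct), "confirmed": sorted(confirmed[src])})
    return alerts
# Constructed sample export (not real log data): one normal logon, one client retrying a
# single mistyped name, and one host sweeping a list of candidate names.
SAMPLE_4768 = """\
2024-05-01T10:00:00 10.0.0.5 alice 0x0
2024-05-01T10:00:02 10.0.0.9 bgates 0x6
2024-05-01T10:00:03 10.0.0.9 bgates 0x6
2024-05-01T10:00:05 10.0.0.77 administrator 0x19
2024-05-01T10:00:05 10.0.0.77 jsmith 0x6
2024-05-01T10:00:06 10.0.0.77 jdoe 0x6
2024-05-01T10:00:07 10.0.0.77 mwilson 0x6
2024-05-01T10:00:08 10.0.0.77 temp 0x6
""".splitlines()
```

Counting distinct unknown names rather than raw failures keeps a single misconfigured client out of the alert, while the confirmed list tells you which account names the prober has already learned exist.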
