UCF STIG Viewer Logo

The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2379 AD.4032_2003 SV-28500r2_rule ECSC-1 Medium
Description
This setting determines the period of time (in days) during which a users TGT may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.
STIG Date
Active Directory Service 2003 Security Technical Implementation Guide (STIG) 2011-05-20

Details

Check Text ( C-471r2_chk )
1. Analyze the system using the Security Configuration and Analysis.

2. Expand the Security Configuration and Analysis tree view.

3. Navigate to Account Policies -> Kerberos Policy.

4. If the “Maximum lifetime for user ticket renewal” is greater than ‘7’ days, then this is a finding.
Fix Text (F-5784r2_fix)
Configure the Kerberos policy option "Maximum lifetime for user ticket renewal" to a maximum of 7 days or less.