UCF STIG Viewer Logo

The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.


Finding ID Version Rule ID IA Controls Severity
V-2379 AD.4032_2003 SV-28500r2_rule ECSC-1 Medium
This setting determines the period of time (in days) during which a users TGT may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.
Active Directory Service 2003 Security Technical Implementation Guide (STIG) 2011-05-20


Check Text ( C-471r2_chk )
1. Analyze the system using the Security Configuration and Analysis.

2. Expand the Security Configuration and Analysis tree view.

3. Navigate to Account Policies -> Kerberos Policy.

4. If the “Maximum lifetime for user ticket renewal” is greater than ‘7’ days, then this is a finding.
Fix Text (F-5784r2_fix)
Configure the Kerberos policy option "Maximum lifetime for user ticket renewal" to a maximum of 7 days or less.