The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.
Overview

Finding ID: V-226068
Version: WN12-AC-000013-DC
Rule ID: SV-226068r794388_rule
IA Controls:
Severity: Medium
Description
This setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed. Limiting the renewal lifetime limits the amount of time an attacker has to crack the TGT and gain access.
STIG: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide
Date: 2022-03-01

Details

Check Text (C-27770r475527_chk)
Verify the following is configured in the Default Domain Policy.

1. Open "Group Policy Management".
2. Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain).
3. Right-click on the "Default Domain Policy".
4. Select "Edit".
5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy.

If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this is a finding.
Fix Text (F-27758r475528_fix)
Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket renewal" to 7 days or less.
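The check text above is a manual GUI procedure. The following PowerShell script is an added example, not part of the STIG or of any Microsoft tooling, that performs the same check from SYSVOL. It assumes the Default Domain Policy still has its well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9}, that the host is domain-joined with read access to SYSVOL, and that the GPO's security template (GptTmpl.inf, a UTF-16LE INI file) stores "Maximum lifetime for user ticket renewal" as MaxRenewAge (in days) under its [Kerberos Policy] section. The function names and the sample template lines are constructed for this example.

```powershell
# Added example for WN12-AC-000013-DC: evaluate MaxRenewAge in the Default Domain Policy.
# Not part of the STIG text; names and sample data below are constructed for illustration.

function Get-KerberosPolicyValue {
    # Parse one [Kerberos Policy] setting out of the lines of a GptTmpl.inf security template.
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,   # contents of GptTmpl.inf
        [Parameter(Mandatory)] [string]   $Name        # e.g. MaxRenewAge, MaxTicketAge
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            # Section header: only [Kerberos Policy] is of interest here.
            $inSection = ($Matches[1] -eq 'Kerberos Policy')
            continue
        }
        if ($inSection -and $trimmed -match "^$Name\s*=\s*(-?\d+)") {
            return [int]$Matches[1]
        }
    }
    return $null   # setting is not defined in this template
}

function Test-MaxRenewAge {
    # Read the Default Domain Policy template from SYSVOL and apply the STIG threshold.
    param(
        [string] $Domain = $env:USERDNSDOMAIN,
        [int]    $MaxAllowedDays = 7          # STIG requirement: 7 days or less
    )
    # Well-known GUID of the Default Domain Policy (assumption: it has not been replaced).
    $inf = "\\$Domain\SYSVOL\$Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) {
        return [pscustomobject]@{ Value = $null; Status = 'Open'; Note = "Template not found: $inf" }
    }
    # GptTmpl.inf is written as UTF-16LE, hence -Encoding Unicode.
    $lines = Get-Content -LiteralPath $inf -Encoding Unicode
    $value = Get-KerberosPolicyValue -InfLines $lines -Name 'MaxRenewAge'

    if ($null -eq $value) {
        # The check requires the value to be configured in the Default Domain Policy.
        return [pscustomobject]@{ Value = $null; Status = 'Open'; Note = 'MaxRenewAge is not configured in the Default Domain Policy' }
    }
    if ($value -gt $MaxAllowedDays) {
        return [pscustomobject]@{ Value = $value; Status = 'Open'; Note = "MaxRenewAge is $value days (> $MaxAllowedDays)" }
    }
    return [pscustomobject]@{ Value = $value; Status = 'NotAFinding'; Note = "MaxRenewAge is $value days" }
}

# Constructed sample template lines, so the parser can be exercised without SYSVOL access.
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[Kerberos Policy]', 'MaxTicketAge = 10', 'MaxRenewAge = 7', 'MaxServiceAge = 600',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1'
)
Get-KerberosPolicyValue -InfLines $sample -Name 'MaxRenewAge'   # returns 7 for the sample above

# On a domain-joined host, evaluate the live Default Domain Policy:
# Test-MaxRenewAge
```

Running Test-MaxRenewAge on a domain-joined host returns an object whose Status is "Open" when the value is missing or greater than 7 days and "NotAFinding" otherwise. The script reads the template only; it never modifies the GPO, so the fix is still applied through the Group Policy Management console as described in the fix text.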