The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2379 | AD.4032_2008 | SV-28501r1_rule | ECSC-1 | Medium |
| Description |
|---|
| This setting determines the period of time (in days) during which a users ticket-granting ticket (TGT) may be renewed. |
| STIG | Date |
|---|---|
| Windows 2008 Domain Controller Security Technical Implementation Guide | 2013-07-03 |
Details
| Check Text ( C-471r1_chk ) |
|---|
| 1. Analyze the system using the Security Configuration and Analysis. 2. Expand the Security Configuration and Analysis tree view. 3. Navigate to Account Policies -> Kerberos Policy. 4. If the “Maximum lifetime for user ticket renewal” is greater than ‘7’ days, then this is a finding. |
| Fix Text (F-5784r1_fix) |
|---|
| Configure the Kerberos policy option "Maximum lifetime for user ticket renewal" to a maximum of 7 days or less. |