Title

Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS). (Cat II impact)

Discussion

Although Kerberos logging can be used for troubleshooting, it can also provide security information for successful and failed login attempts. If a malicious actor uses a forged or unauthorized certificate to complete Kerberos PKINIT authentication, the Kerberos Authentication Service success audit in event 4768 can be used to detect the specific fraudulent certificate that was used to authenticate to then revoke the certificate. Kerberos Service Ticket operation events can be used in an investigation to discover which services were accessed by a malicious actor or to detect if an SCHANNEL-based authentication was abused by a malicious actor.

Check Content

This applies to domain controllers only. It is not applicable for other systems. Verify the following is configured on the domain controller. Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon. If "Audit Kerberos Authentication Service" and "Audit Kerberos Ticket Operations" are not set to "Success and Failure", this is a finding.

Fix Text

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon. Configure "Audit Kerberos Authentication Service" and the "Audit Kerberos Service Ticket Operations" to be set to "Success and Failure".

Additional Identifiers

Rule ID: SV-269097r1026170_rule

Vulnerability ID: V-269097

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.