Active Directory Domain STIG Version Comparison

There are 5 differences between versions v3 r3 (May 11, 2023) (the "left" version) and v3 r5 (Sept. 13, 2024) (the "right" version).

Check AD.0205 was added to the benchmark in the "right" version.

This check's original form is available here.

Title

Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS).

Check Content

This applies to domain controllers only. It is not applicable for other systems. Verify the following is configured on the domain controller. Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon. If "Audit Kerberos Authentication Service" and "Audit Kerberos Ticket Operations" are not set to "Success and Failure", this is a finding.

Discussion

Although Kerberos logging can be used for troubleshooting, it can also provide security information for successful and failed login attempts. If a malicious actor uses a forged or unauthorized certificate to complete Kerberos PKINIT authentication, the Kerberos Authentication Service success audit in event 4768 can be used to detect the specific fraudulent certificate that was used to authenticate to then revoke the certificate. Kerberos Service Ticket operation events can be used in an investigation to discover which services were accessed by a malicious actor or to detect if an SCHANNEL-based authentication was abused by a malicious actor.

Fix

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon. Configure "Audit Kerberos Authentication Service" and the "Audit Kerberos Service Ticket Operations" to be set to "Success and Failure".