Check: WN16-DC-000040
Microsoft Windows Server 2016 STIG:
WN16-DC-000040
(in versions v2 r9 through v1 r1)
Title
The Kerberos user ticket lifetime must be limited to 10 hours or less. (Cat II impact)
Discussion
In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed. Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058
Check Content
This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding.
Fix Text
Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket" to a maximum of "10" hours but not "0", which equates to "Ticket doesn't expire".
Additional Identifiers
Rule ID: SV-224967r958494_rule
Vulnerability ID: V-224967
Group Title: SRG-OS-000112-GPOS-00057
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001941 |
Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts. |
CCI-001942 |
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |