STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:

The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.

DISA Rule

SV-226068r569184_rule

Vulnerability Number

V-226068

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

WN12-AC-000013-DC

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket renewal" to a maximum of 7 days or less.

Check Contents

Verify the following is configured in the Default Domain Policy.

Open "Group Policy Management".
Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain).
Right click on the "Default Domain Policy".
Select Edit.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy.

If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this is a finding.

Vulnerability Number

V-226068

Documentable

False

Rule Version

WN12-AC-000013-DC

Severity Override Guidance

Verify the following is configured in the Default Domain Policy.

Open "Group Policy Management".
Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain).
Right click on the "Default Domain Policy".
Select Edit.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy.

If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this is a finding.

Check Content Reference

M

Target Key

4217

Comments