Domain Controller: Kerberos service ticket maximum lifetime must be limited to 600 minutes or less

62124d83-b9c6-4b9b-a580-eafd2c103cef

This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.

Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058

Remediation

To fix this, configure the following policy value:
Computer Configuration
|_ Policies
|_ Windows Settings
|_ Security Settings
|_ Account Policies
|_ Kerberos Policy
|_ Maximum lifetime for service ticket

Set it to a maximum of "600" minutes, but not "0", which equates to "Ticket doesn't expire".
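
One way to audit this value, as an added example that is not part of the original check text: the function below parses a security template in the INF format written by `secedit /export` and evaluates `MaxServiceAge` under `[Kerberos Policy]` against the 600-minute limit. The function name and the sample template are constructed for illustration.

```powershell
# On a domain controller, the real input can be produced with:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $inf = Get-Content "$env:TEMP\secpol.inf"

function Test-KerberosServiceTicketLifetime {   # hypothetical helper name
    param(
        [string[]]$InfLines,
        [int]$MaxMinutes = 600
    )
    $section = ''
    $value   = $null
    foreach ($line in $InfLines) {
        $trimmed = $line.Trim()
        # Track which INF section we are in so only [Kerberos Policy] is read.
        if ($trimmed -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Kerberos Policy' -and
            $trimmed -match '^MaxServiceAge\s*=\s*(\d+)$') {
            $value = [int]$Matches[1]
        }
    }
    if ($null -eq $value) {
        $status = 'Fail'; $reason = 'MaxServiceAge not defined in [Kerberos Policy]'
    } elseif ($value -eq 0) {
        $status = 'Fail'; $reason = '0 means the ticket does not expire'
    } elseif ($value -gt $MaxMinutes) {
        $status = 'Fail'; $reason = "$value minutes exceeds the $MaxMinutes-minute limit"
    } else {
        $status = 'Pass'; $reason = "$value minutes is within the $MaxMinutes-minute limit"
    }
    [pscustomobject]@{
        Setting = 'MaxServiceAge'; Minutes = $value; Status = $status; Reason = $reason
    }
}

# Constructed sample template (not taken from a real system).
$sample = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxServiceAge = 600
MaxClockSkew = 5
'@ -split "`r?`n"

# Exercise the compliant value, the non-expiring value and an over-limit value.
foreach ($minutes in 600, 0, 720) {
    $inf = $sample -replace '^MaxServiceAge\s*=.*$', "MaxServiceAge = $minutes"
    Test-KerberosServiceTicketLifetime -InfLines $inf
}
```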

STIG: Server
2022: https://system32.eventsentry.com/stig/viewer/V-254387
2019: https://system32.eventsentry.com/stig/viewer/V-205703
2016: https://system32.eventsentry.com/stig/viewer/V-224967

NIST 800-53 : AC-12, IA-2, CM-6
NIST 800-171: 3.1.2, 3.4.6
CMMC v2.0 L2: AC.L2-3.1.2, CM.L2-3.4.6
PCI-DSS v4.0: 2.2.1, 8.2.1
HIPAA SR : §164.312(a)(1)
HIPAA HICP : Practice 3 (Identity and Access Management)