b3bcdbc8-dfe2-4660-92f6-390d677ffb38
In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed.
Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058
To fix this configure the policy value for
Computer Configuration
|_ Policies
|_ Windows Settings
|_ Security Settings
|_ Account Policies
|_ Kerberos Policy
|_ Maximum lifetime for user ticket to a maximum of "10" hours but not "0", which equates to "Ticket doesn't expire".
STIG: Server
2025: https://system32.eventsentry.com/stig/viewer/V-224967
2022: https://system32.eventsentry.com/stig/viewer/V-254388
2019: https://system32.eventsentry.com/stig/viewer/V-205704
2016: https://system32.eventsentry.com/stig/viewer/V-224967
NIST 800-53 : AC-12, IA-2, CM-6
NIST 800-171: 3.1.2, 3.4.6
CMMC v2.0 L2: AC.L2-3.1.2, CM.L2-3.4.6
PCI-DSS v4.0: 2.2.1, 8.2.1
HIPAA SR : ยง164.312(a)(1)
HIPAA HICP : Practice 3 (Identity and Access Management)
Manage your cookie preferences below:
To learn more about our use of cookies, please see our
Privacy Policy.