Domain Controller: Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less

dd26607b-dc40-4958-9506-1bda6ee1de47

This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.

Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058

Remediation

To fix this, configure the policy value for
Computer Configuration
|_ Policies
|_ Windows Settings
|_ Security Settings
|_ Account Policies
|_ Kerberos Policy
|_ Maximum lifetime for user ticket renewal
to a maximum of "7" days or less.
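
One way to verify the setting after remediation, as an added example that is not part of the original page: the policy is stored in a security template (INF) as `MaxRenewAge` (in days) under `[Kerberos Policy]`, and the function below checks that value against the 7-day limit. The function name `Get-KerberosRenewalFinding` is hypothetical, and the sample template is constructed for illustration; for a real check, pass the lines of the template exported from the GPO that carries the domain's Kerberos policy.

```powershell
# Added example: audit MaxRenewAge in a security template against the 7-day limit.
function Get-KerberosRenewalFinding {
    param(
        [string[]] $TemplateLines,   # lines of a security template (INF)
        [int]      $MaxDays = 7      # limit stated by this check
    )
    $section = ''
    $days    = $null
    foreach ($raw in $TemplateLines) {
        $line = "$raw".Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or INF comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Only accept the key inside the Kerberos section, not a same-named key elsewhere.
        if ($section -eq 'Kerberos Policy' -and $line -match '^MaxRenewAge\s*=\s*(\d+)\s*$') {
            $days = [int]$Matches[1]
        }
    }
    if ($null -eq $days) {
        # "Not defined" in this template: the effective value comes from somewhere else,
        # so it cannot be reported as compliant from this file alone.
        return [pscustomobject]@{
            Setting = 'MaxRenewAge'; Days = $null; Compliant = $false
            Reason  = 'Not defined in this template'
        }
    }
    $ok = $days -le $MaxDays
    $reason = if ($ok) { "Within the $MaxDays-day limit" } else { "Exceeds the $MaxDays-day limit" }
    [pscustomobject]@{ Setting = 'MaxRenewAge'; Days = $days; Compliant = $ok; Reason = $reason }
}

# Constructed sample template with a renewal lifetime that is too long.
$sample = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 30
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
'@ -split "\r?\n"

Get-KerberosRenewalFinding -TemplateLines $sample

# Against a real file (the path is a placeholder):
# Get-KerberosRenewalFinding -TemplateLines (Get-Content '<path-to-exported-template>.inf')
```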

STIG: Server
2025: https://system32.eventsentry.com/stig/viewer/V-278136
2022: https://system32.eventsentry.com/stig/viewer/V-254389
2019: https://system32.eventsentry.com/stig/viewer/V-205705
2016: https://system32.eventsentry.com/stig/viewer/V-224968

NIST 800-53 : AC-12, IA-2, CM-6
NIST 800-171: 3.1.2, 3.4.6
CMMC v2.0 L2: AC.L2-3.1.2, CM.L2-3.4.6
PCI-DSS v4.0: 2.2.1, 8.2.1
HIPAA SR : §164.312(a)(1)
HIPAA HICP : Practice 3 (Identity and Access Management)