Information
This security setting determines the period of time (in days) during which a user's ticket-granting ticket can be renewed.
The STIG recommended state for this setting is: 7 or fewer days.
Rationale:
If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to 7 or fewer days:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum lifetime for user ticket renewal
Default Value:
7 days
Additional Information:
Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021
Vul ID: V-224968
Rule ID: SV-224968r569186_rule
STIG ID: WN16-DC-000050
Severity: CAT II
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: f1fc7104f322aea34df08cb1521b64122000b6a10c772122c156735be02dc5e2