20.31 Ensure 'krbtgt account password' is no more than '180 days old' (STIG DC only)

Information

This policy setting ensures that the password of the krbtgt account, which acts as the service account for the Kerberos Key Distribution Center (KDC) service, is no more than 180 days old. The account is created when the domain is created.

The STIG recommended state for this setting is: No more than 180 days old

Rationale:

If the krbtgt account is compromised, attackers can forge valid Kerberos Ticket Granting Tickets (TGTs).

Impact:

The krbtgt account password will need to be changed manually every 180 days.

Solution

Reset the krbtgt account password via PowerShell. PowerShell scripts to reset the password can be found at the following Microsoft webpage: Browse code samples | Microsoft Docs

Note: The password must be changed twice to effectively remove the old key from the password history. Changing the password once, waiting for replication to complete, and then changing it again reduces the risk of issues. Changing the password twice in rapid succession forces clients (including application services) to re-authenticate, but is desirable if a compromise is suspected.
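The following PowerShell is an added example for this check and solution; it is not the benchmark's own text nor the Microsoft sample script referenced above. It assumes the ActiveDirectory RSAT module and Domain Admin rights, run from a writable domain controller. Get-KrbtgtPasswordAge audits the password age against the 180-day threshold; Invoke-KrbtgtReset performs one reset and polls every writable DC until the new PasswordLastSet has replicated, so the second reset described in the note can be done safely afterwards. The function and parameter names are the example's own.

```powershell
# Added example (not the benchmark's or Microsoft's code).
# Assumes: ActiveDirectory module available, Domain Admin rights, run on a writable DC.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param([int]$MaxAgeDays = 180)   # threshold from WN19-DC-000430
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [int][math]::Floor($age.TotalDays)
        Compliant       = ($age.TotalDays -le $MaxAgeDays)
    }
}

function Invoke-KrbtgtReset {
    # Performs ONE reset with a random password that nobody ever sees, then waits
    # until every writable DC reports the new PasswordLastSet. Run it a second time
    # (as the note above says) to push the old key out of the password history.
    param([int]$TimeoutMinutes = 30)

    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    $bytes = $null

    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $newPassword
    $expected = (Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet).PasswordLastSet

    # Only writable DCs hold the domain krbtgt; RODCs use their own krbtgt_<id> accounts.
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $behind = foreach ($dc in $dcs) {
            $seen = (Get-ADUser -Identity 'krbtgt' -Server $dc.HostName -Properties PasswordLastSet).PasswordLastSet
            if ($seen -ne $expected) { $dc.HostName }
        }
        if (-not $behind) { return "Replicated to all $(@($dcs).Count) writable DCs" }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for replication; still behind: $($behind -join ', ')"
}

# Usage:
#   Get-KrbtgtPasswordAge                                          # audit only
#   if (-not (Get-KrbtgtPasswordAge).Compliant) { Invoke-KrbtgtReset }  # first reset
#   Invoke-KrbtgtReset                                             # second reset, after replication
```

The replication poll queries each DC directly with -Server rather than trusting a single DC's view, which is the check that matters before the second reset: issuing it before all writable DCs have the first key is what causes the authentication failures the note warns about.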

Default Value:

N/A

Additional Information:

Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205877
Rule ID: SV-205877r569188_rule
STIG ID: WN19-DC-000430
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3345