Information
This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.
The STIG recommended state for this setting is: Enabled.
Rationale:
If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Enforce user logon restrictions
Default Value:
Enabled.
Additional Information:
Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020
Vul ID: V-205702
Rule ID: SV-205702r569188_rule
STIG ID: WN19-DC-000020
Severity: CAT II
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: 5940298bbe35d4647f0a01b35575a53c2079ad09d1a31c5de574e20c36ed43ea