InformationThis security setting determines the period of time (in days) during which a user's ticket-granting ticket can be renewed.
The STIG recommended state for this setting is: 7 or fewer days.
If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire.
None - this is the default behavior.
SolutionTo establish the recommended configuration via GP, set the following UI path to 7 or fewer days:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum lifetime for user ticket renewal
Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020
Vul ID: V-205705
Rule ID: SV-205705r569188_rule
STIG ID: WN19-DC-000050
Severity: CAT II
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: ccc1621205e6fec7044f2a317b17218d157a3deceff3a55de3fc29ba87c88050