1.3.4 Ensure 'Maximum lifetime for user ticket renewal' is set to '7 or fewer days' (STIG DC only)


This security setting determines the period of time (in days) during which a user's ticket-granting ticket can be renewed.

The STIG recommended state for this setting is: 7 or fewer days.


If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire.


None - this is the default behavior.


To establish the recommended configuration via GP, set the following UI path to 7 or fewer days:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum lifetime for user ticket renewal

Default Value:

7 days

Additional Information:

Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020

Vul ID: V-205705
Rule ID: SV-205705r569188_rule
STIG ID: WN19-DC-000050
Severity: CAT II

See Also