WN12-AC-000010-DC - Kerberos user logon restrictions must be enforced.

Information

This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default which is the most secure setting for validating access to target resources is not circumvented.

Solution

Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> 'Enforce user logon restrictions' to 'Enabled'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_DC_V3R4_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-226065r794383_rule, STIG-ID|WN12-AC-000010-DC, STIG-Legacy|SV-51160, STIG-Legacy|V-2376, Vuln-ID|V-226065

Plugin: Windows

Control ID: 85df1c28f089d910c4d32c8604180ad2d7783f77bcdc37a8869a7a9c8e464de6