AD Starter Scan - Kerberos Krbtgt

medium Nessus Plugin ID 150484

Language:

Synopsis

KDC last password change is too old.

Description

Every Active Directory domain includes a special account called KRBTGT. This account holds the Kerberos master key, protecting all other secrets in the domain. Hence, it must be protected at all costs and renewed regularly. This plugin checks if the master key is set to be renewed at least once every two years.

Note: The AD Starter Scan and associated plugins are intended to be used with smaller AD deployments for purposes of preliminary analysis. Accurate preliminary analysis can be expected for AD deployments with up to 5000 users, groups or machines and incomplete results will be returned for larger AD deployments with Nessus, Security Center and Vulnerability Management. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

The KRBTGT password must be changed by following a precise sequence of operations. If it is not done properly, some domain controllers may lose the ability to authenticate against other domain controllers. Microsoft provides an official procedure and helper script.

Plugin Details

Severity: Medium

ID: 150484

File Name: adsi_kerberos_krbtgt.nbin

Version: 1.128

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 7/14/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by tenable.

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: ldap_enum_person/available

Detections

Analytics