Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.

An XCCDF Rule

Description

<VulnDiscussion>This setting determines the period of time (in days) during which a user's TGT may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access. Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-205705r1016459_rule
Severity: Medium
References: CCI-001941 CCI-001942 CCI-001942
Updated: 17 days ago

Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket renewal" to a maximum of "7" days or less.

Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.

Description

Remediation - Manual Procedure