1.3.3 Ensure 'Maximum lifetime for user ticket' is set to '10 or fewer hours, but not 0' (STIG DC only)

Information

This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used.

The STIG recommended state for this setting is: 10 or fewer hours, but not 0.

Rationale:

If you configure the value for the Maximum lifetime for user ticket setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to 10 or fewer hours, but not 0:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum lifetime for user ticket

Default Value:

10 hours




Additional Information:

Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021

Vul ID: V-224967
Rule ID: SV-224967r569186_rule
STIG ID: WN16-DC-000040
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3476