20.32 Ensure 'krbtgt account password' is no more than '180 days old' (STIG DC only)

Information

This policy setting ensures that the krbtgt account which acts as a service account for the Kerberos Key Distribution Center (KDC) service is no more than 180 days old. This account is created when a domain is created.

The STIG recommended state for this setting is: No more than 180 days old

If the krbtgt account is compromised, attackers can create valid Kerberos Ticket Granting Tickets (TGT).

Solution

Reset the krbtgt account password via PowerShell. PowerShell scripts to reset the password can be found at the following Microsoft webpage:

Browse code samples | Microsoft Docs

Note: The password must be changed twice to effectively remove the password history. Changing the password once and waiting for replication to complete and then changing again reduces the risk of issues. Changing the password twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected.

Impact:

The krbtgt account password will need to be changed manually every 180 days.

See Also

https://workbench.cisecurity.org/benchmarks/18857