1.3.2 Ensure 'Maximum lifetime for service ticket' is set to '600 or fewer minutes, but not 0' (STIG DC only)

Information

This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket.

The STIG recommended state for this setting is: 600 or fewer minutes, but not 0

If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection.

Solution

To establish the recommended configuration via GP, set the following UI path to 600 or fewer minutes, but not 0 :

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum lifetime for service ticket

Impact:

None - this is the default behavior.

Note: If you configure the value for the Maximum lifetime for service ticket setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled.

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13)

Plugin: Windows

Control ID: 61831eb8aa0fcdd53754bde70d58aa90ad130f71abd74f31bb394562fbe7cff7