1.3.1 Ensure 'Enforce user logon restrictions' is set to 'Enabled' (STIG DC only)

Information

This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.

The STIG recommended state for this setting is: Enabled

If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Enforce user logon restrictions

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/15301