Details
This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.
The STIG recommended state for this setting is: Enabled.
Rationale:
If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use.
Impact:
None – this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAccount PolicyKerberos PolicyEnforce user logon restrictions
Default Value:
Enabled.
Additional Information:
Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021
Vul ID: V-224965
Rule ID: SV-224965r569186_rule
STIG ID: WN16-DC-000020
Severity: CAT II
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management, Identification and Authentication.This control applies to the following type of system Windows.