Details
This security setting determines the period of time (in days) during which a user’s ticket-granting ticket can be renewed.
The STIG recommended state for this setting is: 7 or fewer days.
Rationale:
If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire.
Impact:
None – this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to 7 or fewer days:
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAccount PolicyKerberos PolicyMaximum lifetime for user ticket renewal
Default Value:
7 days
Additional Information:
Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021
Vul ID: V-224968
Rule ID: SV-224968r569186_rule
STIG ID: WN16-DC-000050
Severity: CAT II
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management, Identification and Authentication.This control applies to the following type of system Windows.