Simple Kerberos configuration

Check out these five Group Policy configuration settings you can adjust to improve your Kerberos security setup.

Windows 2000, Windows XP and Windows Server 2003 use Kerberos as the default protocol for authenticating users and computers in a domain, so its job is to protect the logon credentials users provide and the authentication exchange that carries them. That exchange may run between clients and domain controllers (which act as the Key Distribution Centers, or KDCs, in a distributed arrangement), between clients and servers, or between servers and the KDC.

For most situations, the default configuration of Kerberos is suitable. However, if you want to improve your security setup there are at least five configuration settings you can adjust in Group Policy. If you plan on changing these settings, test them on a non-production lab network first before implementing them on your production network.

The controls are located in the Computer Configuration section of Group Policy under Windows Settings, Security Settings, Account Policies, Kerberos Policy. Like the other account policies, they take effect domain-wide only when set in a GPO linked at the domain level (by default, the Default Domain Policy). The five configurable settings are:

Enforce user logon restrictions – this setting determines whether the KDC validates every request for a service (session) ticket against the user rights policy of the target computer, for example whether the account holds the "Log on locally" or "Access this computer from the network" right there. It is enabled by default and improves security, so don't alter it.

Maximum lifetime for service ticket – this setting controls the lifetime of service tickets (STs), in minutes. The default is 600 minutes (10 hours). Reducing it shrinks the window in which a stolen or replayed ST can be used to impersonate the user against a resource, at the cost of more frequent ST requests on behalf of users. Keeping the value at or above 240 minutes holds the added load on most DCs to an acceptable level. The value must be greater than 10 minutes and no greater than the user ticket lifetime below.

Maximum lifetime for user ticket – this setting controls the lifetime of ticket-granting tickets (TGTs), in hours. The default is 10 hours. Reducing it shrinks the window in which a stolen TGT can be used to obtain service tickets in the user's name, at the cost of more frequent TGT requests on behalf of users. A value of four hours holds the added load on most DCs to an acceptable level.

Maximum lifetime for user ticket renewal – this setting controls, in days, the total period over which a TGT can be kept alive by renewal rather than by a fresh logon: renewing an expiring TGT does not require the user to present credentials again. The default is seven days. Shorten this value to force a full re-authentication, and therefore a brand-new TGT, sooner. Keeping it at or above two days holds the added load on most DCs to an acceptable level; it must not be shorter than the user ticket lifetime.

Maximum tolerance for computer clock synchronization – this setting controls, in minutes, how far a client's clock may differ from the DC's before Kerberos rejects its requests. The default value of five minutes is usually ideal, and I don't recommend altering it. Kerberos relies on the timestamp in each authenticator to detect replays, so lengthening this value widens the window in which a captured ticket request can be replayed against the KDC or a server.
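The PowerShell script below is an added example and is not part of the original article or of any Microsoft tool. Run from an elevated prompt on a domain controller, it exports the effective security policy with secedit.exe, parses the [Kerberos Policy] section of the resulting template (the key names MaxTicketAge, MaxRenewAge, MaxServiceAge, MaxClockSkew and TicketValidateClient are the ones Windows writes there), compares each of the five settings with the ranges suggested above, and then applies the two consistency rules the KDC itself imposes. The "accepted" ranges are this script's own reading of the recommendations, not values mandated by Microsoft, and the temporary file name is arbitrary.

```powershell
# Added example (not from the original article): audit a DC's effective
# Kerberos policy against the ranges suggested in the text.
# Assumptions: elevated session on a domain controller; secedit.exe ships
# with Windows; the accepted ranges below are this script's own choice.

$inf = Join-Path $env:TEMP 'kerberos-policy.inf'   # arbitrary scratch file
& secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

# Parse only the [Kerberos Policy] section of the exported security template.
# secedit writes the template as UTF-16, which -Encoding Unicode reads correctly.
$kerb = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') { $kerb[$Matches[1]] = [int]$Matches[2] }
}

# The five settings, their template key names, and the range treated as acceptable
# (Windows default at the top of each range, hardened floor from the text at the bottom).
$checks = @(
    @{ Key = 'TicketValidateClient'; Name = 'Enforce user logon restrictions';                       Min = 1;   Max = 1;   Unit = '(1 = enabled)' }
    @{ Key = 'MaxServiceAge';        Name = 'Maximum lifetime for service ticket';                   Min = 240; Max = 600; Unit = 'minutes' }
    @{ Key = 'MaxTicketAge';         Name = 'Maximum lifetime for user ticket';                      Min = 4;   Max = 10;  Unit = 'hours' }
    @{ Key = 'MaxRenewAge';          Name = 'Maximum lifetime for user ticket renewal';              Min = 2;   Max = 7;   Unit = 'days' }
    @{ Key = 'MaxClockSkew';         Name = 'Maximum tolerance for computer clock synchronization';  Min = 5;   Max = 5;   Unit = 'minutes' }
)

$report = foreach ($c in $checks) {
    $value = $kerb[$c.Key]
    $status = if ($null -eq $value) { 'MISSING' }
              elseif ($value -ge $c.Min -and $value -le $c.Max) { 'OK' }
              else { 'REVIEW' }
    [pscustomobject]@{
        Setting  = $c.Name
        Key      = $c.Key
        Current  = $value
        Accepted = "$($c.Min)-$($c.Max) $($c.Unit)"
        Status   = $status
    }
}
$report | Format-Table -AutoSize

# Consistency rules enforced by the KDC: a service ticket cannot outlive the TGT
# that obtained it, and the renewal period cannot be shorter than the TGT lifetime.
# MaxServiceAge is in minutes, MaxTicketAge in hours, MaxRenewAge in days.
if ($kerb.ContainsKey('MaxServiceAge') -and $kerb.ContainsKey('MaxTicketAge') -and
    $kerb.MaxServiceAge -gt ($kerb.MaxTicketAge * 60)) {
    Write-Warning 'MaxServiceAge exceeds MaxTicketAge; the user ticket lifetime will cap service tickets.'
}
if ($kerb.ContainsKey('MaxRenewAge') -and $kerb.ContainsKey('MaxTicketAge') -and
    ($kerb.MaxRenewAge * 24) -lt $kerb.MaxTicketAge) {
    Write-Warning 'MaxRenewAge is shorter than MaxTicketAge; raise the renewal period.'
}
```

The same [Kerberos Policy] section and key names are what a security template (.inf) uses, so once you have settled on values in the lab, the corrected section can be imported into the Default Domain Policy with the Security Templates snap-in or the Group Policy editor's Import Policy command, followed by gpupdate /force on the DCs.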


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in October 2003
