STIGQter STIGQter: STIG Summary: Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 2 Release: 19 Benchmark Date: 24 Jan 2020: The password for the krbtgt account on a domain must be reset at least every 180 days.

DISA Rule

SV-101879r2_rule

Vulnerability Number

V-91777

Group Title

WINAD-000015-DC

Rule Version

WN12-AD-000015-DC

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Reset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected.

PowerShell scripts are available to accomplish this such as at the following link:
https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").

Select "Advanced Features" in the "View" menu if not previously selected.

Select the "Users" node.

Right click on the krbtgt account and select "Reset password".

Enter a password that meets password complexity requirements.

Clear the "User must change password at next logon" check box.

The system will automatically change this to a system generated complex password.

Check Contents

This requirement is applicable to domain controllers; it is NA for other systems.

Open "Windows PowerShell".

Enter "Get-ADUser krbtgt -Property PasswordLastSet".

If the "PasswordLastSet" date is more than 180 days old, this is a finding.

Vulnerability Number

V-91777

Documentable

False

Rule Version

WN12-AD-000015-DC

Severity Override Guidance

This requirement is applicable to domain controllers; it is NA for other systems.

Open "Windows PowerShell".

Enter "Get-ADUser krbtgt -Property PasswordLastSet".

If the "PasswordLastSet" date is more than 180 days old, this is a finding.

Check Content Reference

M

Target Key

2350

Comments