Active Directory is a very powerful tool with which we can manage tens of thousands of users in no time. Active Directory has a very useful component called Group Policy Management, commonly called GPO. GPO is used to define various kinds of security policies for users and computers to protect them from external threats. Today we will talk about one of the most popular GPO security policies, the Kerberos Policy.
Definition of Kerberos Policy:
Kerberos is the authentication protocol used in an Active Directory domain environment to authenticate logins and grant accounts access to domain resources. An account can be a user or a computer, because computers must also authenticate to the domain. Kerberos provides mutual authentication between a client and a server or between two servers. Mutual authentication means the identity of both parties is verified. Kerberos is also the basis for authorization to network resources in a Windows Active Directory domain.
Path To Kerberos Policy:
Computer configuration-> Policies-> Windows Settings->Security Settings -> Account Policies -> Kerberos Policy
Components Of Kerberos Policy:
The Kerberos policy has the sub-policies listed below, which we can configure according to our requirements:
- Enforce User Logon Restrictions.
- Maximum Lifetime For Service Ticket.
- Maximum Lifetime For User Ticket.
- Maximum Lifetime For User Ticket Renewal.
- Maximum Tolerance For Computer Clock Synchronization.
Let's take a deeper look at each of the above components:
1. Enforce User Logon Restrictions:
If this setting is enabled (the default), the KDC (Key Distribution Center) validates every request for service tickets against the rights granted to the requesting account. This process takes extra time, and although it’s somewhat more secure, it might slow access to network resources, so it can be disabled if needed.
2. Maximum Lifetime For Service Ticket:
This setting specifies in minutes how long a service ticket can be used before a new ticket must be requested to access the resource the ticket was granted for. The default is 600 minutes or 10 hours. The minimum allowed value is 10 minutes, and the maximum value is equal to the “Maximum lifetime for user ticket” setting.
3. Maximum Lifetime For User Ticket:
This setting is the maximum amount of time in hours a TGT (ticket-granting ticket) can be used before it must be renewed or a new one must be requested. The default value is 10 hours.
4. Maximum Lifetime For User Ticket Renewal:
This setting, specified in days, is the maximum period during which a TGT can be renewed. The default setting is 7 days. In this period, a TGT can be renewed without having to go through the full authentication process. After this period has expired (or the account logs off), a new TGT must be requested.
5. Maximum Tolerance For Computer Clock Synchronization:
This setting determines the maximum time difference allowed between a Kerberos message timestamp and the receiving computer’s current time. If the time difference falls outside this limit, the message is considered invalid. The default is 5 minutes. Timestamp messages are corrected for time zone, so it’s important to have the correct time zone set on all computers in the domain and have the domain controller clocks synchronized with a reliable source. By default, member computers are synchronized with the DC’s clock.
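The five settings above are written by the Group Policy client into the `[Kerberos Policy]` section of the GPO's GptTmpl.inf security template (under the policy's MACHINE\Microsoft\Windows NT\SecEdit folder in SYSVOL), with the keys TicketValidateClient, MaxServiceAge (minutes), MaxTicketAge (hours), MaxRenewAge (days) and MaxClockSkew (minutes). The script below is an added example, not code from the original post or from Microsoft: it parses that section from a constructed sample template and checks the values against the defaults and limits described above (the 10-minute minimum for service tickets, the service ticket lifetime not exceeding the TGT lifetime, logon restrictions enforced, and clock tolerance no looser than the 5-minute default). The sample template text and the `WEAK_GPTTMPL` variant are constructed for the example.

```python
"""Parse the [Kerberos Policy] section of a GptTmpl.inf security template and
check it against the limits described in the article (added example)."""
import configparser

# Constructed sample of the relevant part of a GptTmpl.inf. A real file is
# UTF-16 encoded and would be read with open(path, encoding="utf-16").
SAMPLE_GPTTMPL = """
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample with weakened settings, to show the findings.
WEAK_GPTTMPL = """
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 5
MaxClockSkew = 30
TicketValidateClient = 0
"""

# Default values quoted in the article, keyed by the template key name.
DEFAULTS = {
    "TicketValidateClient": 1,  # Enforce user logon restrictions (enabled)
    "MaxServiceAge": 600,       # service ticket lifetime, minutes
    "MaxTicketAge": 10,         # TGT lifetime, hours
    "MaxRenewAge": 7,           # TGT renewal period, days
    "MaxClockSkew": 5,          # clock synchronization tolerance, minutes
}


def parse_kerberos_policy(inf_text):
    """Return the [Kerberos Policy] settings as a dict of ints ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(inf_text)
    if not cp.has_section("Kerberos Policy"):
        return {}
    return {key: int(value) for key, value in cp.items("Kerberos Policy")}


def check_kerberos_policy(policy):
    """Return a list of findings; an empty list means the policy is consistent
    with the defaults and limits described in the article."""
    # Keys the template does not set keep their default values.
    merged = {**DEFAULTS, **policy}
    findings = []
    if merged["TicketValidateClient"] != 1:
        findings.append("TicketValidateClient: enforce user logon restrictions is disabled")
    if merged["MaxServiceAge"] < 10:
        findings.append("MaxServiceAge: below the 10 minute minimum")
    # MaxTicketAge is in hours, MaxServiceAge in minutes.
    if merged["MaxServiceAge"] > merged["MaxTicketAge"] * 60:
        findings.append("MaxServiceAge: exceeds the maximum lifetime for user ticket")
    if merged["MaxClockSkew"] > 5:
        findings.append("MaxClockSkew: looser than the 5 minute default, widening the window for replayed messages")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_GPTTMPL), ("weak", WEAK_GPTTMPL)):
        print(name, check_kerberos_policy(parse_kerberos_policy(text)) or "OK")
```

Keys that a GPO leaves unset fall back to the article's defaults, which matches how a domain behaves when a setting is "Not Defined"; point the parser at the Default Domain Policy's template (where the Kerberos policy is normally set) to audit a real domain.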
Key Distribution Center:
Every domain controller is a Key Distribution Center (KDC), which uses the Active Directory database to store keys for encrypting and decrypting data in the authentication process. The keys are based on an account’s encrypted password.
Ticket granting tickets:
When an account successfully authenticates with a domain controller (a KDC), it’s issued a ticket-granting ticket (TGT). A TGT grants the account access to the domain controller and is used to request a service ticket without having to authenticate again.
Reference: Microsoft