Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS).
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-269097 | SRG-OS-000480 | AD.0205 | SV-269097r1026170_rule | 2024-09-13 | 3 |
| Description |
|---|
| Although Kerberos logging can be used for troubleshooting, it can also provide security information for successful and failed login attempts. If a malicious actor uses a forged or unauthorized certificate to complete Kerberos PKINIT authentication, the Kerberos Authentication Service success audit in event 4768 can be used to detect the specific fraudulent certificate that was used to authenticate to then revoke the certificate. Kerberos Service Ticket operation events can be used in an investigation to discover which services were accessed by a malicious actor or to detect if an SCHANNEL-based authentication was abused by a malicious actor. |
| ℹ️ Check |
|---|
| This applies to domain controllers only. It is not applicable for other systems. Verify the following is configured on the domain controller. Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon. If "Audit Kerberos Authentication Service" and "Audit Kerberos Ticket Operations" are not set to "Success and Failure", this is a finding. |
| ✔️ Fix |
|---|
| Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon. Configure "Audit Kerberos Authentication Service" and the "Audit Kerberos Service Ticket Operations" to be set to "Success and Failure". |