Kerberos TGT Tickets

Monitoring Kerberos TGT Tickets and Ensuring Security Policy Compliance Overview: The Ticket-Granting Ticket (TGT) is a critical component of the Kerberos authentication protocol, used to authenticate users in an Active Directory environment without requiring repeated password entries. After a user logs in, they receive a TGT from the Key Distribution Center (KDC), which is then used to obtain additional service tickets for accessing network resources.

Key Security Concerns: TGTs are vital to network security, and if compromised, they can lead to various attack vectors, including:

  • Pass-the-Ticket (PTT): Attackers use a stolen TGT to access services without needing user credentials. Detection can be achieved by identifying the use of the same ticket from unusual locations or devices.

  • Golden Ticket: Attackers create a forged TGT with elevated privileges, enabling free movement within the network. Detection involves identifying long-lived tickets or tickets linked to anomalous accounts.

  • Silver Ticket: Attackers generate forged service tickets without breaching the KDC. Detection is possible by recognizing tickets associated with services unrelated to the original user.

  • Non-Compliant Tickets: TGTs that exceed the configured lifetime or renewal period may indicate a security misconfiguration or exploitation. Monitoring and comparing ticket ages with the set policy can help identify such violations.

Significance of TGT in Security: A compromised TGT allows attackers to execute pass-the-ticket, silver ticket, or golden ticket attacks, granting them persistent access to sensitive resources without requiring the original password. Ensuring TGTs adhere to security policies is therefore crucial for maintaining network security.

Steps to Monitor and Ensure Compliance:

  1. Review Kerberos Policy Settings:

    • Use the command gpedit.msc in PowerShell to view Kerberos-related settings under:

      • Computer Configuration → Windows Settings → Security Settings → Account Policies → Kerberos Policy

      • Key settings to monitor:

        • maxTicketAge: Maximum lifetime for a TGT.

        • maxRenewAge: Maximum duration for ticket renewal.

  2. Define Compliance Criteria:

    • Establish thresholds for ticket validity based on organizational policy:

      • Example: If maxTicketAge is set to 10 hours, any TGT older than 10 hours should be considered non-compliant.

      • Similarly, if maxRenewAge is set to 7 days, any ticket renewed after 7 days is considered a policy violation.

  3. Detect Non-Compliant TGTs:

    • Use PowerShell commands to check active ticket details: secedit /export /areas SECURITYPOLICY /cfg C:\KerberosPolicy.txt Get-Content C:\KerberosPolicy.txt | Select-String "MaxTicketAge" -Context 0,1

    • Compare the EndTime value with maxTicketAge to ensure tickets align with the established policy.

PreviousHardware SecurityNextMastering SELinux

Last updated