 |
Vanstechelman.eu | |
|
|
Navigation
My posts on Twitter
- lvanstechelman: For Better Password Policies: OWASP Passfault http://t.co/Tyzk2z6V
- lvanstechelman: XSS attack vector: Eval a url http://t.co/XbbtbivM
- lvanstechelman: New Product: Google Drive http://t.co/OlfyF4oO
- lvanstechelman: @ZIONSECURITY According to http://t.co/i073PUwc the attribute must case-insensitively match the string "HttpOnly"
- lvanstechelman: @ZIONSECURITY My logs contain requests containing the GET parameters like requested by the end-user e.g. /user/login?destination=node%2F1
Group Policy Settings - Local Policies - Kerberos Policy
- Enforce user logon restrictions
This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.
Default: Enabled.
- Maximum lifetime for service ticket
This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket.
If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection.
Default: 600 minutes (10 hours).
- Maximum lifetime for user ticket
This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used. When a user's TGT expires, a new one must be requested or the existing one must be "renewed."
Default: 10 hours.
- Maximum lifetime for user ticket renewal
This security setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed.
Default: 7 days.
- Maximum tolerance for computer clock synchronization
This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller running Windows Server 2003 that provides Kerberos authentication.
To prevent "replay attacks," Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both computers must be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to establish the maximum acceptable difference to Kerberos V5 between a client clock and domain controller clock. If the difference between a client clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two computers is considered to be authentic.
Important
This setting is not persistent. If you configure this setting and then restart the computer, this setting reverts to the default value.
Default: 5 minutes.