Security Assessment: Change password for krbtgt account
This recommendation lists any krbtgt account within your environment with password last set over 180 days ago.
Organization risk
The krbtgt account in Active Directory is a built-in account used by the Kerberos authentication service. It encrypts and signs all Kerberos tickets, enabling secure authentication within the domain. The account cannot be deleted, and securing it is crucial, as compromise could allow attackers to forge authentication tickets.
If the KRBTGT account's password is compromised, an attacker can use its hash to generate valid Kerberos authentication tickets, allowing them to perform Golden Ticket attacks and gain access to any resource in the AD domain. Since Kerberos relies on the KRBTGT password to sign all tickets, closely monitoring and regularly changing this password is essential to mitigating the risk of such attacks.
Remediation steps
Review the list of exposed entities to discover which of your krbtgt accounts have an old password.
Take appropriate action on those accounts by resetting their password twice to invalidate the Golden Ticket attack.
Note
The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It is recommended to use the Microsoft-provided script.