I'm trying to understand the best practice regarding the KRBTGT account in Active Directory. I've come across conflicting advice; some people say it should definitely be disabled, while others state it should remain enabled to avoid breaking Kerberos functionality. I work as a junior pentester who focuses on Active Directory, and I always believed the KRBTGT account should be kept enabled and its password changed regularly to prevent golden ticket attacks. However, I've noticed that in three mature environments I've checked, the KRBTGT account was disabled but Kerberos was still functioning. I'm curious about why so many recommend disabling it; do they not use Kerberos, or is there something I'm missing? I couldn't find definitive Microsoft documentation on this.
5 Answers
The general consensus is to keep the account disabled and change its password every 180 days. If it's been longer than that, you should rotate it twice, ensuring there's a gap of at least 10 hours between changes to let the system adjust properly.
Microsoft actually suggests changing the password every 30 days but expects it to be no older than 180 days for audits. This only matters if you're under their scrutiny, though.
The KRBTGT account being disabled by default is key. Its password is essential for Kerberos ticket signing, and if compromised, it could allow an attacker to forge tickets. Thus, keeping it disabled is generally best practice to avoid unnecessary risks.
Exactly! The point isn't just to disable access; it's about maintaining security. If an attacker gets hold of the password for this account, they could wreak havoc by creating their own tickets.
Most believe the KRBTGT account should always be disabled because no one needs to log in to it. It doesn't have to be enabled to issue Kerberos tickets, which is its primary function. Disabling it reduces the risk of potential attacks without affecting functionality.
Just a heads up, it's technically not truly disabled. It appears disabled in AD but has a special status due to its nature. So even if it's shown as disabled, it still operates as designed.
In my experience managing various domains, we've always kept the KRBTGT account disabled. Microsoft advises this approach along with frequent password resets to enhance security.
I found the KRBTGT account disabled in my setup, but I didn't disable it myself. It seemed to have happened automatically, and Kerberos is functioning just fine in my network.
Definitely remember to check that replication is working smoothly before making any password rotations!
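The two practical points raised in this thread, the 180-day / two-reset / 10-hour-gap schedule and checking replication first, can be turned into a pre-rotation audit. The script below is an added example, not code from any answer here; it assumes the RSAT ActiveDirectory module, a domain-admin-equivalent session, and that every DC is reachable. It only reports; the resets themselves stay a manual step.

```powershell
# Added example: audit KRBTGT password age and DC replication health before a reset.
# Assumes the ActiveDirectory module and rights to query every domain controller.
Import-Module ActiveDirectory

$MaxAgeDays  = 180   # rotate at least this often (per the answers above)
$MinGapHours = 10    # minimum gap between the first and second reset

function Get-KrbtgtStatus {
    $k   = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, Enabled
    $age = (Get-Date) - $k.PasswordLastSet
    [pscustomobject]@{
        Enabled           = $k.Enabled          # expected $false; the KDC still issues tickets
        PasswordLastSet   = $k.PasswordLastSet
        AgeDays           = [math]::Round($age.TotalDays, 1)
        RotationsDue      = if ($age.TotalDays -gt $MaxAgeDays) { 2 } else { 0 }
        EarliestNextReset = $k.PasswordLastSet.AddHours($MinGapHours)  # relevant after reset 1
    }
}

function Test-KrbtgtReplication {
    # Every DC must hold the same PasswordLastSet and have clean inbound/outbound links,
    # otherwise a reset now can leave DCs with mismatched KRBTGT keys.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $local = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        $bad   = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both |
                 Where-Object {
                     $_.LastReplicationResult -ne 0 -or
                     ((Get-Date) - $_.LastReplicationSuccess).TotalHours -gt 24
                 }
        [pscustomobject]@{
            DC              = $dc.HostName
            PasswordLastSet = $local.PasswordLastSet
            FailingLinks    = @($bad).Count
            Healthy         = (@($bad).Count -eq 0)
        }
    }
}

$status = Get-KrbtgtStatus
$repl   = Test-KrbtgtReplication
$status | Format-List
$repl   | Format-Table -AutoSize

# All DCs agree on the last set time and no link is failing -> safe to start the cycle.
$consistent = (@($repl.PasswordLastSet | Sort-Object -Unique).Count -eq 1)
if ($status.RotationsDue -gt 0 -and $consistent -and -not ($repl.Healthy -contains $false)) {
    "Safe to perform reset 1 of $($status.RotationsDue); wait at least $MinGapHours h before reset 2."
} else {
    "Do not reset yet: confirm replication health and a consistent PasswordLastSet on every DC."
}
```

Run it again after the first reset: once every DC reports the new PasswordLastSet and the EarliestNextReset time has passed, the second reset is safe.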