KERBEROS_POLICY
This policy item checks for the values defined in “Security Settings -> Account Policies -> Kerberos Policy”.
The check is performed by calling the function NetUserModalsGet with the level 1.
Usage
<custom_item>
type: KERBEROS_POLICY
description: ["description"]
value_type: [VALUE_TYPE]
value_data: [value]
(optional) check_type: [value]
kerberos_policy: [KERBEROS_POLICY_TYPE]
</custom_item>
This item uses the kerberos_policy field to describe which element of the Kerberos policy must be audited. The allowed types are:
- USER_LOGON_RESTRICTIONS (“Enforce user logon restrictions”)
  value_type: POLICY_SET
  value_data: "Enabled" or "Disabled"
- SERVICE_TICKET_LIFETIME (“Maximum lifetime for service ticket”)
  value_type: TIME_MINUTE
  value_data: DWORD or RANGE [time in minutes]
- USER_TICKET_LIFETIME (“Maximum lifetime for user ticket”)
  value_type: TIME_HOUR
  value_data: DWORD or RANGE [time in hours]
- USER_TICKET_RENEWAL_LIFETIME (“Maximum lifetime for user renewal ticket”)
  value_type: TIME_DAY
  value_data: DWORD or RANGE [time in days]
- CLOCK_SYNCHRONIZATION_TOLERANCE (“Maximum tolerance for computer clock synchronization”)
  value_type: TIME_MINUTE
  value_data: DWORD or RANGE [time in minutes]
Note: The Kerberos policy can only be checked against a KDC (Key Distribution Center), which, under Windows, is usually a Domain Controller.
Example
<custom_item>
type: KERBEROS_POLICY
description: "Maximum lifetime for user renewal ticket"
value_type: TIME_DAY
value_data: 12
kerberos_policy: USER_TICKET_RENEWAL_LIFETIME
</custom_item>
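As an added illustration (not Tenable's code), the following Python parses a KERBEROS_POLICY custom_item, verifies that its value_type is the one the table above requires for the chosen kerberos_policy element, and evaluates value_data against a constructed set of values read back from a KDC. It assumes the [low..high] RANGE syntax (with MAX as an open upper bound) and does not model the optional check_type field.

```python
import re

# kerberos_policy element -> required value_type, from the table above.
POLICY_VALUE_TYPES = {
    "USER_LOGON_RESTRICTIONS": "POLICY_SET",
    "SERVICE_TICKET_LIFETIME": "TIME_MINUTE",
    "USER_TICKET_LIFETIME": "TIME_HOUR",
    "USER_TICKET_RENEWAL_LIFETIME": "TIME_DAY",
    "CLOCK_SYNCHRONIZATION_TOLERANCE": "TIME_MINUTE",
}

# Constructed sample of what a scanner reads back from a KDC (Windows defaults, units as above).
OBSERVED = {"USER_LOGON_RESTRICTIONS": "Enabled", "SERVICE_TICKET_LIFETIME": 600,
            "USER_TICKET_LIFETIME": 10, "USER_TICKET_RENEWAL_LIFETIME": 7,
            "CLOCK_SYNCHRONIZATION_TOLERANCE": 5}

FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*$")

def parse_custom_item(text):
    """Parse one <custom_item> block into a dict of field -> value (quotes stripped)."""
    body = text.split("<custom_item>", 1)[1].split("</custom_item>", 1)[0]
    matches = (FIELD_RE.match(line) for line in body.splitlines())
    return {m.group(1): m.group(2).strip('"') for m in matches if m}

def parse_value_data(value_data):
    """(low, high) for a DWORD such as 12 or a RANGE such as [1..12]; high=None means MAX."""
    m = re.fullmatch(r"\[(\d+)\.\.(\d+|MAX)\]", value_data)  # RANGE syntax is an assumption
    if m:
        return int(m.group(1)), None if m.group(2) == "MAX" else int(m.group(2))
    return int(value_data), int(value_data)

def evaluate(item, observed):
    """Return (passed, reason); fails on an unknown element or a value_type mismatch."""
    policy = item.get("kerberos_policy")
    expected_type = POLICY_VALUE_TYPES.get(policy)
    if expected_type is None or item.get("value_type") != expected_type:
        return False, f"kerberos_policy {policy!r} is unknown or needs value_type {expected_type}"
    value = observed[policy]
    if expected_type == "POLICY_SET":
        passed = item["value_data"].lower() == value.lower()
    else:
        low, high = parse_value_data(item["value_data"])
        passed = low <= value and (high is None or value <= high)
    return passed, f"{policy}: wanted {item['value_data']}, observed {value}"

# The page's own example item (12 days), which fails against the 7-day sample above.
PAGE_ITEM = ("<custom_item>\ntype: KERBEROS_POLICY\n"
             'description: "Maximum lifetime for user renewal ticket"\n'
             "value_type: TIME_DAY\nvalue_data: 12\n"
             "kerberos_policy: USER_TICKET_RENEWAL_LIFETIME\n</custom_item>")
```

Swapping value_data for a RANGE such as [1..10] makes the same item pass against the sample, and changing value_type to TIME_HOUR makes it fail regardless of the value.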