KERBEROS_POLICY

This policy item checks for the values defined in “Security Settings -> Account Policies -> Kerberos Policy”.

The check is performed by calling the function NetUserModalsGet with level 1.

Usage

<custom_item>
type: KERBEROS_POLICY
description: ["description"]
value_type: [VALUE_TYPE]
value_data: [value]
(optional) check_type: [value]
kerberos_policy: [KERBEROS_POLICY_TYPE]
</custom_item>

This item uses the kerberos_policy field to select which element of the Kerberos policy is audited. The allowed types are:

  • USER_LOGON_RESTRICTIONS (“Enforce user logon restrictions”)
    value_type: POLICY_SET
    value_data: "Enabled" or "Disabled"

  • SERVICE_TICKET_LIFETIME (“Maximum lifetime for service ticket”)
    value_type: TIME_MINUTE
    value_data: DWORD or RANGE [time in minutes]

  • USER_TICKET_LIFETIME (“Maximum lifetime for user ticket”)
    value_type: TIME_HOUR
    value_data: DWORD or RANGE [time in hours]

  • USER_TICKET_RENEWAL_LIFETIME (“Maximum lifetime for user renewal ticket”)
    value_type: TIME_DAY
    value_data: DWORD or RANGE [time in days]

  • CLOCK_SYNCHRONIZATION_TOLERANCE (“Maximum tolerance for computer clock synchronization”)
    value_type: TIME_MINUTE
    value_data: DWORD or RANGE [time in minutes]

Note: The Kerberos policy can only be checked against a KDC (Key Distribution Center), which, under Windows, is usually a Domain Controller.

Example

<custom_item>
type: KERBEROS_POLICY
description: "Maximum lifetime for user renewal ticket"
value_type: TIME_DAY
value_data: 12
kerberos_policy: USER_TICKET_RENEWAL_LIFETIME
</custom_item>
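To make the value_type / value_data semantics above concrete, here is an added Python evaluator (not Tenable's code) that parses one <custom_item> block and compares a DWORD or RANGE value against sample KDC settings. The RANGE form "[lo..hi]" is assumed from the general Nessus audit syntax, and the observed values are constructed stand-ins, not read from a live KDC.

```python
import re

# Constructed sample item in the page's <custom_item> syntax (not from the page);
# the RANGE form "[lo..hi]" is assumed from the general Nessus audit syntax.
ITEM = """
<custom_item>
type: KERBEROS_POLICY
description: "Maximum lifetime for user renewal ticket"
value_type: TIME_DAY
value_data: [1..7]
kerberos_policy: USER_TICKET_RENEWAL_LIFETIME
</custom_item>
"""

# Constructed stand-in for the values a scan reads from the KDC (Windows defaults); no live query.
OBSERVED = {
    "USER_LOGON_RESTRICTIONS": "Enabled",
    "SERVICE_TICKET_LIFETIME": 600,
    "USER_TICKET_LIFETIME": 10,
    "USER_TICKET_RENEWAL_LIFETIME": 7,
    "CLOCK_SYNCHRONIZATION_TOLERANCE": 5,
}

def parse_item(text):
    """Turn the 'key: value' lines of one <custom_item> block into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip('"')
    return fields

def value_matches(item, observed):
    """POLICY_SET compares Enabled/Disabled; TIME_* values are a DWORD (exact
    match) or a RANGE [lo..hi] in the unit the value_type names."""
    data = item["value_data"]
    if item["value_type"] == "POLICY_SET":
        return observed == data
    rng = re.fullmatch(r"\[(\d+|MIN)\.\.(\d+|MAX)\]", data)
    if rng:
        lo = 0 if rng.group(1) == "MIN" else int(rng.group(1))
        hi = float("inf") if rng.group(2) == "MAX" else int(rng.group(2))
        return lo <= observed <= hi
    return observed == int(data)

def evaluate(item_text, observed=OBSERVED):
    """Return (kerberos_policy, 'PASSED' or 'FAILED') for one audit item."""
    item = parse_item(item_text)
    key = item["kerberos_policy"]
    return key, "PASSED" if value_matches(item, observed[key]) else "FAILED"
```

With the page's own example (value_data: 12) the same item fails against the 7-day default, which is the difference between an exact DWORD and a RANGE.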