
KERBEROS_POLICY

This policy item checks for the values defined in “Security Settings -> Account Policies -> Kerberos Policy”.

The check is performed by calling the NetUserModalsGet function at level 1.

Usage

<custom_item>

type: KERBEROS_POLICY

description: ["description"]

value_type: [VALUE_TYPE]

value_data: [value]

(optional) check_type: [value]

kerberos_policy: [KERBEROS_POLICY_TYPE]

</custom_item>

This item uses the kerberos_policy field to specify which element of the Kerberos policy must be audited. The allowed types are:

  • USER_LOGON_RESTRICTIONS (“Enforce user logon restrictions”)

    value_type: POLICY_SET

    value_data: "Enabled" or "Disabled"

  • SERVICE_TICKET_LIFETIME (“Maximum lifetime for service ticket”)

    value_type: TIME_MINUTE

    value_data: DWORD or RANGE [time in minutes]

  • USER_TICKET_LIFETIME (“Maximum lifetime for user ticket”)

    value_type: TIME_HOUR

    value_data: DWORD or RANGE [time in hours]

  • USER_TICKET_RENEWAL_LIFETIME (“Maximum lifetime for user renewal ticket”)

    value_type: TIME_DAY

    value_data: DWORD or RANGE [time in days]

  • CLOCK_SYNCHRONIZATION_TOLERANCE (“Maximum tolerance for computer clock synchronization”)

    value_type: TIME_MINUTE

    value_data: DWORD or RANGE [time in minutes]

Note: The Kerberos policy can only be checked against a KDC (Key Distribution Center), which, under Windows, is usually a Domain Controller.

Example

<custom_item>

type: KERBEROS_POLICY

description: "Maximum lifetime for user renewal ticket"

value_type: TIME_DAY

value_data: 12

kerberos_policy: USER_TICKET_RENEWAL_LIFETIME

</custom_item>
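
A pre-scan lint for the allowed-types list above, added here as an example and not part of the product documentation: it parses custom_item blocks and reports any KERBEROS_POLICY item whose value_type or value_data does not match what this page lists for its kerberos_policy. The names lint_kerberos_items and item are hypothetical, and the [low..high] spelling of a RANGE is an assumption, since this page does not show how a RANGE is written.

```python
import re

EXPECTED = {  # kerberos_policy type -> required value_type, per this page
    "USER_LOGON_RESTRICTIONS": "POLICY_SET",
    "SERVICE_TICKET_LIFETIME": "TIME_MINUTE",
    "USER_TICKET_LIFETIME": "TIME_HOUR",
    "USER_TICKET_RENEWAL_LIFETIME": "TIME_DAY",
    "CLOCK_SYNCHRONIZATION_TOLERANCE": "TIME_MINUTE",
}
ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
FIELD_RE = re.compile(r"^[ \t]*(\w+)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)
# Assumption: a RANGE is written [low..high]; MIN and MAX are allowed as bounds.
NUMERIC_RE = re.compile(r"\d+|\[(MIN|\d+)\.\.(MAX|\d+)\]")

def lint_kerberos_items(audit_text):
    """Return (description, problem) for every malformed KERBEROS_POLICY item."""
    problems = []
    for body in ITEM_RE.findall(audit_text):
        f = dict(FIELD_RE.findall(body))
        if f.get("type") != "KERBEROS_POLICY":
            continue  # other custom_item types are out of scope here
        desc = f.get("description", "").strip('"')
        want = EXPECTED.get(f.get("kerberos_policy"))
        data = f.get("value_data", "")
        if want is None:
            problems.append((desc, "unknown kerberos_policy"))
        elif f.get("value_type") != want:
            problems.append((desc, "value_type must be " + want))
        elif want == "POLICY_SET" and data not in ('"Enabled"', '"Disabled"'):
            problems.append((desc, 'value_data must be "Enabled" or "Disabled"'))
        elif want != "POLICY_SET" and not NUMERIC_RE.fullmatch(data):
            problems.append((desc, "value_data must be a DWORD or a RANGE"))
    return problems

def item(desc, value_type, data, policy):
    """Build one custom_item in the layout shown under Usage (constructed input)."""
    return ("<custom_item>\n type: KERBEROS_POLICY\n"
            f' description: "{desc}"\n value_type: {value_type}\n'
            f" value_data: {data}\n kerberos_policy: {policy}\n</custom_item>\n")

# Constructed sample: the page's example, one valid range, two authoring mistakes.
SAMPLE = (item("renewal", "TIME_DAY", "12", "USER_TICKET_RENEWAL_LIFETIME")
          + item("skew", "TIME_MINUTE", "[1..5]", "CLOCK_SYNCHRONIZATION_TOLERANCE")
          + item("service", "TIME_HOUR", "600", "SERVICE_TICKET_LIFETIME")
          + item("logon", "POLICY_SET", "Yes", "USER_LOGON_RESTRICTIONS"))

if __name__ == "__main__":
    for desc, problem in lint_kerberos_items(SAMPLE):
        print(desc + ": " + problem)
```
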

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.