

This policy item checks for the values defined in “Security Settings -> Account Policies -> Kerberos Policy”.

The check is performed by calling the function NetUserModalsGet with level 1.




description: ["description"]

value_type: [VALUE_TYPE]

value_data: [value]

(optional) check_type: [value]

kerberos_policy: [KERBEROS_POLICY_TYPE]


This item uses the kerberos_policy field to describe which element of the Kerberos policy must be audited. The allowed types are:

  • USER_LOGON_RESTRICTIONS (“Enforce user logon restrictions”)

    value_type: POLICY_SET

    value_data: "Enabled" or "Disabled"

  • SERVICE_TICKET_LIFETIME (“Maximum lifetime for service ticket”)

    value_type: TIME_MINUTE

    value_data: DWORD or RANGE [time in minutes]

  • USER_TICKET_LIFETIME (“Maximum lifetime for user ticket”)

    value_type: TIME_HOUR

    value_data: DWORD or RANGE [time in hours]

  • USER_TICKET_RENEWAL_LIFETIME (“Maximum lifetime for user renewal ticket”)

    value_type: TIME_DAY

    value_data: DWORD or RANGE [time in days]

  • CLOCK_SYNCHRONIZATION_TOLERANCE (“Maximum tolerance for computer clock synchronization”)

    value_type: TIME_MINUTE

    value_data: DWORD or RANGE [time in minutes]

Note: The Kerberos policy can only be checked against a KDC (Key Distribution Center), which, under Windows, is usually a Domain Controller.




description: "Maximum lifetime for user renewal ticket"

value_type: TIME_DAY

value_data: 12
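
The following Python linter is an added example, not Tenable's code: it checks that an item's value_type and value_data match the kerberos_policy type table above before the audit file is used. The names parse_item, lint_item and SAMPLE are hypothetical, SAMPLE is constructed, and the `[low..high]` RANGE form is an assumption because this page does not show the RANGE syntax.

```python
import re

# kerberos_policy type -> required value_type, from the table on this page
KERBEROS_TYPES = {
    "USER_LOGON_RESTRICTIONS": "POLICY_SET",
    "SERVICE_TICKET_LIFETIME": "TIME_MINUTE",
    "USER_TICKET_LIFETIME": "TIME_HOUR",
    "USER_TICKET_RENEWAL_LIFETIME": "TIME_DAY",
    "CLOCK_SYNCHRONIZATION_TOLERANCE": "TIME_MINUTE",
}
REQUIRED = ("description", "value_type", "value_data", "kerberos_policy")
# Assumption: RANGE is written [low..high]; the page does not show the syntax.
RANGE_RE = re.compile(r"^\[(\d+)\.\.(\d+)\]$")
# Constructed sample: the page's example plus an explicit kerberos_policy line.
SAMPLE = '''description: "Maximum lifetime for user renewal ticket"
value_type: TIME_DAY
value_data: 12
kerberos_policy: USER_TICKET_RENEWAL_LIFETIME'''

def parse_item(text):
    """Turn 'key: value' lines into a dict, dropping surrounding quotes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip().strip('"')
    return fields

def lint_item(fields):
    """Return a list of problems; an empty list means the item is consistent."""
    problems = [f"missing field: {n}" for n in REQUIRED if n not in fields]
    if problems:
        return problems
    expected = KERBEROS_TYPES.get(fields["kerberos_policy"])
    if expected is None:
        return [f"unknown kerberos_policy: {fields['kerberos_policy']}"]
    if fields["value_type"] != expected:
        problems.append(f"value_type must be {expected}")
    data = fields["value_data"]
    if expected == "POLICY_SET":
        if data not in ("Enabled", "Disabled"):
            problems.append("value_data must be Enabled or Disabled")
    else:
        m = RANGE_RE.match(data)
        if m and int(m.group(1)) > int(m.group(2)):
            problems.append("RANGE lower bound exceeds upper bound")
        elif not m and not data.isdigit():
            problems.append("value_data must be a DWORD or RANGE")
    return problems
```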



Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.