Hello Everyone, my name is Zoheb Shaikh and I’m a Solution Engineer working with Microsoft Mission Critical team (SfMC). Today I’ll share with you some FAQs on KRBTGT reset.
Recently I had couple of customers asking many questions on KRBTGT account password reset and Microsoft’s recommendations for this, in this article I will list these questions and provide my responses which will address many queries you may have.
Before we deep dive into details let’s have a brief on what’s KRBTGT and its use briefly.
KRBTGT: KRB stands for Kerberos and TGT is Ticket Granting Ticket. In simple words during Kerberos Authentication process TGTs are issued to users, services or accounts requesting access to resources, these TGT’s are encrypted by cryptographic key which is derived from the password of the Key Distribution Center's (KDC) account (KRBTGT), this key is known only by the Kerberos service. Since this is the account which encrypts TGTs it becomes extremely important to secure and monitor (More details on How Kerberos works are here).
The KRBTGT account is a domain default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, account name cannot be changed, and it cannot be enabled in Active Directory.
For information about name forms and addressing conventions, see RFC 4120 .
Coming back to customer queries, our customer wanted to know what Microsoft’s recommendation on resetting KRBTGT is regularly and had various queries on whether this can create an impact.
Why do organizations reset KRBTGT password?
Typically, KRBTGT resets might be performed during compromise recovery scenarios of Active Directory on recommendations from Microsoft DART team/Microsoft Compromise Recovery Team, following a set procedure after ensuring all back doors are closed.
Some organizations might reset KRBTGT password based on recommendations from 3rd party Auditors also.
It is important to remember that resetting the KRBTGT is only one part of a recovery strategy and alone will likely not prevent a previously successful attacker from obtaining unauthorized access to a compromised environment in the future. We strongly advise that customers create a comprehensive recovery plan using guidance found in the white paper of Mitigating Pass the Hash Attacks and Other Credential Theft.
What are Microsoft Recommendations on KRBTGT Reset?
There is no specific recommendation regarding password reset for the KRBTGT account.
Although you can reset it periodically even without any indicators of compromise, you should plan the interval of resets for your organization taking into considerations your backup schedules, operational procedures, security requirements, etc.
However, that is a separate discussion to have, and we are more over going to discuss what exactly happens during a KRBTGT reset and few other queries which came up when discussed this with one of our Mission Critical customers.
FAQs on KRBTGT Reset:
Note: Terms KRB1, KRB2 and KRBOLD used below is only for explanation purposes.
Special thanks to my SfMC colleague Ahmed Badr and others at CIS Tech Community for proof reading and suggestions.
Hope this helps,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.