Kerberos & Active Directory Security

This applies to Windows only.

The following security considerations should be taken into account when configuring Kerberos with Active Directory.
  • Require Kerberos pre-authentication for the Kerberos service account in Active Directory. (It is required by default; the per-account option "Do not require Kerberos preauthentication" turns it off.) With pre-authentication enabled, a request for a Ticket Granting Ticket (TGT) must carry a timestamp encrypted with the client's key, so the Key Distribution Center (KDC) rejects requests from anyone who does not know the account's password. If pre-authentication is disabled, the KDC answers any unauthenticated request: the TGT itself is encrypted with the KDC's key and is useless without it, but the reply also contains data encrypted with the account's password-derived key, which an attacker can capture and crack offline (AS-REP roasting). Unauthenticated requests are also cheap to generate, so the KDC can be flooded with thousands of them as a Denial of Service.
  • Do not enable Kerberos delegation for the service account. Delegation allows an application to reuse the end user's identity to obtain tickets for resources hosted on a different server, so a compromised service account with delegation rights can act as any user who authenticates to it. Leave "Trust this user for delegation" unset and mark the account as "sensitive and cannot be delegated" so that other services cannot delegate its identity either.
  • Lock down the Kerberos service's user account. Apply a policy that prevents the account from logging on to any machine, for example the Group Policy user rights "Deny log on locally", "Deny log on through Remote Desktop Services" and "Deny access to this computer from the network", or a "Log On To" workstation restriction. The service only needs the keytab to decrypt incoming service tickets, which is not a logon, so this does not affect it. This ensures that anyone who gains access to the keytab file cannot use the credentials in that file to log on to a computer. It does not make a stolen keytab harmless: the key in it still decrypts service tickets issued for the service, so if the keytab is exposed, reset the account password and regenerate the keytab.
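The three checks above can be audited and enforced from PowerShell with the RSAT ActiveDirectory module. The script below is an added example and not part of this page or of the product's own tooling; it assumes an account with rights to modify the service account, and the account name `svc-kerberos` and the placeholder host name `NO-LOGON-ALLOWED` are assumptions to replace with your own values.

```powershell
# Added example (not the page's own code): audit and harden a Kerberos service account in AD.
# Assumes the RSAT ActiveDirectory module and rights to modify the account.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-kerberos'   # placeholder: the account the keytab was generated for

$props = 'DoesNotRequirePreAuth', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'AccountNotDelegated', 'msDS-AllowedToDelegateTo', 'LogonWorkstations', 'ServicePrincipalNames'
$acct = Get-ADUser -Identity $ServiceAccount -Properties $props

# 1. Pre-authentication. The flag is inverted: $true means pre-auth is DISABLED (AS-REP roastable).
if ($acct.DoesNotRequirePreAuth) {
    Write-Warning "$ServiceAccount does not require Kerberos pre-authentication; enabling it"
    Set-ADAccountControl -Identity $ServiceAccount -DoesNotRequirePreAuth $false
}

# 2. Delegation. Unconstrained (TrustedForDelegation), protocol transition (TrustedToAuthForDelegation)
#    and constrained (msDS-AllowedToDelegateTo) must all be off. AccountNotDelegated marks the account
#    "sensitive and cannot be delegated" so other services cannot delegate this identity either.
if ($acct.TrustedForDelegation -or $acct.TrustedToAuthForDelegation -or $acct.'msDS-AllowedToDelegateTo') {
    Write-Warning "$ServiceAccount has Kerberos delegation enabled; disabling it"
    Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    Set-ADUser -Identity $ServiceAccount -Clear 'msDS-AllowedToDelegateTo'
}
if (-not $acct.AccountNotDelegated) {
    Set-ADAccountControl -Identity $ServiceAccount -AccountNotDelegated $true
}

# 3. Logon restriction. The keytab only needs to decrypt service tickets, which is not a logon, so
#    the account never needs to log on anywhere. "Log On To" with a host that does not exist blocks
#    logon to every real host (placeholder name, an assumption); pair it with the GPO
#    "Deny log on ..." user rights for defence in depth.
if (-not $acct.LogonWorkstations) {
    Set-ADUser -Identity $ServiceAccount -LogonWorkstations 'NO-LOGON-ALLOWED'
}

# Report the resulting state so the change can be verified.
Get-ADUser -Identity $ServiceAccount -Properties $props |
    Select-Object SamAccountName, DoesNotRequirePreAuth, TrustedForDelegation,
                  TrustedToAuthForDelegation, AccountNotDelegated, LogonWorkstations, ServicePrincipalNames
```

Run the audit against every account that carries a keytab, not just one. If the service itself runs as this account under the Windows Service Control Manager rather than using only the keytab, do not add "Deny log on as a service" to the deny rights, or the service will fail to start; the other deny rights and the workstation restriction do not interfere with a service that authenticates purely through its keytab.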