Home
  •  

KRBTGT Password Last Set Monitor

Microsoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitor (UnitMonitor)

Monitors the krbtgt password to make sure that it was changed within the configured threshold.

Knowledge Base article:

Summary

Monitor that checks the pwdLastSet attribute of the krbtgt account and compares it to a threshold for age. The pwdLastSet attribute marks the date that the password was last set.

Resetting the krbtgt account password is a security best practice. A stolen krbtgt account password can wreak havoc on an organization because it can be used to impersonate authentication throughout the organization thereby giving an attacker access to sensitive data.

One way to help mitigate the risk of a bad actor using a compromised krbtgt key to forge user tickets is by periodically resetting the krbtgt account password. Resetting this password on a regular basis reduces the useful lifetime of krbtgt keys, in case one or more of them is compromised.

Configuration

Interval default Once a day (86,400 sec).

Threshold default is 90 days.

Causes

Possible causes include the following:

Resolutions

Reset the password of the krbtgt account.

External

Element properties:

TargetMicrosoft.Windows.Server.AD.DomainMemberPerspective
Parent MonitorSystem.Health.SecurityState
CategoryCustom
EnabledTrue
Alert GenerateTrue
Alert SeverityMatchMonitorHealth
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitortype
RemotableFalse
AccessibilityPublic
Alert Message
The KRBTGT Password Last Set monitor has failed. The password is older than the configured threshold.
{0}
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitor" Accessibility="Public" Enabled="true" Target="AD!Microsoft.Windows.Server.AD.DomainMemberPerspective" ParentMonitorID="SystemHealth!System.Health.SecurityState" Remotable="false" Priority="Normal" TypeID="Microsoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitortype" ConfirmDelivery="false">

  <Category>Custom</Category>

  <AlertSettings AlertMessage="Microsoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitor.AlertMessage">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>MatchMonitorHealth</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/Property[@Name='ErrorString']$</AlertParameter1>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="KrbtgtPasswordLastSetOK" MonitorTypeStateID="KrbtgtPasswordLastSetOK" HealthState="Success"/>

    <OperationalState ID="KrbtgtPasswordLastSetWarn" MonitorTypeStateID="KrbtgtPasswordLastSetWarn" HealthState="Warning"/>

  </OperationalStates>

  <Configuration>

    <IntervalSeconds>86400</IntervalSeconds>

    <TimeoutSeconds>300</TimeoutSeconds>

    <Threshold>90</Threshold>

  </Configuration>

</UnitMonitor>