Monitors the krbtgt password to make sure that it was changed within the configured threshold.
Monitor that checks the pwdLastSet attribute of the krbtgt account and compares it to a threshold for age. The pwdLastSet attribute marks the date that the password was last set.
Resetting the krbtgt account password is a security best practice. A stolen krbtgt account password can wreak havoc on an organization because it can be used to impersonate authentication throughout the organization thereby giving an attacker access to sensitive data.
One way to help mitigate the risk of a bad actor using a compromised krbtgt key to forge user tickets is by periodically resetting the krbtgt account password. Resetting this password on a regular basis reduces the useful lifetime of krbtgt keys, in case one or more of them is compromised.
Interval default Once a day (86,400 sec).
Threshold default is 90 days.
Possible causes include the following:
Password age of the krbtgt account has exceeded the threshold.
Reset the password of the krbtgt account.
Target | Microsoft.Windows.Server.AD.DomainMemberPerspective | ||
Parent Monitor | System.Health.SecurityState | ||
Category | Custom | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | MatchMonitorHealth | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitortype | ||
Remotable | False | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitor" Accessibility="Public" Enabled="true" Target="AD!Microsoft.Windows.Server.AD.DomainMemberPerspective" ParentMonitorID="SystemHealth!System.Health.SecurityState" Remotable="false" Priority="Normal" TypeID="Microsoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitortype" ConfirmDelivery="false">
<Category>Custom</Category>
<AlertSettings AlertMessage="Microsoft.Windows.AD.DomainMemberPerspective.Security.KrbtgtPasswordLastSet.Monitor.AlertMessage">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>MatchMonitorHealth</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/Property[@Name='ErrorString']$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="KrbtgtPasswordLastSetOK" MonitorTypeStateID="KrbtgtPasswordLastSetOK" HealthState="Success"/>
<OperationalState ID="KrbtgtPasswordLastSetWarn" MonitorTypeStateID="KrbtgtPasswordLastSetWarn" HealthState="Warning"/>
</OperationalStates>
<Configuration>
<IntervalSeconds>86400</IntervalSeconds>
<TimeoutSeconds>300</TimeoutSeconds>
<Threshold>90</Threshold>
</Configuration>
</UnitMonitor>