365labs - Microsoft 365 and cybersecurity consultancy


Should I reset the KRBTGT password in my Active Directory domain?

We were reading and discussing the below Reddit post about taking down Active Directory because they applied a CIS Security Baseline to their environment. This got us thinking about resetting the KRBTGT password. Does anyone do it? What are the implications of not doing so in an Active Directory domain environment? And so on.

Should I reset the KRBTGT password in my Active Directory domain?

The tl;dr: yes, you should, and Microsoft recommends doing so at least every 180 days.


Does anyone do it?

It’s hard to put a number on it or even estimate it. Fair to say it will be a very small percentage.

What is it and what are the implications?

The KRBTGT account is a built-in account in Active Directory that is used to encrypt and sign Kerberos tickets. The KRBTGT password is used to generate the keys that are used to encrypt and sign the tickets, and it is essential to the security of the Active Directory environment.

If the KRBTGT password is not reset regularly, it increases the risk of a security breach. If an attacker gains access to the KRBTGT password, they can create valid Kerberos tickets for any user in the domain, and use these tickets to gain access to resources on the network.

Some of the implications of not resetting the KRBTGT password regularly in an Active Directory domain environment include:

  1. Increased risk of privilege escalation attacks: If an attacker gains access to the KRBTGT password, they can create tickets with elevated privileges and gain access to sensitive resources on the network.

  2. Increased risk of lateral movement: Once an attacker has gained access to one system, they can use the KRBTGT password to move laterally through the network and gain access to other systems and resources.

  3. Increased risk of data theft: An attacker with access to the KRBTGT password can potentially steal sensitive data from the network, including user credentials and other sensitive information.

  4. Increased risk of system compromise: If an attacker can compromise the KRBTGT account, they may be able to modify or delete Active Directory objects, disrupt domain operations, or carry out other malicious activities.

Regularly resetting the KRBTGT password is essential for maintaining the security of your Active Directory domain environment. Therefore, Microsoft recommends resetting the KRBTGT password at least every 180 days.

How can I do it?

Firstly, ensure you have good backups.

Secondly, check your domain and forest function levels and consider raising them to the highest levels, where appropriate and without breaking anything.

Get-ADForest | Format-Table Name, ForestMode
Get-ADDomain | Format-Table Name, DomainMode

For example, to raise the domain functional level to Windows Server 2016 (the highest at the time of writing):

Set-ADDomainMode -identity 365labs.uk -DomainMode Windows2016Domain

and then to raise the forest functional level to Windows Server 2016 (again the highest):

Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Forest

Ensure replication has completed, then download the KRBTGT password reset script from GitHub.

Then run the script and follow the prompts. It is sensible to run it in simulation mode first.

.\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1

Again, wait for replication to occur (or force it) and check for any replication errors. Then check the PasswordLastSet attribute on all domain controllers:

(Get-AdDomainController -Filter * | ForEach-Object {Get-AdUser krbtgt -Server $_.Name -Properties PasswordLastSet}).PasswordLastSet

Should I run it twice to remove the history?

If this is the first time the KRBTGT password has been changed then it is sensible to reset the password again 24 hours later once the replication has completed and with no errors. This ensures the password history is overwritten.
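As an added example that is not part of the original post or of the Microsoft reset script, the following PowerShell extends the PasswordLastSet check above into a status report: it queries every writable domain controller, flags DCs that disagree (replication not yet converged) or cannot be reached, reports the password age against the 180-day guidance, and states whether the 24-hour wait before the second reset has elapsed. It assumes the ActiveDirectory module and rights to read the krbtgt account on each DC; the function name and the thresholds are my own.

```powershell
# Added example (not the 365labs post's or Microsoft's code).
# Reports the KRBTGT password state across all writable DCs so you can decide
# whether a reset is overdue and whether it is safe to run the second reset.
Import-Module ActiveDirectory

function Get-KrbtgtResetStatus {
    param(
        [int]$MaxAgeDays = 180,          # Microsoft's recommended maximum interval
        [int]$SecondResetWaitHours = 24  # wait between first and second reset
    )
    $now = Get-Date

    # Ask each writable DC directly; RODCs hold their own krbtgt_<id> accounts.
    $perDc = foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        try {
            $u = Get-ADUser krbtgt -Server $dc.HostName -Properties PasswordLastSet
            [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet; Error = $null }
        } catch {
            # An unreachable DC means we cannot confirm replication converged.
            [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $null; Error = $_.Exception.Message }
        }
    }

    $reachable = @($perDc | Where-Object { $null -ne $_.PasswordLastSet })
    $distinct  = @($reachable.PasswordLastSet | Sort-Object -Unique).Count
    $newest    = $reachable.PasswordLastSet | Sort-Object -Descending | Select-Object -First 1

    [pscustomobject]@{
        PerDC                  = $perDc
        # All DCs answered and all report the same PasswordLastSet value.
        ReplicationConsistent  = ($distinct -eq 1 -and $reachable.Count -eq @($perDc).Count)
        AgeDays                = if ($newest) { [math]::Round(($now - $newest).TotalDays, 1) } else { $null }
        OverdueForReset        = if ($newest) { ($now - $newest).TotalDays -gt $MaxAgeDays } else { $true }
        # Only run the second reset once this is true AND ReplicationConsistent is true.
        SecondResetWaitElapsed = if ($newest) { ($now - $newest).TotalHours -ge $SecondResetWaitHours } else { $false }
    }
}

$status = Get-KrbtgtResetStatus
$status.PerDC | Format-Table DC, PasswordLastSet, Error -AutoSize
$status | Select-Object ReplicationConsistent, AgeDays, OverdueForReset, SecondResetWaitElapsed
```

If ReplicationConsistent is false, investigate with repadmin before performing the second reset; a DC still holding the old key is exactly the situation the 24-hour wait is meant to avoid.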

Should I schedule this every 180 days?

Probably not. This is best completed manually as part of the sysadmin's regular maintenance routine.

Need more information? Check out a Microsoft blog post on this topic: KRBTGT Account Password Reset Scripts now available for customers - Microsoft Security Blog
