ISM-1847

Credentials for the Kerberos Key Distribution Center’s service account (KRBTGT) are changed twice, allowing for replication to all Microsoft Active Directory Domain Services domain controllers in-between each change, if:
• the domain has been directly compromised
• the domain is suspected of being compromised
• they have not been changed in the past 12 months.

Topic: Changing credentials
Applicable to: all
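
The following is an added example, not part of the ISM text: a read-only PowerShell check of the two conditions the control depends on, the age of the KRBTGT credentials and whether the last change has replicated to every domain controller before a second change is made. It assumes the RSAT ActiveDirectory module, treats "12 months" as 365 days, and covers writable domain controllers only.

```powershell
# Added example: read-only audit for the KRBTGT credential-change control.
# Assumptions: ActiveDirectory (RSAT) module installed; run by an account
# with read access to the domain; "12 months" approximated as 365 days.
Import-Module ActiveDirectory

$maxAgeDays = 365

# 1. Age of the current KRBTGT credentials.
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays

# 2. Replication state of the last change on every writable DC.
#    RODCs use their own krbtgt_<id> accounts and are out of scope here.
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$report = foreach ($dc in $dcs) {
    try {
        $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                    -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
        [pscustomobject]@{
            DomainController = $dc.HostName
            Reachable        = $true
            Version          = $meta.Version
            LastChange       = $meta.LastOriginatingChangeTime
        }
    } catch {
        # An unreachable DC means replication cannot be confirmed.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Reachable        = $false
            Version          = $null
            LastChange       = $null
        }
    }
}

# The change has converged only if every DC answered with the same version.
$versions  = @($report | Where-Object Reachable |
                 Select-Object -ExpandProperty Version -Unique)
$converged = ($report.Reachable -notcontains $false) -and ($versions.Count -eq 1)

$report | Format-Table -AutoSize
[pscustomobject]@{
    PasswordLastSet     = $krbtgt.PasswordLastSet
    AgeDays             = $ageDays
    OlderThan12Months   = $ageDays -gt $maxAgeDays
    ReplicatedToAllDCs  = $converged
}
```

`ReplicatedToAllDCs` should be true after the first change before the second change is performed; a false value points to an unreachable domain controller or one still holding the earlier version.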

History

Mar 2023
Credentials for the Kerberos Key Distribution Center’s service account (KRBTGT) are changed twice, allowing for replication to all Microsoft Active Directory Domain Services domain controllers in-between each change, if:
• the domain has been directly compromised
• the domain is suspected of being compromised
• they have not been changed in the past 12 months.
A new control was added covering changing the credentials for the Kerberos Key Distribution Center’s service account (KRBTGT) at least twice, allowing for replication to all Microsoft AD DS domain controllers in-between each change, when a domain has been directly compromised, when a domain is suspected of being compromised or when the credentials haven’t been changed in the past 12 months.