(07)專案管理 » 01_外部專案

N bookmark20250526231504779653815004 "Krbtgt Password Unchanged for over 1 year

" A stale krbtgt password enables Golden Ticket attacks, letting attackers forge Kerberos tickets to impersonate any user, including admins, and maintain persistent, undetected domain access. The longer it goes unchanged, the greater the risk of widespread compromise. "To renew the Kerberos keys used to encrypt TGTs, it is necessary to manually change the krbtgt account password annually . It is recommended to perform this change using the script provided by Microsoft .  

The password change must be performed twice to be effective.

It is noteworthy that any operation to change the password of the krbtgt account must be performed only in an Active Directory environment where replication between domain controllers is nominal. Therefore, it is essential to wait a period before the second password change.

It is also possible to manually reset the krbtgt account password , in the same way as for a regular account. If the provided script is not used, it is recommended to leave at least 24 hours between the two changes and to ensure effective replication between domain controllers. A strategy could be to perform a single password change every 6 months, in order to guarantee an effective annual change.

"