Kerberos Hardening
AD Without Eternal Admin Rights
In network security, structure beats improvisation: clear paths, fewer privileges, and explicit trust boundaries.
For Kerberos Hardening, privilege cleanup and trust hygiene deliver the greatest reduction in impact.
This limits not only the chance of incidents, but especially the scope and duration when something goes wrong.
Immediate measures (15 minutes)
Why this matters
The core of Kerberos Hardening is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.
Defense: Hardening Kerberos
Protection against Kerberoasting and AS-REP Roasting
| Measure | Implementation | Effect |
|---|---|---|
| Strong passwords for service accounts | Minimum 25+ characters, random | Cracking becomes infeasible |
| gMSA (Group Managed Service Accounts) | Automatic password management | 120+ character passwords, auto-rotation |
| AES-only Kerberos | Disable RC4 via GPO | Slows down cracking (AES is heavier) |
Reducing delegation risks
| Measure | Implementation | Effect |
|---|---|---|
| Protected Users group | Add sensitive accounts | Prevents delegation |
| Account is sensitive | Set NOT_DELEGATED flag |
Per-account delegation block |
| Machine Account Quota = 0 | ms-DS-MachineAccountQuota to 0 |
Blocks RBCD fake account |
| Remove Unconstrained Delegation | Switch to Constrained or RBCD | Prevents TGT harvesting |
| Disable Print Spooler | On Domain Controllers | Blocks Printer Bug |
Against Ticket Forgery
| Measure | Implementation | Effect |
|---|---|---|
| Rotate krbtgt password | Regularly (and 2x during incident) | Invalidates Golden/Diamond Tickets |
| PAC validation | Enable on services | Detects forged PACs |
| Credential Guard | On all endpoints | Protects cached credentials |
| AES-only encryption | Disable RC4 | Tightens encryption requirements |
| Short ticket lifetimes | Reduce maximum TGT lifetime | Limits usability of stolen tickets |
Monitoring
Essential Event IDs for Kerberos detection:
| Event ID | Source | What it detects |
|---|---|---|
| 4768 | DC Security Log | AS-REQ (TGT request) |
| 4769 | DC Security Log | TGS-REQ (Service Ticket request) |
| 4770 | DC Security Log | TGT renewal |
| 4771 | DC Security Log | Kerberos pre-auth failure |
| 4624 | Target Security Log | Logon event (Type 3 = network) |
| 5136 | DC Security Log | Directory Service Changes (ACL) |
Detection patterns:
Note: Many of these detections require advanced SIEM correlation. A single event is rarely suspicious -- it's the pattern that reveals the attack. And recognizing patterns requires knowing what to look for.
The cynical closing words
"Kerberos. A protocol from 1988. Nineteen eighty-eight! Reagan was president, the Berlin Wall was still standing, and nobody had a mobile phone. And this protocol protects the networks of the world's largest companies today.
Is it bad? No, it's brilliant. The problem is not the protocol -- the problem is the people who implement it. It's like giving a Stradivarius violin to someone who plays Twinkle Twinkle Little Star. The instrument is not the problem.
Look at Kerberoasting. The intention is that service accounts have strong passwords. But no, someone creates an account with the password 'Winter2019!' and that account is still running five years later, on a production server, with Domain Admin privileges. Why? Because nobody is responsible. The person who created the account has left. The person managing the server doesn't know the account exists. And the person doing security doesn't have the budget to do anything about it.
And then there's Unconstrained Delegation. 'Let's give this server the right to act on behalf of everyone. Everyone. Without restriction. What could go wrong?' That's like giving an employee the company credit card and saying: 'Here, use it for whatever you want.' And three months later you wonder why there's a subscription to six streaming services and an order for three hundred pool noodles.
But the best part? The very best part is the Golden Ticket. You steal a hash -- not even a password, a hash -- and you have access to everything forever. Not to a server. Not to an application. To everything. And the only way to stop it is to reset a password twice that nobody ever directly uses. The krbtgt account. An account without an inbox, without a desk chair, without a Christmas bonus -- but with the key to the entire kingdom.
You know, in real life this would be a national scandal. Imagine the government saying: 'There is a key that opens all government buildings, and if someone steals it, we can't change it.' Parliament would explode. But in IT? In IT we say: 'That's on the roadmap for Q3.' And Q3 becomes Q4. And Q4 becomes 'next year.' And next year becomes 'never.'
Kerberos is not the problem. We are the problem."
Kerberos Defense Tree
This tree shows the typical progression of a Kerberos attack: from a regular domain user account via credential harvesting and lateral movement to full domain compromise.
In practice, the path is rarely this linear. You combine techniques from Chapter 7 (ACL abuse, DCSync, MSSQL) with techniques from this chapter. BloodHound is your map and visualizes the risk paths.
Next chapter: we leave the Windows world and dive into the art of lateral movement -- how you hop from system to system like a digital parkour athlete, with techniques such as PSRemoting, WMI, DCOM, and more.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- Firewalls — the bouncer that doesn't stop everything
- Network segmentation — why you shouldn't connect everything to everything
- DNS — the phone book that holds the internet together
- Logging and monitoring — the security cameras of your IT environment
- Zero Trust — trust no one, not even yourself
You need an account to access the knowledge base. Log in or register.
Related security measures
These articles provide additional context and depth:
