KRBTGT Account Password Reset – Security risk or operational risk?

February 15, 2018

no comments


KRBTGT known as Key Distribution Center Service Account object whose Responsible for the service core of Active Directory.

Now days we expose to so many cyber-attacks which include query and manipulation on KRBTGT user.


Pretty popular attack is golden ticket.

Once an attacker has gained access to the KRBTGT account password hash,

The attacker can create Golden Tickets.

It is important to understand that any existing Golden Tickets will no longer be validate for use after changing the KRBTGT password twice rapidly.

What would cause a lack of use existing tickets and removes the attacker ability to create valid Golden Tickets with their KRBTGT.



KRBTGT Account Password Reset is a very painful procedure but Must be done.

There are other reasons why we need to reset/change KRBTGT password:

  • Forest Recovery
  • Flip to domain functional mode.
  • Checking for replication on KRBTGT – if not equal on all DCS. (Comparison across pwdLastSet attribute)




How often we need to reset KRBTGT user’s password to prevent from attacker to use our hashes?

planning our infrastructure domain with security aspects, Requires of us an understanding that KRBTGT need to be manage by 2 branches:

1. System Administrators for any domain / forest operations.

2. Security Administrators to prevent creating golden tickets & other identity theft credentials usages.


The 2 branches above need to be consider and implemented, there is risks in both sides.



Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>