Re: Reset password on 'krbtgt' account?

From: Mark Gamache (mark.gamache_at_css-security.com)
Date: 02/03/05


Date: Wed, 2 Feb 2005 17:33:39 -0800

I'm actually dying to hear the official MS answer.

Here's mine. Don't touch it. It is the service account for your Kerberos
KDC. It is managed by AD. It is already a strong random password by
default.

Cheers,

-- 
Mark Gamache
Certified Security Solutions
http://www.css-security.com

"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message 
news:%23V7PsCVCFHA.2572@tk2msftngp13.phx.gbl...
> We noticed that in our Child Domain (part of an Active Directory Forest), 
> that the 'krbtgt' account is Disabled.  Can we safely Reset the Password 
> on this account to something long and complex?
>
>
>
> 

