Creating a Ticket Expiration Policy
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
It is important to establish reasonable lifetimes for tickets in your organization. Ticket lifetimes must be short enough to prevent attackers from cracking the cryptography that protects the ticket’s stored credentials. However, ticket lifetimes must also be long enough to be convenient for users and to ensure that requests for new tickets do not overload the network.
Creating a ticket expiration policy involves setting the following options in the Default Domain Group Policy object.
Maximum lifetime for user ticket
This setting indicates the amount of time for which a ticket is valid before it expires. Generally, it is best if the Maximum Lifetime for User Ticket setting reflects the average amount of time that users access their computers in one day. This is set to 10 hours in the Default Domain Group Policy object. At the end of the ticket lifetime, the user either obtains a new ticket or renews the existing ticket. This process is performed transparently by the computer, but each ticket request or renewal produces network traffic and domain controller loading.
A short maximum ticket lifetime provides greater security but also increases network traffic. A long maximum ticket lifetime decreases network traffic but does not provide the same level of security.
Maximum lifetime for service ticket
This setting usually matches the established user ticket lifetime. It might be shorter, however, if there is a need in your organization for secure authentication to services beyond what is required for user authentication. It might be longer if users require uninterrupted access to services for long periods of time. For example, you might need to extend the ticket lifetime if your users run jobs that have a duration that is longer than the duration of the user ticket lifetime. If you do not have any special requirements for service ticket lifetime, do not extend the lifetime of the ticket.
The maximum service ticket lifetime must be greater than 10 minutes and less than or equal to the Maximum Lifetime for User Ticket setting. By default, this value is set to 600 minutes (10 hours) in the Default Domain Group Policy object (GPO). Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires before the operation is complete.
Maximum lifetime for user ticket renewal
This setting determines the period of time (in days) during which a user’s ticket-granting ticket (TGT) can be renewed. By default, this is set to seven days in the Default Domain GPO. Shorter renewal times make it easier to require users to reauthenticate in the event that you suspect that there has been a security breach. An attacker with a renewable user ticket can continue to renew that ticket for as long as the policy allows. Shortening renewal times makes an attacker’s task more difficult, but it also increases the authentication load on domain controllers.