Require Kerberos Pre-Authentication for User Accounts
Every user account must prove it knows its password before a domain controller will hand out Kerberos ticket material that an attacker could crack offline.
Plain language
This control means that every user account in the organisation must have Kerberos pre-authentication enabled. In plain terms, when a computer asks the domain controller for a Kerberos ticket on a user's behalf, it first has to prove it knows that user's password (it sends the current time encrypted with a key derived from the password). Without that check, anyone on the network can ask for a ticket in a user's name, receive data encrypted with that user's password, and try to crack it offline at their leisure. This matters because it closes off an easy route to unauthorised access: imagine if someone could break into your email or work systems by guessing at your password in bulk, on their own machine, without ever triggering a lockout. Users see no extra prompt; the protection is entirely between the computer and the domain controller.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
User accounts require Kerberos pre-authentication.
Why it matters
Without Kerberos pre-authentication, anyone who can reach a domain controller can request a ticket-granting ticket for a user and receive an AS-REP whose session-key portion is encrypted with a key derived from that user's password. That blob can be cracked offline, with no lockout and no further contact with the domain (AS-REP roasting), risking unauthorised access to sensitive data.
Operational notes
Enforce Kerberos pre-authentication on all user accounts by clearing the "Do not require Kerberos preauthentication" account option (the UF_DONT_REQUIRE_PREAUTH bit, 0x400000, in userAccountControl), and regularly audit Active Directory to detect any account that has the flag set again. Treat setting the flag as a change that needs a documented justification and an expiry.
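The audit and remediation step above, as an added example that is not part of the ISM or of this page: it lists every user object with the UF_DONT_REQUIRE_PREAUTH bit set, writes the list out as a dated CSV (a ready-made evidence artefact for the audit section below) and, once reviewed, clears the flag. It assumes the ActiveDirectory RSAT module on a domain-joined host with rights to read, and for remediation write, userAccountControl; the function names are this example's own.

```powershell
# Added example (not from the ISM or the Control Stack page). Assumes the
# ActiveDirectory RSAT module and a domain-joined host with rights to read
# userAccountControl and, for remediation, to write it.
Import-Module ActiveDirectory

# UF_DONT_REQUIRE_PREAUTH is bit 0x400000 (4194304) of userAccountControl.
$DontRequirePreAuth = 0x400000

function Get-PreAuthDisabledUsers {
    # LDAP matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so this
    # returns every user object with the flag set, whether enabled or not.
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DontRequirePreAuth)" `
        -Properties userAccountControl, Enabled, LastLogonDate, MemberOf |
        Select-Object SamAccountName, Enabled, LastLogonDate,
            @{Name = 'UAC';        Expression = { '0x{0:X}' -f $_.userAccountControl }},
            @{Name = 'GroupCount'; Expression = { $_.MemberOf.Count }}
}

function Set-PreAuthRequired {
    param([Parameter(ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        # Set-ADAccountControl flips the single UAC bit without disturbing the others.
        Set-ADAccountControl -Identity $SamAccountName -DoesNotRequirePreAuth $false
        Write-Output "Pre-authentication now required for $SamAccountName"
    }
}

# Audit: the dated CSV is the artefact to hand to the assessor.
$findings = Get-PreAuthDisabledUsers
$findings | Export-Csv -NoTypeInformation -Path ".\preauth-disabled-$(Get-Date -Format yyyyMMdd).csv"
$findings | Format-Table -AutoSize

# Remediate: uncomment after the system owner has reviewed the findings.
# $findings | Set-PreAuthRequired
```

Review the CSV before remediating: a disabled account with the flag set is low risk but still noise for the next audit, while an enabled, highly-grouped account is the one an attacker would roast first.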
Implementation tips
- IT team should configure Kerberos pre-authentication for all user accounts. This means clearing the "Do not require Kerberos preauthentication" option on each account in Active Directory (think of it as the phonebook for your company's computers and users) so that the domain controller only issues ticket material once the client has proved it knows the password.
- Managers should ensure that the IT team has the resources and time to set up Kerberos pre-authentication. They can do this by scheduling regular check-ins to track progress and address any blockers.
- System owners should verify that Kerberos pre-authentication is enforced by working with the IT team to conduct tests. Because the check happens between the client and the domain controller, there is no extra prompt to look for; instead confirm that no account carries the "Do not require Kerberos preauthentication" flag and that a ticket request sent without pre-authentication data is refused (KDC_ERR_PREAUTH_REQUIRED) rather than answered with ticket material.
- IT team should communicate the change to employees and application owners. For ordinary users the sign-in experience does not change, and the guide should say so; any application or service account that had the flag set for compatibility reasons must be identified and tested before the flag is cleared.
- System administrators should monitor and review Kerberos authentication logs regularly. On the domain controllers, Event ID 4768 (a Kerberos authentication ticket was requested) records the Pre-Authentication Type; a successful 4768 with type 0 means a ticket was issued without pre-authentication and should be investigated, including who requested it and from which address.
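The monitoring step above, as an added example that is not part of the ISM or of this page: it pulls Event ID 4768 from a domain controller's Security log, parses the EventData fields and keeps only successful ticket requests whose Pre-Authentication Type is 0, which is the signature of an AS-REP handed out without proof of the password. It assumes "Audit Kerberos Authentication Service" is enabled on the domain controllers and that the caller can read the Security log; the function name and parameters are this example's own.

```powershell
# Added example (not from the ISM or the Control Stack page). Assumes the
# Security log is readable (elevated, or a member of Event Log Readers) and that
# "Audit Kerberos Authentication Service" success/failure auditing is enabled on
# the domain controllers. Run on a DC, or point -ComputerName at one.
param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

function Get-PreAuthBypassTgtRequests {
    param([string]$ComputerName, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # 4768 carries its fields as <Data Name="...">value</Data> elements.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d.TargetUserName
                Client      = $d.IpAddress -replace '^::ffff:', ''
                PreAuthType = $d.PreAuthType          # 0 = none, 2 = PA-ENC-TIMESTAMP
                Status      = $d.Status               # 0x0 = ticket issued
                EType       = $d.TicketEncryptionType # 0x17 = RC4-HMAC
            }
        } |
        # A successful TGT with PreAuthType 0 means the KDC returned an AS-REP with
        # no proof of the password: exactly what AS-REP roasting needs. Failures with
        # status 0x19 (KDC_ERR_PREAUTH_REQUIRED) are the normal first round trip of a
        # pre-auth-enforcing exchange and are deliberately left out.
        Where-Object { $_.PreAuthType -eq '0' -and $_.Status -eq '0x0' }
}

$hits = Get-PreAuthBypassTgtRequests -ComputerName $ComputerName -Hours $Hours
if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
    # Roasting tools usually ask for RC4 because it is the cheapest etype to crack.
    $hits | Where-Object EType -eq '0x17' |
        ForEach-Object { Write-Warning "RC4 AS-REP without pre-auth for $($_.User) from $($_.Client)" }
} else {
    Write-Output "No TGTs issued without pre-authentication in the last $Hours hours on $ComputerName."
}
```

Once every account requires pre-authentication, this query should return nothing; any hit is either an account that has regained the flag (feed it back into the audit) or an attacker-controlled request against such an account, and the client address tells you which host to look at first.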
Audit / evidence tips
- Ask: the Active Directory settings change report.
  Good: a report showing that Kerberos pre-authentication is enabled for all accounts, with no user object carrying the "Do not require Kerberos preauthentication" flag.
- Ask: a demonstration of the control in effect.
  Good: the demonstration shows the domain controller refusing a ticket request that carries no pre-authentication data (KDC_ERR_PREAUTH_REQUIRED) instead of returning ticket material.
- Ask: the logs from monitored authentication attempts.
  Good: log review shows no successful Event ID 4768 with Pre-Authentication Type 0 and no unusual or unauthorised access occurrences.
- Ask: the communications plan.
  Good: plan includes emails, training sessions and helpful guides explaining the change, including that users should see no difference at sign-in and which application accounts were checked for dependence on the old setting.
- Ask: the test results of the newly implemented pre-authentication requirement.
  Good: outcome shows successful tests with no critical errors.
Cross-framework mappings
How ISM-1836 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | ISM-1836 requires Kerberos pre-authentication to be enforced for user accounts to strengthen authentication and prevent certain Kerberos-... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.