Regularly Change KRBTGT Credentials for Security
Change KRBTGT credentials twice annually or after a suspected domain compromise.
Plain language
This control is all about regularly updating the credentials for a special account called KRBTGT, which plays a key role in managing access in your computer network. Think of it as making sure your master key is changed regularly so that if someone unwanted gets hold of an older key, they can't use it forever. If you don't do this, intruders might keep accessing your systems undetected, leading to data leaks or costly downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Changing Credentials
Official control statement
Credentials for the Kerberos Key Distribution Center's service account (KRBTGT) are changed twice, allowing for replication to all Microsoft AD DS domain controllers in-between each change, if the domain has been directly compromised, the domain is suspected of being compromised or they have not been changed in the past 12 months.
Why it matters
If KRBTGT credentials aren’t changed, attackers can forge Kerberos tickets (Golden Ticket) and retain persistent domain admin access.
Operational notes
If the domain is compromised or suspected of being compromised, reset KRBTGT twice, waiting for AD replication to reach every domain controller between the two resets; otherwise rotate at least every 12 months. Two resets are needed because the KDC still accepts tickets protected with the previous KRBTGT key, so a single reset leaves any forged tickets usable until the second one lands.
Implementation tips
- The IT team should schedule the KRBTGT credential update twice a year. They can do this by setting reminders in their calendar and conducting the change systematically, ensuring all domain controllers are updated with the new credential to prevent any access issues.
- System administrators should monitor for any signs of suspicious activity or a potential breach. If any indications are found, they should promptly perform an additional KRBTGT credential update to limit any potential damage.
- The IT manager should develop a clear internal guideline document that outlines the process for changing the KRBTGT credentials. They should ensure that all relevant staff are familiar with this procedure through regular training sessions.
- The security team should review and test the credential update process in a controlled environment. They should simulate a breach to ensure that the response plan, including credential rotation, works effectively and doesn't inadvertently disrupt normal operations.
- Business owners should communicate the importance of this process to their staff, outlining potential impacts of a security breach. Helping non-technical staff understand the 'why' promotes cooperation and support during credential changes.
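The following PowerShell is an added example, not code from the Control Stack page or from ASD: it audits how old the KRBTGT password is on each writable domain controller (the evidence an assessor would ask for) and performs one reset, then waits until every DC reports the new PasswordLastSet before returning, which is the replication gap the control requires between the two resets. It assumes the ActiveDirectory module, Domain Admin rights, and that the reset is run from the PDC emulator; `Get-KrbtgtPasswordAge`, `Reset-KrbtgtOnce` and the 365-day threshold are this example's own choices.

```powershell
# Added example (not the page's own code). Audits the krbtgt password age per
# writable DC and performs ONE reset with a replication wait. Run the reset
# twice, letting the convergence check succeed in between, to satisfy ISM-1847.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    # One row per writable DC, read from that DC so replication lag is visible.
    Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
        $u = Get-ADUser -Identity krbtgt -Server $_.HostName -Properties PasswordLastSet
        $age = (Get-Date) - $u.PasswordLastSet
        [pscustomobject]@{
            DC              = $_.HostName
            PasswordLastSet = $u.PasswordLastSet
            AgeDays         = [int]$age.TotalDays
            Overdue         = $age.TotalDays -gt 365   # assumption: 12-month rule from the control
        }
    }
}

function Reset-KrbtgtOnce {
    param([int]$TimeoutMinutes = 60)
    $pdc    = (Get-ADDomain).PDCEmulator
    $before = (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    # AD generates its own random krbtgt password; the cmdlet still needs a SecureString.
    $rnd = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset `
        -NewPassword (ConvertTo-SecureString $rnd -AsPlainText -Force)
    $after = (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    if ($after -le $before) { throw "Reset on $pdc did not change PasswordLastSet" }
    Write-Host "krbtgt reset on $pdc at $after; waiting for replication..."
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        # A DC still holding the old pwdLastSet has not received the new key yet.
        $lagging = Get-KrbtgtPasswordAge | Where-Object { $_.PasswordLastSet -lt $after }
        if (-not $lagging) { Write-Host "All writable DCs converged."; return $true }
    } while ((Get-Date) -lt $deadline)
    Write-Warning ("Not yet replicated to: " + ($lagging.DC -join ', '))
    return $false
}

# Audit view: the per-DC change record an assessor would expect to see.
Get-KrbtgtPasswordAge | Format-Table -AutoSize
# Uncomment for ONE reset; run again after convergence for the second reset.
# Reset-KrbtgtOnce
```

Keep the audit output with the change log, since it shows both the date of each reset and that every DC received it.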
Audit / evidence tips
- Ask: the KRBTGT credential change log. Request documents that show when and how the KRBTGT credentials were changed.
  Good: shows at least two changes each year, clearly documented with dates and authorised by the IT manager.
- Ask: incident response reports, specifically those following a security alert that prompted a KRBTGT change.
  Good: includes timely rotations post-incident with a detailed explanation of actions taken and outcomes.
- Ask: the internal IT guidelines on KRBTGT credential updates. Review the document for clarity on the process and roles involved.
  Good: is a clear, concise guide that aligns with the Australian Cyber Security Centre’s (ACSC) standards.
- Ask: to see training records for staff involved in credential rotation.
  Good: will have attendance records and training materials from sessions conducted at least twice a year.
- Ask: evidence of environment testing. Request documentation of any test scenarios for credential update procedures.
  Good: shows regular testing with documented results and a process for implementing improvements.
Cross-framework mappings
How ISM-1847 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-RA-ML2.5 | ISM-1847 requires organisations to change the KRBTGT service account credentials twice (with replication between changes) when compromise... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.