| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-225006 | CAT II | MONT-VSF-004 | Microsoft Windows Server 2016 Security T... | The password for the krbtgt account on a domain mu... | - | |||
Check TextThis requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding. Fix TextReset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl
Scan Date: 2026-01-14T12:57:30.046447
Technology Area: Windows Operating System
|
||||||||
| V-225006 | CAT II | MONT-VSF-003 | Microsoft Windows Server 2016 Security T... | The password for the krbtgt account on a domain mu... | - | |||
Check TextThis requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding. Fix TextReset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl
Scan Date: 2026-01-14T12:57:31.534241
Technology Area: Windows Operating System
|
||||||||
| V-225006 | CAT II | MONT-MB-002 | Microsoft Windows Server 2016 Security T... | The password for the krbtgt account on a domain mu... | - | |||
Check TextThis requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding. Fix TextReset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl
Scan Date: 2026-01-14T12:57:33.842838
Technology Area: Windows Operating System
|
||||||||
| V-225006 | CAT II | MONT-DP-001 | Microsoft Windows Server 2016 Security T... | The password for the krbtgt account on a domain mu... | - | |||
Check TextThis requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding. Fix TextReset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl
Scan Date: 2026-01-14T12:57:35.637816
Technology Area: Windows Operating System
|
||||||||
| V-225006 | CAT II | MONT-DC-003 | Microsoft Windows Server 2016 Security T... | The password for the krbtgt account on a domain mu... | - | |||
Check TextThis requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding. Fix TextReset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A1B26E1C537A3E85A12A28DA9FDE737C46F6408D ~~~~~ Name: krbtgt SID: S-1-5-21-1360995287-4027491577-3040029667-502 PasswordLastSet: 10/16/2025 18:22:14 (6 days)
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl
Scan Date: 2026-01-14T12:57:37.248886
Technology Area: Windows Operating System
|
||||||||
| V-225006 | CAT II | MONT-DB-002 | Microsoft Windows Server 2016 Security T... | The password for the krbtgt account on a domain mu... | - | |||
Check TextThis requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding. Fix TextReset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl
Scan Date: 2026-01-14T12:57:39.082634
Technology Area: Windows Operating System
|
||||||||
| V-225006 | CAT II | MONT-BE-002 | Microsoft Windows Server 2016 Security T... | The password for the krbtgt account on a domain mu... | - | |||
Check TextThis requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding. Fix TextReset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl
Scan Date: 2026-01-14T12:57:41.363810
Technology Area: Windows Operating System
|
||||||||
| V-225006 | CAT II | MONT-AP-002 | Microsoft Windows Server 2016 Security T... | The password for the krbtgt account on a domain mu... | - | |||
Check TextThis requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding. Fix TextReset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl
Scan Date: 2026-01-14T12:57:42.721079
Technology Area: Windows Operating System
|
||||||||