This is something worth mentioning. In the times of Pass-the-Hash credential theft, Golden Tickets and mitigating the risks around Kerberos authentication, Microsoft has released a very helpful script to automate things. The script resets the password of the krbtgt account. This in effect invalidates and reduces the lifetime of issued Kerberos tickets. This, in turn, mitigates the risks involved in a situation where a ticket is possibly compromised. This doesn’t prevent the attacker from gaining access to your domain again, so this is by no means any sort of all-in-one solution.
I tried this in my enterprise scale lab (2 DC’s, 5 servers, 3 clients :)) with no problems. Very helpful and a great chance to learn something. Go on, try it out. But be aware, in a production environment, make sure you know what you are doing. Otherwise, you might end up bringing your entire domain to its knees. There’s a Word document describing the usage, so make sure to read that. There’s also no harm in taking a peek in the actual script as it seems to have no rocket science in it.
Get the goods in the blog post by Tim Rains in the Cyber Trust Blog.