Q: Why is it important to reset the password of the KRBTGT Active Directory (AD) account when a domain controller (DC) is compromised?
A: In case you aren't familiar with the KRBTGT account, the following briefly summarizes what it is used for. Kerberos authentication (the default Windows authentication protocol since Windows 2000) uses session tickets that are encrypted with a symmetric key derived from the password of the service a user or computer wants to access. To request a session ticket, a user or computer must present a special ticket, called the Ticket Granting Ticket (TGT), to the Kerberos Key Distribution Center (KDC). (In Windows, the KDC service runs on every DC.) The TGT is encrypted with a key that's derived from the password of the KRBTGT account, which is known only by the KDC service.
If a DC has been compromised, it's possible that the KRBTGT password hash has been stolen and is being used by an attacker to gain access to other domain and forest data. There are attack tools (e.g., mimikatz) that can use the password hash stored in the KRBTGT account to forge arbitrary but valid Kerberos tickets.
To reset the KRBTGT account's password, you can use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. To do so, open the snap-in, navigate to the Users organizational unit (OU), and locate the KRBTGT account. Right-click the account and click Reset Password. Finally, leave the User must change password at next logon option unchecked, enter the new password twice, and click OK.
It's also a best practice to reset the KRBTGT account password twice. This is because the KRBTGT account keeps only the two most recent passwords in its password history. Resetting the password twice clears the history completely and invalidates any malicious Kerberos tickets that were protected with the previous passwords.
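As an added example that is not part of the original answer, the same double reset scripted with the RSAT ActiveDirectory PowerShell module instead of the snap-in. The function names New-RandomPassword, Reset-KrbtgtPassword and Wait-KrbtgtReplication are my own; it assumes the module is installed and the session runs with Domain Admin rights.

```powershell
# Added example, not from the original answer. Assumes the RSAT ActiveDirectory
# module is installed and the session holds Domain Admin rights.
Import-Module ActiveDirectory

# Originate both writes on the PDC emulator so there is a single source of truth.
$pdc = (Get-ADDomain).PDCEmulator

function New-RandomPassword {
    # 32 random bytes from the OS CSPRNG, Base64-encoded (44 characters). Nobody
    # needs to know this value; only the KDC uses the key derived from it.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtPassword {
    param([Parameter(Mandatory)][string]$Server)
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    # -Reset sets the password without needing the old one (same as "Reset Password"
    # in the snap-in); "user must change password at next logon" stays unset.
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure -Server $Server
    return (Get-ADUser krbtgt -Properties PasswordLastSet -Server $Server).PasswordLastSet
}

function Wait-KrbtgtReplication {
    param([Parameter(Mandatory)][datetime]$Expected)
    # Poll every writable DC until its copy of krbtgt shows the new PasswordLastSet.
    # A DC that still holds the old key would reject TGTs issued under the new one,
    # so do not perform the second reset before every DC has the first.
    do {
        $lagging = Get-ADDomainController -Filter * | Where-Object {
            (Get-ADUser krbtgt -Properties PasswordLastSet -Server $_.HostName).PasswordLastSet -ne $Expected
        }
        if ($lagging) {
            Write-Host ("Waiting for: " + ($lagging.HostName -join ', '))
            Start-Sleep -Seconds 60
        }
    } while ($lagging)
}

$first = Reset-KrbtgtPassword -Server $pdc
Write-Host "First reset done, PasswordLastSet = $first"
Wait-KrbtgtReplication -Expected $first

# Second reset: pushes the pre-incident password out of the two-entry history,
# so tickets forged with the stolen hash are no longer accepted by any DC.
$second = Reset-KrbtgtPassword -Server $pdc
Write-Host "Second reset done, PasswordLastSet = $second"
```

Run it during a maintenance window: TGTs issued before the first reset stay valid only until the second reset replicates, after which clients simply re-authenticate.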