Kerberos is not capable of preventing replay attacks.
True
False
To prevent replay attacks, Kerberos uses the concept of timestamps. The use of timestamps does not completely prevent replay attacks. This question isn't definitive. I would change the question to read "Kerberos can prevent replay attacks - T/F" and make it true; the explanation would read: while it can prevent replay attacks because of the timestamp, it does not completely stop or eliminate them.
A replay attack occurs when an intruder steals a packet from the network and forwards that packet to a service or application as if the intruder was the user who originally sent the packet. When the packet is an authentication packet, the intruder can use the replay attack to authenticate on another person's behalf and consequently access that person's resources or data.
To protect against replay attacks, the Kerberos authentication protocol uses the concept of an authenticator. A Kerberos authenticator is embedded in the Kerberos protocol exchanges that occur between the authenticating client and the authentication server (in Windows, the domain controller, or DC). It holds additional authentication data, such as the ticket lifetime and, most importantly, the client's timestamp. When the Kerberos logic on a DC or resource server validates a Kerberos authentication message, it always checks the authenticator's timestamp. If the timestamp is earlier than or the same as that of a previous authenticator, the server-side Kerberos logic rejects the packet because it considers it part of a replay attack, and user authentication fails. The Kerberos server-side logic also compares the timestamp in the authenticator to the local server time. If the timestamp in the authenticator isn't within five minutes of the time on the server, it also rejects the packet. These five minutes are referred to as the Kerberos time skew. In Windows, the time skew defaults to five minutes, but you can change this value if desired. To do so, you use the Maximum tolerance for computer clock synchronization Group Policy Object (GPO) setting, located in the GPO folder Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
All this explains why it has become very important to keep the computer clocks synchronized in a Windows Active Directory (AD) forest, starting with Windows 2000 (when Kerberos became the default Windows authentication protocol). For that purpose, Windows includes the Windows Time service, which is crucial to the proper functioning of the Kerberos authentication services. To keep the system clocks on all computers in a Windows domain within five minutes of each other, the Windows Time service uses the Network Time Protocol (NTP). Windows versions prior to Windows Server 2003 use the Simple Network Time Protocol (SNTP), which is the predecessor of NTP.
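The two server-side checks described above, the five-minute skew window and the comparison against the client's previous authenticator, as an added example written for this page (not Kerberos implementation code or Skillset material). The Authenticator class, the KerberosServer class, the principal name and the server clock value are constructed for illustration; the error names KRB_AP_ERR_SKEW and KRB_AP_ERR_REPEAT are the RFC 4120 codes a real KDC or service returns for these failures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(minutes=5)   # the five-minute Kerberos time skew described above

@dataclass(frozen=True)
class Authenticator:
    """Constructed stand-in for the authenticator fields that matter here."""
    client: str        # client principal (constructed value in demo)
    ctime: datetime    # client's timestamp, tz-aware UTC

class KerberosServer:
    """Server-side validation: skew window plus per-client timestamp ordering."""

    def __init__(self, skew: timedelta = MAX_CLOCK_SKEW):
        self.skew = skew
        self._last_seen: dict[str, datetime] = {}   # client -> newest accepted ctime

    def validate(self, auth: Authenticator, server_now: datetime) -> tuple[bool, str]:
        # Check 1: the client's timestamp must lie within the skew window of the
        # server clock in either direction (client clock fast or slow).
        drift = abs(server_now - auth.ctime)
        if drift > self.skew:
            return False, f"KRB_AP_ERR_SKEW: off by {int(drift.total_seconds())}s"
        # Check 2: a timestamp earlier than or equal to this client's previous
        # authenticator is treated as a replay, as the explanation above states.
        # (RFC 4120's replay cache rejects identical authenticators; this
        # ordering rule is a stricter variant of that check.)
        last = self._last_seen.get(auth.client)
        if last is not None and auth.ctime <= last:
            return False, "KRB_AP_ERR_REPEAT: authenticator not newer than the last one"
        self._last_seen[auth.client] = auth.ctime
        return True, "accepted"

def demo() -> list[bool]:
    """Feed constructed authenticators to one server; return accept/reject flags."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed server clock
    alice = "alice@EXAMPLE.COM"                                  # constructed principal
    srv = KerberosServer()
    first = Authenticator(alice, now - timedelta(seconds=10))
    cases = [
        first,                                              # fresh -> accepted
        first,                                              # captured and resent -> replay
        Authenticator(alice, now - timedelta(seconds=20)),  # older than last -> replay
        Authenticator(alice, now - timedelta(minutes=6)),   # outside 5-minute skew -> reject
        Authenticator(alice, now + timedelta(minutes=2)),   # fast clock, inside skew -> accepted
    ]
    return [srv.validate(a, now)[0] for a in cases]   # [True, False, False, False, True]
```

The fourth case is the one the Windows Time service exists to prevent: a client whose clock has drifted past the skew window is rejected even though it is not an attacker.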