Kerberos Zero Standing Privilege: Eliminating Permanent Admin Accounts for Stronger Security
Kerberos Zero Standing Privilege (ZSP) is the practice of eliminating permanent privileged accounts in Kerberos-based authentication. Instead of accounts with ongoing elevated rights, privileges are granted only when needed and revoked immediately after use. This shrinks the window for compromise from months to minutes.
Standing privileges are dangerous because Kerberos tickets can be stolen and reused. Golden Ticket attacks exploit ticket-granting tickets (TGTs) tied to high-privilege accounts. If those accounts are always active, attackers have unlimited time to move laterally through the network. ZSP neutralizes this by ensuring privileged Kerberos credentials are ephemeral.
Implementing Kerberos ZSP involves integrating just-in-time privilege elevation with your Key Distribution Center (KDC). Service accounts and admin roles are created dynamically and destroyed after a task is complete. This requires automation tied to policy enforcement, so no manual clean-up is missed. Logs and audits confirm when and how privilege was granted, preventing stealthy persistence.
Kerberos ZSP also hardens against pass-the-ticket attacks. When privileged tickets do not exist outside of controlled workflows, attackers cannot replay them. This reduces reliance on periodic password rotations or ticket lifetimes alone, offering a stricter, event-based security perimeter.
Security teams should combine Kerberos ZSP with multi-factor authentication, strict KDC configuration, and real-time monitoring of ticket requests. Privileges should be issued through a secure broker that enforces identity verification before provisioning.
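The two preceding pieces, a just-in-time broker that grants and automatically revokes privilege with an audit trail, and monitoring that checks privileged ticket activity against what the broker actually sanctioned, can be modelled together. The following is an added example written for this article; it is not hoop.dev's code and does not touch a real KDC. The role name, the change references, the timestamps and the ticket-activity records are all constructed, and the `find_unsanctioned_privileged_tickets` check is an illustrative correlation, not a specific product feature.

```python
"""Toy just-in-time (JIT) privilege broker with an audit ledger, plus a
monitor that flags privileged ticket activity outside any active grant.
Added example for this article; not hoop.dev's code. All names,
timestamps and events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

PRIVILEGED_ROLE = "Domain Admins"  # assumed name of the protected role


def ts(hhmm: str) -> datetime:
    """Timestamp on a fixed constructed day, e.g. ts('09:05')."""
    return datetime.fromisoformat(f"2024-01-15T{hhmm}:00+00:00")


@dataclass
class Grant:
    principal: str
    role: str
    granted_at: datetime
    expires_at: datetime
    change_ref: str                      # change/ticket reference (constructed)
    revoked_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        end = self.revoked_at or self.expires_at
        return self.granted_at <= when < min(end, self.expires_at)


class JitBroker:
    """Issues time-boxed role grants and records every decision it makes."""

    def __init__(self, max_ttl: timedelta = timedelta(minutes=30)):
        self.max_ttl = max_ttl           # policy ceiling on any single grant
        self.grants: List[Grant] = []
        self.audit: List[dict] = []

    def _log(self, now, event, principal, role, **extra):
        self.audit.append({"time": now.isoformat(), "event": event,
                           "principal": principal, "role": role, **extra})

    def request(self, principal, role, change_ref, mfa_verified, now, ttl=None):
        # Identity verification happens before anything is provisioned.
        if not mfa_verified:
            self._log(now, "deny", principal, role, reason="mfa_required")
            raise PermissionError(f"{principal}: MFA required before {role} is provisioned")
        ttl = min(ttl or self.max_ttl, self.max_ttl)   # policy caps, never extends
        grant = Grant(principal, role, now, now + ttl, change_ref)
        self.grants.append(grant)
        self._log(now, "grant", principal, role,
                  expires=grant.expires_at.isoformat(), change_ref=change_ref)
        return grant

    def revoke(self, grant, now, reason="task_complete"):
        if grant.revoked_at is None:
            grant.revoked_at = now
            self._log(now, "revoke", grant.principal, grant.role, reason=reason)

    def sweep(self, now) -> List[Grant]:
        """Automated clean-up: revoke every grant whose TTL has lapsed."""
        lapsed = [g for g in self.grants if g.revoked_at is None and g.expires_at <= now]
        for g in lapsed:
            self.revoke(g, g.expires_at, reason="ttl_expired")
        return lapsed

    def has_active_grant(self, principal, role, when) -> bool:
        return any(g.principal == principal and g.role == role and g.active_at(when)
                   for g in self.grants)


def find_unsanctioned_privileged_tickets(broker, ticket_events):
    """Flag privileged ticket activity not covered by an active grant.
    Each event is a constructed dict with 'time', 'account' and 'role'."""
    return [e for e in ticket_events
            if e["role"] == PRIVILEGED_ROLE
            and not broker.has_active_grant(e["account"], e["role"], ts(e["time"]))]


def demo():
    broker = JitBroker()
    # alice proves MFA and receives 30 minutes of the role for a change (constructed)
    g = broker.request("alice", PRIVILEGED_ROLE, "CHG-0042", mfa_verified=True, now=ts("09:00"))
    broker.revoke(g, ts("09:20"))          # task finished early; privilege withdrawn at once
    try:                                   # bob never completed MFA: denied and logged
        broker.request("bob", PRIVILEGED_ROLE, "CHG-0043", mfa_verified=False, now=ts("09:05"))
    except PermissionError:
        pass
    # carol asks for 4 hours; policy caps it to 30 minutes (09:10 to 09:40)
    broker.request("carol", PRIVILEGED_ROLE, "CHG-0044", mfa_verified=True,
                   now=ts("09:10"), ttl=timedelta(hours=4))
    broker.sweep(ts("10:00"))              # scheduled clean-up removes the lapsed grant

    # Constructed privileged ticket activity as a monitor might observe it
    events = [
        {"time": "09:05", "account": "alice", "role": PRIVILEGED_ROLE},  # inside grant
        {"time": "09:25", "account": "alice", "role": PRIVILEGED_ROLE},  # after revoke
        {"time": "09:15", "account": "bob",   "role": PRIVILEGED_ROLE},  # never granted
        {"time": "09:30", "account": "carol", "role": PRIVILEGED_ROLE},  # inside capped TTL
        {"time": "09:45", "account": "carol", "role": PRIVILEGED_ROLE},  # after TTL
        {"time": "09:45", "account": "dave",  "role": "Domain Users"},   # unprivileged
    ]
    return broker, find_unsanctioned_privileged_tickets(broker, events)


if __name__ == "__main__":
    broker, flagged = demo()
    for e in flagged:
        print("unsanctioned privileged ticket:", e)
    for entry in broker.audit:
        print(entry)
```

Three events are flagged: alice after her grant was revoked, bob who was denied, and carol after her capped TTL lapsed. Every grant, denial and revocation is in the audit ledger with the reason, which is what lets the monitor distinguish sanctioned privileged activity from a standing or stolen privileged credential.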
The benefits are clear: reduced attack surface, faster incident response, and compliance alignment with least privilege principles. Static accounts fade out. Ephemeral privileges become the norm.
Stop giving attackers a standing key to your systems. See Kerberos Zero Standing Privilege in action with hoop.dev and deploy it in minutes.