Remove SPNs and Fix Kerberoasting
This article covers defensive remediation of Kerberoasting in Active Directory environments. Kerberoasting abuses standard Kerberos behavior: any authenticated domain user can request a service ticket (ST) for any registered SPN, and that ticket is encrypted with a key derived from the target service account's password (its NTLM hash, for RC4-HMAC tickets). When an SPN is assigned to a user account, the ticket can be cracked offline against a human-chosen password; computer accounts are not a practical target because they use 120-char random passwords. The guide walks through auditing SPN usage via Event ID 4769 (Kerberos service ticket requests), safely removing unused SPNs via setspn or ADUC, and enumerating all user-account SPNs with PowerShell. As an alternative to removal, setting long randomly-generated service account passwords renders cracking computationally infeasible, while least privilege reduces the blast radius if a hash is ever cracked.
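The three defensive steps summarized above (enumerate user-account SPNs, audit Event ID 4769 for RC4 service-ticket requests, and remove an SPN that is no longer needed) as one added PowerShell example. This is not code from the article; it assumes the ActiveDirectory RSAT module, read access to the Security log on a domain controller, and the function names `Get-UserAccountSpnReport`, `Get-RC4ServiceTicketRequests` and `Remove-UserSpn`, which are this example's own.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (RSAT) and rights to read the Security log on a domain controller.
Import-Module ActiveDirectory

function Get-UserAccountSpnReport {
    # Every user object carrying an SPN is Kerberoastable; krbtgt is excluded
    # because its SPN cannot be removed (it is handled by KRBTGT password rotation).
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf |
    ForEach-Object {
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'   # null/unset -> 0
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            SpnCount        = @($_.servicePrincipalName).Count
            # Old passwords on SPN'd user accounts are the main cracking risk.
            PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            # Bit 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256. An unset value
            # means the KDC may still issue RC4 tickets for this account.
            AesOnly         = [bool]($enc -band 0x18) -and -not [bool]($enc -band 0x4)
            # SPNs on highly privileged accounts deserve removal first (blast radius).
            PrivilegedGroups = @($_.MemberOf | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators),' }).Count
            SPNs            = ($_.servicePrincipalName -join '; ')
        }
    }
}

function Get-RC4ServiceTicketRequests {
    param([int]$Hours = 1, [int]$Threshold = 5)
    # 4769 = "A Kerberos service ticket was requested". Successful RC4 (0x17)
    # tickets for user-account SPNs are the ones that can be cracked offline;
    # one requester pulling tickets for many distinct services in a short
    # window is the pattern worth alerting on. Computer-account SPNs show a
    # ServiceName ending in '$' and are filtered out as low value.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requester = $d.TargetUserName
            Service   = $d.ServiceName
            EncType   = $d.TicketEncryptionType
            Status    = $d.Status
            ClientIp  = $d.IpAddress
        }
    } |
    Where-Object { $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
                   $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
    Group-Object Requester |
    ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        [pscustomobject]@{
            Requester        = $_.Name
            DistinctServices = $services.Count
            ClientIps        = (@($_.Group.ClientIp | Sort-Object -Unique) -join ', ')
            Services         = ($services -join '; ')
            Suspicious       = $services.Count -ge $Threshold
        }
    } | Sort-Object DistinctServices -Descending
}

function Remove-UserSpn {
    # Equivalent to 'setspn -D <SPN> <account>' but verifies the SPN is really
    # registered on that account first and honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Spn
    )
    $current = (Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName).servicePrincipalName
    if ($current -notcontains $Spn) { throw "SPN '$Spn' is not registered on $SamAccountName" }
    if ($PSCmdlet.ShouldProcess($SamAccountName, "remove SPN $Spn")) {
        Set-ADUser -Identity $SamAccountName -ServicePrincipalNames @{ Remove = $Spn }
    }
}

# Usage (run from an elevated session on a domain controller):
#   Get-UserAccountSpnReport | Sort-Object PrivilegedGroups, PasswordAgeDays -Descending | Format-Table -AutoSize
#   Get-RC4ServiceTicketRequests -Hours 24 | Where-Object Suspicious | Format-Table -AutoSize
#   Remove-UserSpn -SamAccountName svc_legacy -Spn 'HTTP/legacyapp.corp.example' -WhatIf
```

Before removing an SPN, cross-check the 4769 output for the account over a realistic window (weeks, not hours): a service that is still in use will show legitimate ticket requests for that SPN, and deleting it breaks Kerberos authentication to that service. Accounts the report flags with `AesOnly = $false` and an old password are the ones to rotate to a long random password or convert to a group Managed Service Account if the SPN must stay.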