One Day Sec

How can organizations defend against Kerberoasting attacks?

Defenses include using strong, complex passwords for service accounts, rotating them regularly, and avoiding the use of highly privileged domain user accounts to run services. Additionally, enabling AES encryption for Kerberos tickets (instead of RC4) makes cracking the tickets harder, and monitoring for unusual volumes of TGS (service ticket) requests can detect an attack in progress. For related defensive measures, see Domain Penetration - Implementation of Pass The Hash and Penetration Techniques - Remote Registry in Windows.
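As an added example (not code from this page or from One Day Sec), the following Python sketch turns the monitoring advice above into a concrete check: it scans pre-parsed Windows Security event 4769 (Kerberos service ticket request) records for any account that obtains RC4-encrypted tickets for several distinct services within a short window, and reports what share of requests still use RC4 as a migration metric for the AES recommendation. The record field names and sample data are constructed; the event ID and encryption type codes are the standard Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; 0x11/0x12 are AES128/AES256

def _ev(ts, user, spn, etype, ip="10.0.0.5"):
    """Build one pre-parsed 4769 record (constructed; field names follow the event's XML)."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample records: alice burst-requests RC4 tickets for several SPNs,
# bob uses AES normally, carol makes a single RC4 request.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:01", "alice@CORP.LOCAL", "svc_sql", "0x17"),
    _ev("2024-05-01T09:00:02", "alice@CORP.LOCAL", "svc_web", "0x17"),
    _ev("2024-05-01T09:00:02", "alice@CORP.LOCAL", "svc_backup", "0x17"),
    _ev("2024-05-01T09:00:03", "alice@CORP.LOCAL", "WS01$", "0x17"),
    _ev("2024-05-01T09:00:04", "alice@CORP.LOCAL", "svc_print", "0x17"),
    _ev("2024-05-01T09:10:00", "bob@CORP.LOCAL", "svc_sql", "0x12"),
    _ev("2024-05-01T10:30:00", "bob@CORP.LOCAL", "svc_web", "0x12"),
    _ev("2024-05-01T11:00:00", "carol@CORP.LOCAL", "svc_sql", "0x17"),
]

def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_distinct_spns=3):
    """Return {requester: sorted SPNs} for requesters that obtained RC4 service
    tickets for at least `min_distinct_spns` distinct services within `window`.
    Computer accounts (name ends with $) and krbtgt are skipped as noise."""
    by_user = defaultdict(list)
    for e in events:
        spn = e["ServiceName"]
        if e["TicketEncryptionType"].lower() != RC4_HMAC or spn.endswith("$") or spn == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), spn))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide a window starting at each request
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_distinct_spns:
                hits[user] = sorted(spns)
                break
    return hits

def rc4_share(events):
    """Fraction of 4769 requests still using RC4: a migration metric for the
    'enable AES' recommendation (should trend toward 0 once AES is enforced)."""
    if not events:
        return 0.0
    return sum(e["TicketEncryptionType"].lower() == RC4_HMAC for e in events) / len(events)
```

Thresholds (window length, SPN count) are starting points to tune against a baseline of the environment's normal service ticket traffic.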
Tags: defense, strong passwords, AES encryption, Kerberos, monitoring, service account hardening