An error occurred:

Check: AD.0005

Active Directory Domain STIG: AD.0005 (in versions v3 r5 through v2 r8)

Title

Delegation of privileged accounts must be prohibited. (Cat I impact)

Discussion

Privileged accounts such as those belonging to any of the administrator groups must not be trusted for delegation. Allowing privileged accounts to be trusted for delegation provides a means for privilege escalation from a compromised system.

Check Content

Review the properties of all privileged accounts in Active Directory Users and Computers. Under the Account tab, verify "Account is sensitive and cannot be delegated" is selected in the Account Options section. If delegation is not prohibited for any privileged account, this is a finding.

Fix Text

Open Active Directory Users and Computers. View the properties of all privileged accounts. Under the Account tab, select "Account is sensitive and cannot be delegated" in the Account Options section.

Additional Identifiers

Rule ID: SV-243470r959010_rule

Vulnerability ID: V-243470

Group Title: SRG-OS-000480

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings