Check: AD.0018
Active Directory Domain STIG:
AD.0018
(in versions v3 r5 through v2 r13)
Title
Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation. (Cat II impact)
Discussion
Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific services and accounts required.
Check Content
Open "Windows PowerShell" on a domain controller. Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID". If any computers are returned, this is a finding. (TrustedForDelegation equaling True indicates unconstrained delegation.) PrimaryGroupID 515 = Domain computers (excludes DCs) TrustedForDelegation = Unconstrained Delegation TrustedToAuthForDelegation = Constrained delegation ServicePrincipalName = Service Names Description = Computer Description
Fix Text
Remove unconstrained delegation from computers in the domain. Select "Properties" for the computer object. Select the "Delegation" tab. De-select "Trust this computer for delegation to any service (Kerberos only)" Configured constrained delegation for specific services where required.
Additional Identifiers
Rule ID: SV-243478r959010_rule
Vulnerability ID: V-243478
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |