Active Directory Domain STIG Version Comparison
Active Directory Domain Security Technical Implementation Guide
Comparison
There are 6 differences between versions v2 r12 (Jan. 25, 2019) (the "left" version) and v3 r1 (Nov. 1, 2021) (the "right" version).
Check AD.0018 was added to the benchmark in the "right" version.
Text Differences
Title
Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
Check Content
Open "Windows PowerShell" on a domain controller.
Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID".
If any computers are returned, this is a finding. (TrustedForDelegation equaling True indicates unconstrained delegation.)
PrimaryGroupID 515 = Domain Computers (excludes DCs)
TrustedForDelegation = Unconstrained delegation
TrustedToAuthForDelegation = Constrained delegation
ServicePrincipalName = Service names
Description = Computer description
Discussion
Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific services and accounts required.
Fix
Remove unconstrained delegation from computers in the domain. Select "Properties" for the computer object. Select the "Delegation" tab. De-select "Trust this computer for delegation to any service (Kerberos only)". Configure constrained delegation for specific services where required.
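The following script is an added example, not part of the STIG text: it runs the AD.0018 check from above as a reusable function and, with -Remediate, applies the scripted equivalent of the GUI fix (clearing the "trust for delegation to any service" flag via Set-ADComputer -TrustedForDelegation $false). It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the caller has rights to read and modify computer objects; the function names are the example's own.

```powershell
# Added example (not STIG or DISA code). Requires the ActiveDirectory module (RSAT).
# PrimaryGroupID 515 = Domain Computers, so domain controllers (516) and
# read-only DCs (521) are excluded, matching the scope of the check.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationComputer {
    # The STIG query, returning the attributes the check asks to review.
    [CmdletBinding()]
    param()
    $query = @{
        Filter     = { (TrustedForDelegation -eq $true) -and (PrimaryGroupID -eq 515) }
        Properties = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
                     'ServicePrincipalName', 'Description', 'PrimaryGroupID'
    }
    Get-ADComputer @query |
        Select-Object Name, DistinguishedName, TrustedForDelegation, TrustedToAuthForDelegation,
            @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join ';' } }, Description
}

function Invoke-AD0018Audit {
    # Reports the finding; with -Remediate clears unconstrained delegation.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    $findings = @(Get-UnconstrainedDelegationComputer)
    if ($findings.Count -eq 0) {
        Write-Output 'AD.0018: no domain computers (excluding DCs) are trusted for unconstrained delegation. Not a finding.'
        return
    }
    Write-Warning ("AD.0018 finding: {0} computer(s) configured for unconstrained delegation." -f $findings.Count)
    $findings | Format-Table -AutoSize | Out-String | Write-Output

    if ($Remediate) {
        foreach ($computer in $findings) {
            # Same effect as de-selecting "Trust this computer for delegation to any service
            # (Kerberos only)". Constrained delegation for required services must then be
            # configured separately on the Delegation tab (or msDS-AllowedToDelegateTo).
            if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Clear TrustedForDelegation')) {
                Set-ADComputer -Identity $computer.DistinguishedName -TrustedForDelegation $false
            }
        }
    }
}

# Audit only. Use "Invoke-AD0018Audit -Remediate -WhatIf" to preview the fix,
# and "Invoke-AD0018Audit -Remediate" to apply it.
Invoke-AD0018Audit
```

Review the returned SPNs and Description before remediating, since a host that legitimately needs delegation should be moved to constrained delegation for those specific services rather than simply cleared.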