UCF STIG Viewer Logo

Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.


Overview

Finding ID Version Rule ID IA Controls Severity
V-92285 AD.0018 SV-102373r1_rule Medium
Description
Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific services and accounts required.
STIG Date
Active Directory Domain Security Technical Implementation Guide (STIG) 2019-03-21

Details

Check Text ( C-91557r1_chk )
Open "Windows PowerShell" on a domain controller.

Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID".

If any computers are returned, this is a finding.
(TrustedForDelegation equaling True indicates unconstrained delegation.)

PrimaryGroupID 515 = Domain computers (excludes DCs)
TrustedForDelegation = Unconstrained Delegation
TrustedToAuthForDelegation = Constrained delegation
ServicePrincipalName = Service Names
Description = Computer Description
Fix Text (F-98499r1_fix)
Remove unconstrained delegation from computers in the domain.

Select "Properties" for the computer object.

Select the "Delegation" tab.

De-select "Trust this computer for delegation to any service (Kerberos only)"

Configured constrained delegation for specific services where required.