Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-243478 | AD.0018 | SV-243478r959010_rule | CCI-000366 | medium |
| Description | ||||
| Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific services and accounts required. | ||||
| STIG | Date | |||
| Active Directory Domain Security Technical Implementation Guide | 2024-09-13 | |||
Details
Check Text (C-243478r959010_chk)
Open "Windows PowerShell" on a domain controller.
Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID".
If any computers are returned, this is a finding.
(TrustedForDelegation equaling True indicates unconstrained delegation.)
PrimaryGroupID 515 = Domain computers (excludes DCs)
TrustedForDelegation = Unconstrained Delegation
TrustedToAuthForDelegation = Constrained delegation
ServicePrincipalName = Service Names
Description = Computer Description
Fix Text (F-46710r723468_fix)
Remove unconstrained delegation from computers in the domain.
Select "Properties" for the computer object.
Select the "Delegation" tab.
De-select "Trust this computer for delegation to any service (Kerberos only)"
Configured constrained delegation for specific services where required.