Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-243478 | AD.0018 | SV-243478r723469_rule | Medium |
| Description |
|---|
| Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific services and accounts required. |
| STIG | Date |
|---|---|
| Active Directory Domain Security Technical Implementation Guide | 2024-02-26 |
Details
| Check Text ( C-46753r723467_chk ) |
|---|
| Open "Windows PowerShell" on a domain controller. Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID". If any computers are returned, this is a finding. (TrustedForDelegation equaling True indicates unconstrained delegation.) PrimaryGroupID 515 = Domain computers (excludes DCs) TrustedForDelegation = Unconstrained Delegation TrustedToAuthForDelegation = Constrained delegation ServicePrincipalName = Service Names Description = Computer Description |
| Fix Text (F-46710r723468_fix) |
|---|
| Remove unconstrained delegation from computers in the domain. Select "Properties" for the computer object. Select the "Delegation" tab. De-select "Trust this computer for delegation to any service (Kerberos only)" Configured constrained delegation for specific services where required. |