STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.

DISA Rule

SV-102373r1_rule

Vulnerability Number

V-92285

Group Title

AD.0018

Rule Version

AD.0018

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove unconstrained delegation from computers in the domain.

Select "Properties" for the computer object.

Select the "Delegation" tab.

De-select "Trust this computer for delegation to any service (Kerberos only)".

Configure constrained delegation for specific services where required.

Check Contents

Open "Windows PowerShell" on a domain controller.

Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID".

If any computers are returned, this is a finding.
(TrustedForDelegation equaling True indicates unconstrained delegation.)

PrimaryGroupID 515 = Domain computers (excludes DCs)
TrustedForDelegation = Unconstrained Delegation
TrustedToAuthForDelegation = Constrained delegation
ServicePrincipalName = Service Names
Description = Computer Description
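The check and fix above, combined into one script as an added example (not part of the STIG or of STIGQter). It assumes the ActiveDirectory RSAT module is available and that the function names and the sample SPN are constructed for illustration.

```powershell
# Added example, not STIG/STIGQter code. Run as a domain admin on a DC or an RSAT workstation.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationComputers {
    # Same query as the STIG check: PrimaryGroupID 515 = Domain Computers, so domain
    # controllers are excluded; TrustedForDelegation = unconstrained delegation.
    $params = @{
        Filter     = { (TrustedForDelegation -eq $true) -and (PrimaryGroupID -eq 515) }
        Properties = @('TrustedForDelegation', 'TrustedToAuthForDelegation',
                       'ServicePrincipalName', 'Description', 'PrimaryGroupID',
                       'msDS-AllowedToDelegateTo')
    }
    Get-ADComputer @params
}

function Set-ConstrainedDelegationTargets {
    # Fix step 4: replace unconstrained delegation with constrained delegation limited
    # to the SPNs the host genuinely needs (hypothetical helper; target list is an input).
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string[]]$TargetSpn)
    Set-ADComputer -Identity $Identity -TrustedForDelegation $false `
        -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
}

$findings = @(Get-UnconstrainedDelegationComputers)
if ($findings.Count -eq 0) {
    Write-Output 'AD.0018: no domain-joined computers with unconstrained delegation. Not a finding.'
    return
}

# Report each finding with the SPNs it exposes, so the required services can be documented
# before constrained delegation is configured.
Write-Output ("AD.0018: FINDING - {0} computer(s) configured for unconstrained delegation:" -f $findings.Count)
$findings |
    Select-Object Name, DNSHostName, Description,
        @{ n = 'SPNs';               e = { $_.ServicePrincipalName -join '; ' } },
        @{ n = 'ConstrainedTargets'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } } |
    Format-Table -AutoSize

# Fix steps 1-3: clear the unconstrained flag. -WhatIf previews the change; remove it to apply.
foreach ($computer in $findings) {
    Set-ADComputer -Identity $computer -TrustedForDelegation $false -WhatIf
}

# Example of step 4 for a host that still needs delegation to one service (constructed SPN):
# Set-ConstrainedDelegationTargets -Identity 'APP01' -TargetSpn @('HTTP/web01.example.test')
```

Re-running the query after remediation should return nothing; any host that still needs delegation should appear only with msDS-AllowedToDelegateTo populated and TrustedForDelegation false.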

Vulnerability Number

V-92285

Documentable

False

Rule Version

AD.0018

Severity Override Guidance

Open "Windows PowerShell" on a domain controller.

Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID".

If any computers are returned, this is a finding.
(TrustedForDelegation equaling True indicates unconstrained delegation.)

PrimaryGroupID 515 = Domain computers (excludes DCs)
TrustedForDelegation = Unconstrained Delegation
TrustedToAuthForDelegation = Constrained delegation
ServicePrincipalName = Service Names
Description = Computer Description

Check Content Reference

M

Target Key

870

Comments