Details
This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.
The recommended state for this setting is: No One.
Note: This user right is considered a ‘sensitive privilege’ for the purposes of auditing.
Rationale:
Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident.
Impact:
None – this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to No One
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentEnable computer and user accounts to be trusted for delegation
Default Value:
No one.
Additional Information:
Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020
Vul ID: V-205748
Rule ID: SV-205748r569188_rule
STIG ID: WN19-MS-000130
Severity: CAT II
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Windows.