74.16 (L1) Ensure 'Enable Delegation' is set to 'No One'

Information

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

The recommended state for this setting is: No One

Note: This user right is considered a 'sensitive privilege' for the purposes of auditing.

Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to (<![CDATA[]]>) which equals No One

User Rights\Enable Delegation

Note: Using (<![CDATA[]]>) to represent a blank value or No One is recommended by Microsoft. However, there is a known issue where an error occurs in Endpoint Manger (Intune) but does not affect the policy setting from being applied to the system properly.

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/16853