2.2.34 Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

The recommended state for this setting is: No One.

Note: This user right is considered a 'sensitive privilege' for the purposes of auditing.

Rationale:

Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, configure the following UI path:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation




Default Value:

No one.

Additional Information:

This Benchmark Recommendation maps to:

Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 1, Release 13, Benchmark Date: May 15, 2020

Vul ID: V-73779
Rule ID: SV-88443r2_rule
STIG ID: WN16-MS-000420
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2940