CCE-98671-1
This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Caution Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. Default: Administrators on domain controllers Countermeasure: The Enable computer and user accounts to be trusted for delegation user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. Note: There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts; it is only relevant on domain controllers and stand-alone computers. Potential Impact: None. This is the default configuration. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentEnable computer and user accounts to be trusted for delegation (2) REG: ### (3) WMI: root sopcomputer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeEnableDelegationPrivilege' and precedence=1 Parameter:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||
 |
30479 |
 |
423868 |
 |
249461 |
 |
909 |
 |
195508 |
 |
282 |
