CCE-98671-1Platform: cpe:/o:microsoft:windows_10 | Date: (C)2022-11-15 (M)2023-07-07 |
This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
Caution
Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
Default: Administrators on domain controllers
Countermeasure:
The Enable computer and user accounts to be trusted for delegation user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do.
Note: There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts; it is only relevant on domain controllers and stand-alone computers.
Potential Impact:
None. This is the default configuration.
Fix:
(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentEnable computer and user accounts to be trusted for delegation
(2) REG: ###
(3) WMI: root
sopcomputer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeEnableDelegationPrivilege' and precedence=1
Parameter:
[list_of_users_followed_by_comma]
Technical Mechanism:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeEnableDelegationPrivilege' and precedence=1
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.5 | Attack Vector: NETWORK |
Exploit Score: 1.8 | Attack Complexity: HIGH |
Impact Score: 6.0 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | Scope: CHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85555 |