| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-243478 | CAT II | MONT-DC-003 | Active Directory Domain Security Technic... | Domain-joined systems (excluding domain controller... | - | |||
Check TextOpen "Windows PowerShell" on a domain controller. Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID". If any computers are returned, this is a finding. (TrustedForDelegation equaling True indicates unconstrained delegation.) PrimaryGroupID 515 = Domain computers (excludes DCs) TrustedForDelegation = Unconstrained Delegation TrustedToAuthForDelegation = Constrained delegation ServicePrincipalName = Service Names Description = Computer Description Fix TextRemove unconstrained delegation from computers in the domain. Select "Properties" for the computer object. Select the "Delegation" tab. De-select "Trust this computer for delegation to any service (Kerberos only)" Configured constrained delegation for specific services where required. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 55740C7819F0A0F534B0C85122BCAD1EB9746BE4 ~~~~~ No computers are Trusted for Delegation and have a Primary Group ID of '515'
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Scan Date: 2026-01-14T12:57:36.435963
Technology Area: Domain Name System
|
||||||||