V-243478
CAT IIDomain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
- Ships Affected
- 1
- Total Findings
- 1
- Open
- 0
- Closed
- 1
Check Text
Open "Windows PowerShell" on a domain controller.
Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID".
If any computers are returned, this is a finding.
(TrustedForDelegation equaling True indicates unconstrained delegation.)
PrimaryGroupID 515 = Domain computers (excludes DCs)
TrustedForDelegation = Unconstrained Delegation
TrustedToAuthForDelegation = Constrained delegation
ServicePrincipalName = Service Names
Description = Computer Description
Fix Text
Remove unconstrained delegation from computers in the domain.
Select "Properties" for the computer object.
Select the "Delegation" tab.
De-select "Trust this computer for delegation to any service (Kerberos only)"
Configured constrained delegation for specific services where required.
STIG Reference
- STIG
- Active Directory Domain Security Technical Implementation Guide
- Version
- 3
- Release
- 7
- Rule ID
- SV-243478r959010_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl | Unassigned | 2026-01-14T12:57:36.435963 | View in Context |