Kerberos Constrained Delegation
User Account
Prerequisites
Hunting for user accounts that have kerberos-constrained delegation enabled:
In the screenshot below (not reproduced here), the user spot is allowed to delegate to, or in other words impersonate, any user and authenticate as that user to the file system service (CIFS) on the domain controller DC01.
The user account must have the TRUSTED_TO_AUTH_FOR_DELEGATION flag set in order to be able to authenticate to the remote service on behalf of another user.
TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
Mitigation
To mitigate abuse of delegated accounts, ensure that privileged accounts are configured with “Account is sensitive and cannot be delegated” in Active Directory, or are added to the Protected Users group, so that they cannot be delegated.
If delegation is needed for specific accounts, restrict them to the single required target service (the SPNs listed in their delegation configuration), enforce that with firewall rules that permit only the traffic needed for that delegation, and remove any other privileged access those accounts do not require.
Also, ensure the delegated accounts use strong passwords to protect them against attacks like Kerberoasting.
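The hunt described above and the mitigation checks, as an added PowerShell example (not from the original page): it lists accounts configured for constrained delegation, flags those that can also perform protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION), and then reports Domain Admins that are neither marked sensitive nor in Protected Users. It assumes the RSAT ActiveDirectory module is installed and the session can read the domain.

```powershell
# Added audit example, not part of the original page. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits (values from Microsoft's userAccountControl flag table)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol" (protocol transition)
$NOT_DELEGATED                  = 0x100000    # "Account is sensitive and cannot be delegated"

# 1. Hunting: any user or computer whose msDS-AllowedToDelegateTo lists target SPNs
#    (e.g. cifs/DC01) is configured for constrained delegation.
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl, objectClass

$constrained | ForEach-Object {
    [pscustomobject]@{
        Account             = $_.Name
        Class               = $_.objectClass
        # True when the account may obtain tickets for arbitrary users (higher risk)
        ProtocolTransition  = (($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        AllowedToDelegateTo = ($_.'msDS-AllowedToDelegateTo' -join '; ')
    }
} | Format-Table -AutoSize

# 2. Mitigation check: privileged users that can still be impersonated through delegation.
#    A Domain Admin should either carry NOT_DELEGATED or be a member of Protected Users.
$protectedUsers = Get-ADGroupMember 'Protected Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName

Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties userAccountControl |
    Where-Object {
        (($_.userAccountControl -band $NOT_DELEGATED) -eq 0) -and
        ($protectedUsers -notcontains $_.DistinguishedName)
    } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Accounts returned by the second query are the ones to mark sensitive or move into Protected Users; accounts in the first list with ProtocolTransition set deserve the tightest review.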