2.2.22 Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory.

Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

- Level 1 - Domain Controller. The recommended state for this setting is: 'Administrators'.

- Level 1 - Member Server. The recommended state for this setting is: 'No One'.

Solution

To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
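
One way to check the effective value on a host, added here as an example and not part of the benchmark or the audit file: it exports the local user rights with secedit, reads SeEnableDelegationPrivilege (the privilege constant behind this policy) and compares it with the recommended state for the machine's role. The temporary file name and the output property names are assumptions of this example.

```powershell
# Added example (not from the benchmark). Run elevated: secedit needs admin rights.
$ErrorActionPreference = 'Stop'

# Win32_OperatingSystem.ProductType: 2 = domain controller, 3 = server.
# Anything that is not a DC is evaluated against the Member Server value.
$isDC = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 2
# Recommended state from this page: Administrators on a DC, no one on a member server.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$expected = @(if ($isDC) { 'S-1-5-32-544' })

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
    $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeEnableDelegationPrivilege\s*=' }
}
finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

# A right held by no one is exported as a missing line or an empty value.
$value = if ($line) { ($line -split '=', 2)[1] } else { '' }

$actual = @(foreach ($entry in ($value -split ',')) {
    $name = $entry.Trim()
    if (-not $name) { continue }
    if ($name.StartsWith('*')) { $name.Substring(1); continue }   # "*S-1-..." is a SID
    try {
        # Entries exported by account name are translated to a SID for comparison.
        ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    catch { $name }   # unresolvable name: keep it so it is reported as unexpected
})

$unexpected = @($actual | Where-Object { $_ -notin $expected })
$missing    = @($expected | Where-Object { $_ -notin $actual })

[pscustomobject]@{
    Role       = if ($isDC) { 'Domain Controller' } else { 'Member Server' }
    Assigned   = $actual -join ', '
    Unexpected = $unexpected -join ', '
    Missing    = $missing -join ', '
    Compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
}
```

The export reflects the effective local policy after Group Policy has applied, so run it after a policy refresh when verifying a newly linked GPO.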

See Also

https://workbench.cisecurity.org/files/1941