AD Starter Scan - Unconstrained delegation

high Nessus Plugin ID 150485

Synopsis

Dangerous Kerberos delegation set.

Description

Kerberos, the protocol at the core of Active Directory security, allows certain servers to obtain a user's credentials and use those to authenticate on behalf of the user.

When a user authenticates on a server that is Trusted for delegation, a copy of the user's credentials is sent to the server by the domain controller. These credentials can then be used to authenticate on behalf of the user.

If an attacker is able to compromise such a server, they will be able to steal and reuse the credentials of all the users who authenticate to that particular server. If an administrator connects to the compromised machine, the attacker will be able to escalate their privileges and become an administrator as well. This mechanism is called unconstrained delegation. As a consequence, the Trusted for delegation property should only be allowed on trusted servers such as domain controllers.

Note: This plugin is part of the Active Directory Starter Scan Template and is meant to be used for preliminary analysis of AD hosts. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

The only accounts using unconstrained delegation should be the domain controller accounts. Administrators should also be protected against any dangerous delegation type:
- by being members of the 'Protected Users' group, or
- by setting the 'Account is sensitive and cannot be delegated' flag on the user accounts
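The two checks above (no unconstrained delegation outside domain controllers, and privileged accounts shielded by 'Protected Users' or the 'Account is sensitive and cannot be delegated' flag) can be audited offline from an LDAP export. The following is an added example written for this page, not the plugin's own code or anything from Tenable. It assumes records carrying the standard AD attribute names (`userAccountControl`, `memberOf`, `adminCount`, `msDS-AllowedToDelegateTo`); the flag constants are the documented `userAccountControl` bits, the 'Protected Users' match is by group DN, and the sample objects are constructed.

```python
# Added example, not part of the Nessus plugin: audit constructed LDAP-export
# records for the two conditions the plugin description and solution raise.

# Documented userAccountControl bits (ADS_USER_FLAG_ENUM).
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controller computer accounts
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed sample objects; the attribute names mirror what an LDAP export of AD returns.
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "SQL01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.corp.example"]},
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT, "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example",
                  "CN=Protected Users,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "bob", "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED, "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "carol", "userAccountControl": UF_NORMAL_ACCOUNT, "adminCount": 1,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "dave", "userAccountControl": UF_NORMAL_ACCOUNT, "adminCount": 0},
]


def delegation_type(record):
    """Classify the delegation configured on one account."""
    uac = int(record["userAccountControl"])
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if record.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    return "none"


def audit_unconstrained_delegation(records):
    """Accounts with unconstrained delegation that are not domain controllers."""
    findings = []
    for r in records:
        uac = int(r["userAccountControl"])
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            findings.append(r["sAMAccountName"])
    return findings


def is_protected_against_delegation(record):
    """True if the account is in 'Protected Users' or carries the NOT_DELEGATED flag."""
    uac = int(record["userAccountControl"])
    if uac & UF_NOT_DELEGATED:
        return True
    groups = record.get("memberOf", [])
    return any(dn.lower().startswith("cn=protected users,") for dn in groups)


def audit_unprotected_admins(records):
    """Privileged user accounts (adminCount=1 is used here as the indicator) lacking both protections."""
    findings = []
    for r in records:
        uac = int(r["userAccountControl"])
        if int(r.get("adminCount", 0)) != 1 or not uac & UF_NORMAL_ACCOUNT:
            continue
        if not is_protected_against_delegation(r):
            findings.append(r["sAMAccountName"])
    return findings


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print("%-12s delegation=%s" % (r["sAMAccountName"], delegation_type(r)))
    print("non-DC unconstrained delegation:", audit_unconstrained_delegation(SAMPLE_RECORDS))
    print("admins without delegation protection:", audit_unprotected_admins(SAMPLE_RECORDS))
```

The DC computer account is excluded through the `SERVER_TRUST_ACCOUNT` bit rather than by name, so a renamed or non-standard DC is still recognised; `adminCount=1` is only a heuristic for "privileged", and a stricter audit would enumerate the protected groups directly.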

See Also

https://adsecurity.org/?p=1667

http://www.nessus.org/u?c3b56c92

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: High

ID: 150485

File Name: adsi_kerberos_deleg.nbin

Version: 1.10

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 9/20/2021

Dependencies: adsi_enum.nbin

Risk Information

CVSS Score Source: manual

CVSS Score Rationale: Score based on an in-depth analysis by Tenable.

CVSS v2

Risk Factor: High

Base Score: 7.4

Vector: AV:A/AC:M/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.1

Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: Secret/adsi/username/0, Secret/adsi/password/0, adsi/host/0, adsi/domain/0, adsi_enum_computer_objects/available