Security Assessment: Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated"
This recommendation lists all privileged accounts that lack the "account is sensitive and cannot be delegated" flag. Privileged accounts are accounts that are being members of a privileged group such as Domain admins, Schema admins, Read only domain controllers and so on.
Organization risk
If the sensitive flag is disabled, attackers could exploit Kerberos delegation to misuse privileged account credentials, leading to unauthorized access, lateral movement, and potential network-wide security breaches. Setting the sensitive flag on privileged accounts will prevent users from gaining access to the account and manipulating system settings.
Remediation steps
Review the list of exposed entities to discover which of your privileged accounts don’t have the configuration flag "this account is sensitive and cannot be delegated".
Take appropriate action on those accounts:
For user accounts: by setting the account's control flags to "this account is sensitive and cannot be delegated". Under the Account tab, select the check box to this flag in the Account Options section. This will prevent users from gaining access to the account and manipulating system settings.
For device accounts:
The safest approach is to use a PowerShell script to configure the device to prevent it from being used in any delegation scenario, ensuring that credentials on this machine cannot be forwarded to access other services.$name = "ComputerA" Get-ADComputer -Identity $name | Set-ADAccountControl -AccountNotDelegated:$trueAnother option is to set the
UserAccountControlattribute toNOT_DELEGATED = 0x100000under the Attribute Editor tab for the exposed device.
For example:
It’s important to verify that the exposed computer does not require any delegation capabilities before changing the configuration.