cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Enable Unconstrained Kerberos Delegation

Deleted
Not applicable

‎Jul 22 2019 10:28 PM

‎Jul 22 2019 10:28 PM

Enable Unconstrained Kerberos Delegation

Hi there,

 

By default the group ''Account Operators'' is often used, despite that Microsoft recommend it to keep it empty, but this group has wide permissions in the domain. All the users in Account Operators could enable the Unconstrained Kerberos Delegation on servers, because they are granted the GenericAll permission on these computer objects.

 

I tried to find some additional information about it to see if ATA picks this up. I couldn't find it, but there could be a chance that I just overlooked it. So I was wondering if you guys would detect, when someone decided to turn this setting on?

 

unconstrained.png

 

Here is the event log that will be generated.

 

4742.png

 

enabled.png

 

2,827 Views
0 Likes
5 Replies
Reply
5 Replies
Eli Ofek

‎Jul 22 2019 11:47 PM

‎Jul 22 2019 11:47 PM

Re: Enable Unconstrained Kerberos Delegation

@Deleted , as far as I know there is no such detection.

@Tali Ash , Can you confirm?

 

you can find a list of alert types in this link:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide

This is updated from time to time when we add more detections.

0 Likes
Reply

‎Jul 22 2019 11:48 PM

‎Jul 22 2019 11:48 PM

Re: Enable Unconstrained Kerberos Delegation

@Eli OfekDo you consider to add this detection rule to it?

0 Likes
Reply
Eli Ofek

‎Jul 22 2019 11:52 PM

‎Jul 22 2019 11:52 PM

Re: Enable Unconstrained Kerberos Delegation

I will let @Tali Ash  comment on that as this is a product decision, and she might know if this is somewhere in the roadmap.

0 Likes
Reply
Tali Ash

‎Jul 22 2019 11:55 PM

‎Jul 22 2019 11:55 PM

Re: Enable Unconstrained Kerberos Delegation

@Or Tsemah Can you please share with @Deleted the relevant identity security posture reports?

Huy, what you are suggesting is covered by reports and not alerts, as it is more relevant for dangerous configurations in the environment,

0 Likes
Reply
Or Tsemah

‎Jul 23 2019 12:14 AM

‎Jul 23 2019 12:14 AM

Re: Enable Unconstrained Kerberos Delegation

@Deleted I can confirm that this feature (Exposing which entity has an unsecure kerberos delegation such as Unconstrained or some variations of constrained\resource based delegations) is in private preview and i hope to share some information about its release soon.

If you would like to know more, you can contact me directly.

0 Likes
Reply