64f28abd-921c-4d04-b2c0-f047d20d673e
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could allow unauthorized users to impersonate other users.
To fix this, configure the policy value for:
Computer Configuration
 |_ Windows Settings
   |_ Security Settings
     |_ Local Policies
       |_ User Rights Assignment
         |_ "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank).
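One way to verify the setting after applying the fix, as an added example that is not part of the STIG text: it parses a `secedit` user-rights export for `SeEnableDelegationPrivilege`, the privilege constant behind this policy. The function names are hypothetical, the sample export is constructed, and the live check assumes an elevated prompt.

```powershell
# Added example: audit SeEnableDelegationPrivilege using a secedit export.
# Function names are hypothetical; the sample data below is constructed.

function Get-DelegationRightHolders {
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $text -match '^SeEnableDelegationPrivilege\s*=\s*(.*)$') {
            # Entries are comma separated; a leading '*' marks a SID.
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    # Assumption: a right with no holders is omitted from the export entirely.
    return @()
}

function Test-DelegationRight {
    param([string[]]$InfLines)
    $holders = @(Get-DelegationRightHolders -InfLines $InfLines)
    [pscustomobject]@{
        Right     = 'SeEnableDelegationPrivilege'
        Compliant = ($holders.Count -eq 0)
        Holders   = $holders -join ', '
    }
}

# Constructed sample export (not from a real host): Administrators hold the right.
$sample = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"
Test-DelegationRight -InfLines $sample

# Live check on the local machine; fail loudly if the export did not succeed,
# so a failed export is never reported as a compliant result.
$cfg = Join-Path $env:TEMP "user_rights_$PID.inf"
try {
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) { throw 'secedit export failed' }
    Test-DelegationRight -InfLines (Get-Content -Path $cfg)
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```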
STIG:
Server:
2022: https://www.stigviewer.com/stig/microsoft_windows_server_2022/2024-06-14/finding/V-254440
2019: https://www.stigviewer.com/stig/microsoft_windows_server_2019/2024-06-14/finding/V-205748 / https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93047
2016: https://www.stigviewer.com/stig/microsoft_windows_server_2016/2024-02-21/finding/V-225020 / https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73777
Desktop:
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2024-06-10/finding/V-253496
W10: https://www.stigviewer.com/stig/microsoft_windows_10/2024-06-13/finding/V-220973 / https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220973
NIST 800-53: AC-6(7)(b)
NIST 800-171 rev3 FPO: 3.1.1.g.3, 3.1.5.c, 3.1.5.d
NIST 800-171 rev3: 03.01.01.g.03, 03.01.05.c, 03.01.05.d, 03.10.01.c, 03.10.01.d
NIST 800-171A rev3: A.03.01.05.ODP[03], A.03.01.05.c, A.03.01.05.d
CAT: II
CCI: CCI-002235
CSCv6: 5.1
PCI-DSS v4: 7.2.4, 7.2.5.1, A3.4.1