Content - 592166b986a336c8747db131a6386f365fc5d7a0 - 4dca8ab/scapolite/V-73777/SV-88441.md

SV-88441.md
---
scapolite:
    class: rule
    version: '0.51'
id: SV-88441
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The Enable computer and user accounts to be trusted for delegation user right
    must only be assigned to the Administrators group on domain controllers.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-80227r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Local
            Policies\User Rights Assignment\Enable computer and user accounts to be
            trusted for delegation
        value:
          - Administrators
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: SeEnableDelegationPrivilege
        section: Privilege Rights
        value:
          - '*S-1-5-32-544'
checks:
  - relative_id: C-73859r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1170
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-002235
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-47308-2
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-DC-000420
    internal_comment: ''
---


## /rule

The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.

The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could allow unauthorized users to impersonate other users.

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to include only the following accounts or groups:

- Administrators

## /checks/0/description

This applies to domain controllers. A separate version applies to other systems.

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding.

- Administrators

## /checks/1/description

IASE supplies an OVAL check.