SV-88441.md
---
scapolite:
class: rule
version: '0.51'
id: SV-88441
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The Enable computer and user accounts to be trusted for delegation user right
must only be assigned to the Administrators group on domain controllers.
rule: <see below>
description: <see below>
applicability:
- system: org.scapolite.xccdf.applicability
weight: 10.0
selected: false
role: ''
severity: medium
implementations:
- relative_id: F-80227r1
description: <see below>
automations:
- system: org.scapolite.implementation.win_gpo
ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Enable computer and user accounts to be
trusted for delegation
value:
- Administrators
verification_status: Checked.
- system: org.scapolite.implementation.win_secedit
setting_name: SeEnableDelegationPrivilege
section: Privilege Rights
value:
- '*S-1-5-32-544'
checks:
- relative_id: C-73859r1
description: <see below>
- relative_id: '01'
title: OVAL-based check
description: <see below>
automations:
- system: http://oval.mitre.org/XMLSchema/oval-definitions-5
idref: oval:mil.disa.stig.windows:def:1170
href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
- system: http://iase.disa.mil/cci
idref: CCI-002235
relation: ''
- system: http://cce.mitre.org
idref: CCE-47308-2
relation: ''
history:
- version: r1
action: created
description: WN16-DC-000420
internal_comment: ''
---
## /rule
The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
## /description
[**VulnDiscussion**]{.separator type='STIG'}
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities.
The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could allow unauthorized users to impersonate other users.
[**Documentable**]{.separator type='STIG'}
false
## /implementations/0/description
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to include only the following accounts or groups:
- Administrators
## /checks/0/description
This applies to domain controllers. A separate version applies to other systems.
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding.
- Administrators
## /checks/1/description
IASE supplies an OVAL check.