Kerberos Unconstrained Delegation
What is Kerberos Unconstrained Delegation?
An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service. It is a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.
Unconstrained delegation is the original Kerberos delegation mode in Active Directory. When a computer or service account is marked 'Trust this computer for delegation to any service' (the TRUSTED_FOR_DELEGATION bit, 0x80000, in its userAccountControl attribute), the KDC sets the OK-AS-DELEGATE flag in service tickets issued for that account, and a Kerberos client that sees the flag sends a forwardable copy of its own TGT, together with the matching session key, in the authenticator of the AP-REQ alongside the service ticket. The service caches that TGT and can use it to request service tickets in the user's name to any other service in the forest; nothing limits where it may delegate. This is attractive to attackers for two reasons. First, any user who authenticates with Kerberos to a compromised unconstrained-delegation host, Domain Admins included, hands a usable TGT to the attacker. Second, authentication-coercion primitives such as the 'Printer bug' (MS-RPRN) and PetitPotam (MS-EFSRPC) can force a domain controller's computer account to authenticate to such a host; if the attacker names the host by its SPN-bearing hostname rather than its IP address, so that Kerberos rather than NTLM is used, the DC's TGT lands on the host, and the DC account's replication rights then permit DCSync. Mitigations: do not enable unconstrained delegation on new servers; migrate existing uses to constrained or, preferably, resource-based constrained delegation; mark sensitive accounts 'Account is sensitive and cannot be delegated' (the NOT_DELEGATED bit, 0x100000); place high-privilege users in the Protected Users group, whose members' TGTs are never forwardable; and audit userAccountControl for TRUSTED_FOR_DELEGATION, remembering that domain controllers carry the flag by design and must be excluded from any cleanup.
● Examples
- 01
A red team coerces a domain controller into authenticating to a compromised IIS server that has unconstrained delegation enabled, harvests the DC computer account's TGT from the server's memory, and uses it to run a DCSync attack.
- 02
A blue team sweep removes the TRUSTED_FOR_DELEGATION flag from all member servers (domain controllers keep it by design) and migrates a small set of legacy SQL servers to resource-based constrained delegation.
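The audit-and-remediate sweep described in the definition and in the blue-team example, written out as an added PowerShell example; it is not code from the original page. It assumes the RSAT ActiveDirectory module, a domain-joined session with rights to modify the objects, and two hypothetical computer names, WEB01 (the front end that legitimately needs delegation) and SQL01 (the resource it delegates to).

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module (RSAT) and rights to read and modify the objects involved.
Import-Module ActiveDirectory

# userAccountControl bits that matter for delegation
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller computer account

# 1. Every user or computer with TRUSTED_FOR_DELEGATION set, excluding DCs,
#    which carry the flag by design. 1.2.840.113556.1.4.803 is the LDAP
#    bitwise-AND matching rule; the bit values interpolate as decimal.
$filter = "(&(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT)))"
$unconstrained = Get-ADObject -LDAPFilter $filter `
    -Properties userAccountControl, servicePrincipalName, operatingSystem

$unconstrained |
    Select-Object Name, ObjectClass, operatingSystem,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join '; ' } } |
    Format-Table -AutoSize

# 2. For comparison: accounts already marked non-delegable, and accounts on
#    constrained delegation with protocol transition (worth a separate review).
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$NOT_DELEGATED)" |
    Select-Object Name, ObjectClass
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" |
    Select-Object Name, ObjectClass

# 3. Remediate one legacy front end: clear unconstrained delegation and switch
#    to resource-based constrained delegation, where the *resource* (SQL01)
#    lists which principal (WEB01) may delegate to it. Both names are hypothetical.
$frontEnd = Get-ADComputer 'WEB01'
$backEnd  = Get-ADComputer 'SQL01'

Set-ADAccountControl -Identity $frontEnd -TrustedForDelegation $false
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd

# 4. Protect high-value users so a compromised delegating host cannot reuse
#    their TGTs: set NOT_DELEGATED and add them to Protected Users.
$admins = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
foreach ($adm in $admins) {
    Set-ADAccountControl -Identity $adm -AccountNotDelegated $true
    Add-ADGroupMember -Identity 'Protected Users' -Members $adm
}

# 5. Verify nothing outside the DCs still carries the flag.
$remaining = @(Get-ADObject -LDAPFilter $filter)
"Remaining unconstrained-delegation accounts (excluding DCs): $($remaining.Count)"
```

Stage step 4 with test accounts first: Protected Users membership disables NTLM, DES and RC4 Kerberos, credential caching and delegation for those accounts, which breaks legacy authentication paths, and it is not intended for service or computer accounts. Step 3 only keeps the application working if WEB01 really needed delegation; if nothing depends on it, clearing the flag alone is the correct fix.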
● Frequently Asked Questions
What is Kerberos Unconstrained Delegation?
An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service. It is a high-impact misconfiguration repeatedly abused for credential theft and domain compromise. It belongs to the Identity and Access category of cybersecurity.
How does Kerberos Unconstrained Delegation work?
As described in the definition above: a host whose account carries the TRUSTED_FOR_DELEGATION flag receives a forwardable copy of each Kerberos client's TGT in the AP-REQ authenticator and can reuse it to obtain service tickets in that user's name for any service in the forest. A compromised host of that kind therefore yields the TGTs of everyone who authenticates to it, including a domain controller coerced into doing so via the Printer bug or PetitPotam, which leads directly to DCSync.
How do you protect against Kerberos Unconstrained Delegation?
Defences combine technical controls and operational practice, as set out in the definition above: remove the TRUSTED_FOR_DELEGATION flag from every account that is not a domain controller, migrate the remaining use cases to constrained or resource-based constrained delegation, mark privileged accounts 'Account is sensitive and cannot be delegated', add high-privilege users to the Protected Users group, and audit userAccountControl for the flag on a regular schedule.
What other names are there for Kerberos Unconstrained Delegation?
Common alternative names: UD, Trust for delegation to any service.
● Related Terms
- identity-access№ 652
Kerberos
Ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to provide secure single sign-on.
- identity-access№ 014
Active Directory
Microsoft's enterprise directory service for Windows networks, providing central authentication, authorization and policy management for users, computers and resources.
- identity-access№ 653
Kerberos Constrained Delegation
An Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured.
- attacks№ 651
Kerberoasting
Offline password attack that requests Kerberos service tickets for service accounts and cracks their encrypted portion to recover the accounts' plaintext passwords.
- attacks№ 886
Pass-the-Ticket
Active Directory attack that reuses a stolen Kerberos ticket to impersonate a user or service without knowing the password.
- attacks№ 836
NTLM-Relay-Angriff
Adversary-in-the-middle attack (MITRE T1557.001) in which an attacker relays a victim's NTLM authentication to another service in order to impersonate the victim without knowing the password.