Kerberos Unconstrained Delegation
Что такое Kerberos Unconstrained Delegation?
Kerberos Unconstrained DelegationAn Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.
Unconstrained delegation is the original Kerberos delegation mode in Active Directory. A computer or service account marked 'Trust this computer for delegation to any service' (the TRUSTED_FOR_DELEGATION user-account-control flag) receives the user's TGT inside the Kerberos service ticket as part of the standard double-hop sign-in. The service can then use that TGT to request service tickets for the user to any other service in the forest — there is no scoping. Attackers love this for two reasons. First, any user (including high-privilege accounts and even Domain Admins) who interacts with a compromised unconstrained-delegation host effectively donates their TGT to the attacker. Second, the 'Print Spooler bug' (and similar coerced-auth tricks like PetitPotam) can force domain controllers to authenticate to such a host, yielding the DC's TGT. Mitigations are categorical: never enable unconstrained delegation on new servers, migrate existing usage to constrained or resource-based constrained delegation, mark sensitive accounts as 'Account is sensitive and cannot be delegated', deploy Protected Users group membership for high-privilege users, and audit `userAccountControl` for the `TRUSTED_FOR_DELEGATION` flag.
● Примеры
- 01
A red-team coerces a Domain Controller to authenticate to a compromised IIS server with unconstrained delegation, harvests the DC's TGT, and proceeds to a DCSync attack.
- 02
A blue-team sweep removes the TRUSTED_FOR_DELEGATION flag from all member servers and migrates a small set of legacy SQL servers to resource-based constrained delegation.
● Частые вопросы
Что такое Kerberos Unconstrained Delegation?
An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise. Относится к категории Идентификация и доступ в кибербезопасности.
Что означает Kerberos Unconstrained Delegation?
An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.
Как работает Kerberos Unconstrained Delegation?
Unconstrained delegation is the original Kerberos delegation mode in Active Directory. A computer or service account marked 'Trust this computer for delegation to any service' (the TRUSTED_FOR_DELEGATION user-account-control flag) receives the user's TGT inside the Kerberos service ticket as part of the standard double-hop sign-in. The service can then use that TGT to request service tickets for the user to any other service in the forest — there is no scoping. Attackers love this for two reasons. First, any user (including high-privilege accounts and even Domain Admins) who interacts with a compromised unconstrained-delegation host effectively donates their TGT to the attacker. Second, the 'Print Spooler bug' (and similar coerced-auth tricks like PetitPotam) can force domain controllers to authenticate to such a host, yielding the DC's TGT. Mitigations are categorical: never enable unconstrained delegation on new servers, migrate existing usage to constrained or resource-based constrained delegation, mark sensitive accounts as 'Account is sensitive and cannot be delegated', deploy Protected Users group membership for high-privilege users, and audit `userAccountControl` for the `TRUSTED_FOR_DELEGATION` flag.
Как защититься от Kerberos Unconstrained Delegation?
Защита от Kerberos Unconstrained Delegation обычно сочетает технические меры и операционные практики, как описано в определении выше.
Какие есть другие названия Kerberos Unconstrained Delegation?
Распространённые альтернативные названия: UD, Trust for delegation to any service.
● Связанные термины
- identity-access№ 652
Kerberos
Сетевой протокол аутентификации на основе билетов, использующий симметричную криптографию и доверенный центр распределения ключей для безопасного единого входа.
- identity-access№ 014
Active Directory
Корпоративная служба каталогов Microsoft для сетей Windows, обеспечивающая централизованную аутентификацию, авторизацию и управление политиками для пользователей, компьютеров и ресурсов.
- identity-access№ 653
Kerberos Constrained Delegation
An Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured.
- attacks№ 651
Kerberoasting
Оффлайн-атака на пароли: запрос Kerberos-билетов служб для сервисных учёток и взлом их зашифрованной части для восстановления паролей в открытом виде.
- attacks№ 886
Pass-the-Ticket
Атака на Active Directory: повторное использование украденного Kerberos-билета для имперсонации пользователя или службы без знания пароля.
- attacks№ 836
Атака NTLM Relay
Атака «человек посередине» (MITRE T1557.001), в которой злоумышленник пересылает NTLM-аутентификацию жертвы другому сервису и выдаёт себя за неё, не зная пароля.