Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Delegation

Response

Delegation response focuses on removing dangerous delegation settings, reducing who can create service principals, protecting privileged users from delegation, and monitoring S4U and RBCD writes.

Inventory delegation

Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties ServicePrincipalName,UserAccountControl,dNSHostName
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo,ServicePrincipalName,dNSHostName,UserAccountControl
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,dNSHostName

Disable unconstrained delegation on a computer

Set-ADAccountControl -Identity TARGET01$ -TrustedForDelegation $false

Remove traditional constrained delegation

Set-ADObject -Identity "CN=svc_delegate,CN=Users,DC=ootw,DC=local" -Clear msDS-AllowedToDelegateTo
Set-ADAccountControl -Identity svc_delegate -TrustedToAuthForDelegation $false

Remove RBCD from a target

Set-ADComputer -Identity TARGET01 -Clear msDS-AllowedToActOnBehalfOfOtherIdentity

Set machine account quota to zero

Set-ADDomain -Identity ootw.local -Replace @{'ms-DS-MachineAccountQuota'=0}

Protect privileged accounts

Set-ADAccountControl -Identity Administrator -AccountNotDelegated $true
Add-ADGroupMember -Identity "Protected Users" -Members Administrator

Monitoring targets

5136  Directory object modified, especially msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-AllowedToDelegateTo
4741  Computer account created
4742  Computer account changed
4769  Service ticket requested, useful for S4U and unusual service-class activity
4624  Network logon using delegated credentials
4670  Permissions on an object changed

High-signal changes

New machine accounts created by normal users.
RBCD attribute added to servers or domain controllers.
Constrained delegation added to user-owned service accounts.
Unconstrained delegation enabled on non-DC servers.
Privileged users authenticating to unconstrained delegation hosts.
Service tickets where the requested service does not match normal application behavior.

Hardening

Remove unconstrained delegation from all non-DC systems.
Use constrained delegation only for explicit SPNs that are required.
Prefer gMSA-backed service designs where possible.
Set privileged users to Account is sensitive and cannot be delegated.
Use the Protected Users group for high-value accounts where operationally possible.
Set MachineAccountQuota to 0 unless self-service machine joins are required.
Monitor and review write access to computer objects.
Require LDAP signing and channel binding to reduce relay paths into RBCD.