Using the Axonius Cybersecurity Asset Management Platform to Find Machines Trusted for Delegation

Overview

This policy setting determines which users can set the Trusted for Delegation setting on a computer object. Security account delegation lets a connection hop across multiple servers while each hop retains the authentication credentials of the original client. Delegation of authentication is a capability that multi-tier client and server applications use: it allows a public-facing service to use the client's credentials to authenticate to an application or database service on the client's behalf. For this to work, the client and the server must run under accounts that are trusted for delegation. Only administrators who hold the "Enable computer and user accounts to be trusted for delegation" user right can set up delegation; Domain Admins and Enterprise Admins have this right by default. The procedure for allowing an account to be trusted for delegation depends on the functional level of the domain.

Security Considerations

From Microsoft

Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident.

Finding Devices in AD Trusted for Delegation

In the Axonius Cybersecurity Asset Management Platform, the following query returns all enabled Active Directory devices whose delegation policy is set to trust for delegation to specified services:

adapters_data.active_directory_adapter.device_disabled == false and adapters_data.active_directory_adapter.ad_delegation_policy == "Trust For Delegation To Specified Services"

Here it is in action:
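To cross-check what the Axonius query selects against an independent directory export, the following added example (not Axonius's code and not part of the original post) classifies computer accounts from the raw LDAP attributes that an "AD delegation policy" field summarises: the `userAccountControl` bit flags and the `msDS-AllowedToDelegateTo` attribute. The category labels, the sample records and the assumption that the Axonius value "Trust For Delegation To Specified Services" corresponds to constrained delegation (a non-empty `msDS-AllowedToDelegateTo`) are this example's own; the attribute names, the flag values and the LDAP bitwise-AND matching rule OID are documented Microsoft values.

```python
# Added example, not Axonius's own code: classify Active Directory computer
# accounts by delegation configuration and reproduce the page's query
# (enabled devices trusted for delegation to specified services) over
# an exported record set. All records below are constructed sample data.

# userAccountControl bit flags (documented Microsoft values)
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# LDAP extensible matching rule OID for bitwise AND on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Labels used by this example. Mapping CONSTRAINED to the Axonius value
# "Trust For Delegation To Specified Services" is an assumption.
UNCONSTRAINED = "trusted for delegation to any service"
CONSTRAINED = "trusted for delegation to specified services"
NOT_TRUSTED = "not trusted for delegation"


def classify(record):
    """Return the delegation policy of one computer account record."""
    uac = int(record.get("userAccountControl", 0))
    targets = record.get("msDS-AllowedToDelegateTo") or []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return UNCONSTRAINED          # any service: the riskiest configuration
    if targets:
        return CONSTRAINED            # limited to the listed SPNs
    return NOT_TRUSTED


def allows_protocol_transition(record):
    """True when constrained delegation may use any authentication protocol
    (the 'Use any authentication protocol' option), which widens its reach."""
    uac = int(record.get("userAccountControl", 0))
    return classify(record) == CONSTRAINED and bool(uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION)


def is_disabled(record):
    return bool(int(record.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE)


def find_trusted_for_delegation(records, policies=(CONSTRAINED,)):
    """Names of enabled computers whose policy is in `policies`. The default
    mirrors the page's query: device not disabled and policy == specified services."""
    return sorted(
        r["sAMAccountName"]
        for r in records
        if not is_disabled(r) and classify(r) in policies
    )


def ldap_filter(policy):
    """Equivalent LDAP search filter, for running the same check directly
    against a domain controller instead of an export."""
    enabled = f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))"
    if policy == UNCONSTRAINED:
        cond = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_TRUSTED_FOR_DELEGATION})"
    elif policy == CONSTRAINED:
        cond = "(msDS-AllowedToDelegateTo=*)"
    else:
        raise ValueError(f"no filter for policy {policy!r}")
    return f"(&(objectCategory=computer){enabled}{cond})"


# Constructed sample export: not real directory entries.
SAMPLE_RECORDS = [
    {"sAMAccountName": "WEB01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "APP02$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "APP03$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/api01.corp.example"]},
    {"sAMAccountName": "OLD04$",   # disabled, so excluded like device_disabled == false
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "PC05$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        flag = " (protocol transition)" if allows_protocol_transition(rec) else ""
        print(f"{rec['sAMAccountName']:8} {classify(rec)}{flag}")
    print("page's query:", find_trusted_for_delegation(SAMPLE_RECORDS))
    print("any or specified:", find_trusted_for_delegation(SAMPLE_RECORDS, (UNCONSTRAINED, CONSTRAINED)))
    print("LDAP:", ldap_filter(CONSTRAINED))
```

Note that the "Trusted for Delegation" setting in the Microsoft text above is the `userAccountControl` flag for delegation to any service, whereas the page's query matches the "specified services" value; passing `(UNCONSTRAINED, CONSTRAINED)` to `find_trusted_for_delegation` covers both when reviewing an environment.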