VID 28337
Severity 30
Port 139,445
Protocol TCP
Class SMB
Detailed Description A user or group with the 'Enable computer and user accounts to be trusted for delegation' privilege was detected. 'Enable computer and user accounts to be trusted for delegation' allows the user to change the Trusted for Delegation setting on a user or computer in Active Directory. This right is normally granted only to Administrators by default in a Windows 2000 domain, and is not normally granted to any user or group by default on Windows 2000 Professional and Windows 2000 Server.

* Note: This check requires an account with administrative privileges that can log in to the host being scanned. If these conditions are not met, the check is not performed, which results in a false negative for all vulnerable hosts.

* References:
http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/appxb.asp

* Platforms Affected:
Windows Any version
Recommendation Check which accounts are assigned the 'Enable computer and user accounts to be trusted for delegation' user right, and remove any names disallowed by your security policy.

To audit and revoke this privilege:

For a Windows 2000 domain:

1. Start Microsoft Management Console (mmc). From the Windows Start menu, select Run, type mmc, and click OK.
2. Add the Group Policy snap-in.
3. Browse the Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, and User Rights Assignment.
6. Set the user right to the desired setting according to your administration policy.

For a stand-alone Windows 2000 computer:

1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. The focus is the local computer by default.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, and 'Enable computer and user accounts to be trusted for delegation'.
3. Set the user right to the desired setting according to your administration policy.

For a Windows XP, 2003, 7, 2008, 8, 2012, 10, 2016, or 2019 computer:

1. On the affected computer, start gpedit.msc. From the Windows Start menu, select Run, type gpedit.msc, and click OK. The focus is the local computer by default.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, and 'Enable computer and user accounts to be trusted for delegation'.
3. Set the user right to the desired setting according to your administration policy.
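
The audit step above can also be done from a security policy export instead of the GUI. The following is an added example, not part of the original check or any vendor tooling: it parses the [Privilege Rights] section of a secedit export and lists who holds SeEnableDelegationPrivilege (the internal name of this user right). The function name, the allow-list default, and the sample export are assumptions made for illustration.

```powershell
# Added example: list holders of SeEnableDelegationPrivilege from a secedit export.
# Live input (elevated prompt):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $lines = Get-Content "$env:TEMP\rights.inf"
function Get-DelegationRightHolder {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,
        # Assumed allow-list: BUILTIN\Administrators only; adjust to your policy.
        [string[]] $AllowedSids = @('S-1-5-32-544')
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Track whether we are inside the user-rights section of the INF.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $t -match '^SeEnableDelegationPrivilege\s*=\s*(.*)$') {
            foreach ($entry in ($Matches[1] -split ',')) {
                $e = $entry.Trim()
                if (-not $e) { continue }
                $sid = $null
                $name = $e                      # entries without '*' are account names
                if ($e.StartsWith('*')) {       # '*' prefix marks a SID
                    $sid = $e.Substring(1)
                    try {
                        $s = [System.Security.Principal.SecurityIdentifier]$sid
                        $name = $s.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = '(unresolved)' }
                }
                [pscustomobject]@{
                    Entry = $e; Sid = $sid; Name = $name
                    Allowed = [bool]($sid -and ($AllowedSids -contains $sid))
                }
            }
        }
    }
}
# Constructed sample export; the domain SID and RID are made up.
$sample = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'
# Entries outside the allow-list are the ones to review against policy.
Get-DelegationRightHolder -InfLines $sample | Where-Object { -not $_.Allowed }
```

Entries given as account names rather than SIDs are reported as not allowed so that they are reviewed by hand.
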
Related URL 3864 (ISS)