Allowed To Act

Description

The Source security principal is allowed to perform Kerberos Resource-Based Constrained Delegation on the Target computer. This means that it can impersonate any user when it authenticates with Kerberos to any service running on the Target computer.

Therefore, it often leads to a total compromise of the Target computer.

This attack is also known as Resource-Based Constrained Delegation (RBCD), Kerberos Resource-Based Constrained Delegation (KRBCD), Resource-Based Kerberos Constrained Delegation (RBKCD), and "allowed to act on behalf of other identity".

Exploitation

Attackers who compromise the Source security principal can use dedicated hacker tools such as Rubeus to exploit legitimate Kerberos protocol extensions (S4U2self and S4U2proxy) in order to forge Kerberos service tickets and impersonate the targeted user. Attackers will likely choose to impersonate a privileged user to obtain privileged access.

Once attackers forge the service ticket, they can use any native administration tool or specialized hacker tool compatible with Kerberos to execute remotely arbitrary commands.

A successful exploitation attempt must meet the following constraints:

  • The Source and Target security principals must have a ServicePrincipalName. Tenable Identity Exposure does not create this attack relation without this condition.

  • The account targeted for spoofing must neither be marked "is sensitive and cannot be delegated" (ADS_UF_NOT_DELEGATED in UserAccountControl) nor be a member of the "Protected Users" group because Active Directory protects such accounts from delegation attacks.

Remediation

If the Source security principal does not need permission to perform Kerberos Resource-Based Constrained Delegation (RBCD) on the Target computer, then you must remove it. You must make the modification on the Target side, as opposed to the "Allowed to delegate" delegation attack relation.

You cannot manage RBCD with existing graphical administration tools such as "Active Directory Users and Computers". You must instead use PowerShell to modify the content of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

Use the following commands to list the Source security principals allowed to act on the Target (in the "Access:" section):

Copy
Get-ADComputer target -Properties msDS-AllowedToActOnBehalfOfOtherIdentity | Select-Object -ExpandProperty msDS-AllowedToActOnBehalfOfOtherIdentity | Format-List

If you do not want any of the listed security principals is desired, you can clear all of them with this command:

Copy
Set-ADComputer target -Clear "msDS-AllowedToActOnBehalfOfOtherIdentity"

If you only need to remove one security principal from the list, Microsoft unfortunately does not provide a direct command. You must overwrite the attribute with the same list minus the one to remove. For example, if "sourceA", "sourceB" and "sourceC" were all allowed and you want to remove just "sourceB", run:

Copy
Set-ADComputer target -PrincipalsAllowedToDelegateToAccount (Get-ADUser sourceA),(Get-ADUser sourceC)

Finally, as a general recommendation, in order to limit the exposure of sensitive privileged accounts to such delegation attacks, Tenable Identity Exposure recommends that you mark them as "is sensitive and cannot be delegated" (ADS_UF_NOT_DELEGATED) or add them to the "Protected Users" group, after careful verification of the associated operational impacts.

See also