Dangerous Kerberos Delegation

The Kerberos protocol, which is central to Active Directory security, permits select servers to reuse user credentials. If an attacker compromises one of these servers, they could steal these credentials and use them to authenticate to other resources.

This critical-level Indicator of Exposure (IoE) reports all accounts that have delegation attributes, excluding disabled accounts. Privileged users should not have delegation attributes. To protect these user accounts, add them to the "Protected Users" group or mark them as "Account is sensitive and cannot be delegated".
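
One way to approximate this check over exported account records, as an added example that is not the product's own logic or code from this page: it decodes the `userAccountControl` delegation bits, skips disabled accounts, and lists privileged accounts that are neither marked sensitive nor in "Protected Users". The record layout (dictionaries keyed by LDAP attribute name), the use of `adminCount == 1` as the privileged marker, and all sample accounts are assumptions made for the example.

```python
ACCOUNTDISABLE = 0x0002
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

def delegation_types(acct):
    """Return the kinds of delegation configured on one account record."""
    uac = acct["userAccountControl"]
    checks = [
        ("unconstrained", uac & TRUSTED_FOR_DELEGATION),
        ("constrained", acct.get("msDS-AllowedToDelegateTo")),
        ("protocol-transition", uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
        ("resource-based", acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity")),
    ]
    return [name for name, hit in checks if hit]

def is_shielded(acct):
    """True if delegation is blocked: sensitive flag set or member of Protected Users."""
    groups = [dn.lower() for dn in acct.get("memberOf", [])]
    in_protected = any(dn.startswith("cn=protected users,") for dn in groups)
    return bool(acct["userAccountControl"] & NOT_DELEGATED) or in_protected

def audit(accounts):
    """Skip disabled accounts; report delegation holders and unshielded privileged accounts."""
    report = {"delegation": {}, "unshielded_privileged": []}
    for acct in accounts:
        if acct["userAccountControl"] & ACCOUNTDISABLE:
            continue
        kinds = delegation_types(acct)
        if kinds:
            report["delegation"][acct["sAMAccountName"]] = kinds
        # Assumption: adminCount == 1 marks a privileged account in this example.
        if acct.get("adminCount") == 1 and not is_shielded(acct):
            report["unshielded_privileged"].append(acct["sAMAccountName"])
    return report

# Constructed sample records (not real directory data).
SAMPLE = [
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "old-app", "userAccountControl": 0x200 | 0x2 | 0x80000},
    {"sAMAccountName": "adm-alice", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "adm-bob", "userAccountControl": 0x200 | 0x100000, "adminCount": 1},
    {"sAMAccountName": "adm-carol", "userAccountControl": 0x200, "adminCount": 1,
     "memberOf": ["CN=Protected Users,CN=Users,DC=example,DC=test"]},
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample data, `old-app` is skipped because it is disabled, and `adm-alice` is the only privileged account left open to delegation.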