Prevent Unconstrained Delegation in Domain Services
Ensure computer accounts are not configured for unconstrained delegation, so that a compromised server cannot be used to impersonate other accounts.
Plain language
Unconstrained delegation is a setting that, if misconfigured, can allow attackers to impersonate others in your network. It's crucial to prevent this to avoid sensitive information being exposed or systems being misused by those who shouldn’t have access.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Computer accounts are not configured for unconstrained delegation.
Why it matters
Unconstrained delegation could let attackers impersonate privileged users and access domain resources, exposing sensitive data and compromising critical systems.
Operational notes
Audit AD computer accounts for "Trust this computer for delegation" and ensure unconstrained delegation is disabled; investigate and remediate any accounts with it enabled.
Implementation tips
- The IT team should review the current delegation settings on server accounts to ensure they are not set for unconstrained delegation. This involves using administrator tools to check each server's properties and ensure that sensitive configurations are disabled.
- System administrators need to document each server’s delegation settings. They should capture which servers have constrained delegation enabled and keep a record in a secured document.
- Managers should verify that all team members responsible for server management understand the risks associated with unconstrained delegation. Host a training session to explain these risks and the importance of configuring delegation correctly.
- The IT manager should schedule regular audits of the server settings. Use a checklist detailing the correct configurations and check that each server aligns with these security practices.
- System owners should implement a change management process. This ensures any changes to delegation settings are documented and approved by a responsible person before being applied, preventing accidental exposures or misconfigurations.
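The operational note and the first two implementation tips both come down to the same task: enumerate every computer account's delegation setting, record it, and flag anything set to unconstrained delegation. The following PowerShell is an added example, not code from the Control Stack page or the ISM. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the report path is a placeholder.

```powershell
# Added example (not part of the Control Stack page or the ISM): inventory AD
# computer accounts' delegation settings and flag unconstrained delegation.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$reportPath = 'C:\Audit\delegation-settings.csv'   # placeholder path

# TrustedForDelegation is the TRUSTED_FOR_DELEGATION (0x80000) bit of
# userAccountControl, which the "Trust this computer for delegation to any
# service (Kerberos only)" option sets. Domain controllers (primaryGroupID 516)
# carry this bit by design, so they are reported but kept separate.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo',
         'primaryGroupID', 'OperatingSystem', 'whenChanged'

$inventory = Get-ADComputer -Filter * -Properties $props | ForEach-Object {
    $mode = if ($_.TrustedForDelegation)          { 'Unconstrained' }
            elseif ($_.'msDS-AllowedToDelegateTo') { 'Constrained' }
            else                                   { 'None' }
    [pscustomobject]@{
        Name               = $_.Name
        DistinguishedName  = $_.DistinguishedName
        DelegationMode     = $mode
        ProtocolTransition = [bool]$_.TrustedToAuthForDelegation
        AllowedTargets     = (@($_.'msDS-AllowedToDelegateTo') -join ';')
        IsDomainController = ($_.primaryGroupID -eq 516)
        OperatingSystem    = $_.OperatingSystem
        LastChanged        = $_.whenChanged
    }
}

# The documentation record: every computer account with its delegation mode.
$inventory | Export-Csv -Path $reportPath -NoTypeInformation

# Findings against ISM-1935: unconstrained delegation on any account that is
# not a domain controller. Each one needs investigation before remediation.
$findings = $inventory |
    Where-Object { $_.DelegationMode -eq 'Unconstrained' -and -not $_.IsDomainController }
$findings | Format-Table Name, OperatingSystem, LastChanged -AutoSize

# Remediation, to run only after investigation and change approval
# (remove -WhatIf to apply the change).
foreach ($f in $findings) {
    Set-ADComputer -Identity $f.DistinguishedName -TrustedForDelegation $false -WhatIf
}
```

Run this under a change-managed audit account; the CSV is the evidence record the audit tips ask for, and the `-WhatIf` loop lets the approved change be reviewed before it is applied. Domain controllers appear in the inventory with `IsDomainController` set so that a reviewer can see they were checked rather than silently skipped.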
Audit / evidence tips
- Ask for the server configuration audit logs: request logs that detail changes to server settings concerning delegation.
  Good evidence shows logs with approved changes and dates indicating regular audits.
- Ask for documentation on delegation settings: obtain the record that lists the delegation settings of each server.
  Good evidence includes a detailed list with each server clearly marked.
- Ask for training records: request evidence of training sessions conducted on the risks of unconstrained delegation.
  Good evidence contains dates, a list of attendees, and topics covered.
- Ask for change management records: request proof of change management processes for delegation settings.
  Good evidence includes dates, detailed change descriptions, and responsible approvers.
- Ask for a report on security incidents: request any incident reports related to delegation settings.
  Good evidence includes resolved incidents with actions taken to prevent future occurrences.
Cross-framework mappings
How ISM-1935 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Mapping | Notes |
|---|---|---|
| Annex A 8.9 | Partially meets | ISM-1935 mandates that Active Directory computer accounts are not configured for unconstrained delegation, a specific security measure to... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.