ISM-1935 ASD Information Security Manual (ISM)

Prevent Unconstrained Delegation in Domain Services

Ensure computer accounts do not allow unrestricted delegation to protect security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2024

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Computer accounts are not configured for unconstrained delegation.

Source: ASD Information Security Manual (ISM)

Plain language

Unconstrained delegation is a setting that, if misconfigured, can allow attackers to impersonate others in your network. It's crucial to prevent this to avoid sensitive information being exposed or systems being misused by those who shouldn’t have access.

Why it matters

Unconstrained delegation could let attackers impersonate privileged users and access domain resources, exposing sensitive data and compromising critical systems.

Operational notes

Audit AD computer accounts for "Trust this computer for delegation" and ensure unconstrained delegation is disabled; investigate and remediate any accounts with it enabled.

Implementation tips

  • The IT team should review the current delegation settings on server accounts to ensure they are not set for unconstrained delegation. This involves using administrator tools to check each server's properties and ensure that sensitive configurations are disabled.
  • System administrators need to document each server’s delegation settings. They should capture which servers have constrained delegation enabled and keep a record in a secured document.
  • Managers should verify that all team members responsible for server management understand the risks associated with unconstrained delegation. Host a training session to explain these risks and the importance of configuring delegation correctly.
  • The IT manager should schedule regular audits of the server settings. Use a checklist detailing the correct configurations and check that each server aligns with these security practices.
  • System owners should implement a change management process. This ensures any changes to delegation settings are documented and approved by a responsible person before being applied, preventing accidental exposures or misconfigurations.
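
One way to run the audit from the operational notes and produce the per-server delegation record from the implementation tips, as an added example (not Control Stack or ASD code). It assumes the ActiveDirectory PowerShell module and a hypothetical report path; domain controllers carry the unconstrained delegation flag by default, so the example lists them separately, which is an assumption about scoping rather than part of the control statement.

```powershell
# Added example: inventory delegation settings on AD computer accounts.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: evidence file location; change to suit your record-keeping.
$reportPath = '.\computer-delegation-audit.csv'

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'PrimaryGroupID', 'OperatingSystem', 'whenChanged'

$report = Get-ADComputer -Filter * -Properties $props | ForEach-Object {
    # Constrained delegation targets (SPNs); empty when none are configured.
    $targets = @($_.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # 516 = Domain Controllers, 521 = Read-only Domain Controllers.
    $isDc = $_.PrimaryGroupID -in 516, 521

    # "Trust this computer for delegation to any service" sets TrustedForDelegation.
    $delegation = 'None'
    if ($_.TrustedForDelegation) { $delegation = 'Unconstrained' }
    elseif ($targets.Count -gt 0) { $delegation = 'Constrained' }

    [pscustomobject]@{
        Name                = $_.Name
        DistinguishedName   = $_.DistinguishedName
        Delegation          = $delegation
        ProtocolTransition  = [bool]$_.TrustedToAuthForDelegation
        AllowedToDelegateTo = $targets -join ';'
        DomainController    = $isDc
        OperatingSystem     = $_.OperatingSystem
        WhenChanged         = $_.whenChanged
    }
}

# Full record of delegation settings, one row per computer account.
$report | Sort-Object Delegation, Name |
    Export-Csv -Path $reportPath -NoTypeInformation

# Accounts to investigate: unconstrained delegation on anything that is not a DC.
$findings = @($report | Where-Object {
    $_.Delegation -eq 'Unconstrained' -and -not $_.DomainController
})
$findings | Format-Table Name, OperatingSystem, WhenChanged -AutoSize
Write-Host ("{0} non-DC computer account(s) with unconstrained delegation" -f $findings.Count)
```

The CSV doubles as the dated delegation record an auditor can ask for; rerunning it on a schedule and comparing the WhenChanged column against change records shows whether each change was approved.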

Audit / evidence tips

  • Ask: the server configuration audit logs: Request logs that detail changes to server settings concerning delegation

    Good: shows logs with approved changes and dates indicating regular audits

  • Ask: documentation on delegation settings: Obtain the record that lists the delegation settings of each server

    Good: includes a detailed list with each server clearly marked

  • Ask: training records: Request evidence of training sessions conducted on the risks of unconstrained delegation

    Good: contains dates, list of attendees, and topics covered

  • Ask: change management records: Request proof of change management processes for delegation settings

    Good: includes dates, detailed change descriptions, and responsible approvers

  • Ask: a report on security incidents: Request any incident reports related to delegation settings

    Good: includes resolved incidents with actions taken to prevent future occurrences

Cross-framework mappings

How ISM-1935 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.9 ISM-1935 mandates that Active Directory computer accounts are not configured for unconstrained delegation, a specific security measure to...
