CCE-99802-1Platform: cpe:/o:microsoft:windows_server_2019 | Date: (C)2022-07-28 (M)2023-07-04 |
Remote host allows delegation of non-exportable credentials
When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host.
If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host.
Fix:
(1) GPO: Computer ConfigurationAdministrative TemplatesSystemCredentials DelegationRemote host allows delegation of non-exportable credentials
(2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsCredentialsDelegation!AllowProtectedCreds
Parameter:
[enable/disable]
Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\System\Credentials Delegation\Remote host allows delegation of non-exportable credentials
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowProtectedCreds
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.1 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:82107 |