From 3851b733d8ae49b97c7a12d1a0568eb48d380d56 Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Tue, 22 Oct 2024 10:04:34 +0200 Subject: [PATCH] Update ensure-privileged-accounts-with-sensitive-flag.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are a few problems with this article: - It does not explicitly mention RWDC, I assume that when RODCs are sensitive enough this also applies to RWDCs. - The remediation steps in the article only work for users, computers do not have the tab with this flag. E.g. computers can use the “set-adcomputer -AccountNotDelegated $true”. --- ATPDocs/ensure-privileged-accounts-with-sensitive-flag.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ATPDocs/ensure-privileged-accounts-with-sensitive-flag.md b/ATPDocs/ensure-privileged-accounts-with-sensitive-flag.md index 5cbc3002..a62e7bad 100644 --- a/ATPDocs/ensure-privileged-accounts-with-sensitive-flag.md +++ b/ATPDocs/ensure-privileged-accounts-with-sensitive-flag.md @@ -14,7 +14,7 @@ ms.date: 10/05/2024 # Security Assessment: Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated" -This recommendation lists all privileged accounts that lack the "account is sensitive and cannot be delegated" flag. Privileged accounts are accounts that are being members of a privileged group such as Domain admins, Schema admins, Read only domain controllers and so on.  +This recommendation lists all privileged accounts that lack the "account is sensitive and cannot be delegated" flag. Privileged accounts are accounts that are being members of a privileged group such as Domain admins, Schema admins, writable domain controllers, Read only domain controllers and so on.  ## Organization risk 
@@ -30,6 +30,11 @@ If the sensitive flag is disabled, attackers could exploit Kerberos delegation t ![Screenshot showing admin in AD.](media/ensure-privileged-accounts-with-sensitive-flag/administrator-properties.png) +With Powershell, you can set the flag using one of: +Set-ADUser -Identity -AccountNotDelegated $true +Set-ADComputer -Identity -AccountNotDelegated $true +Set-ADServiceAccount -Identity <(g|d)MSA> -AccountNotDelegated $true + ## Next steps [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
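Review bot: on the first hunk, adding "writable domain controllers" to the list of privileged groups rests on the assumption stated in the commit message ("I assume that when RODCs are sensitive enough this also applies to RWDCs") rather than on a confirmed list of what the assessment evaluates; please verify against the groups the assessment actually checks before merging, so the article does not list a group the recommendation never reports on. While this sentence is being touched, "accounts that are being members of a privileged group" would read better as "accounts that are members of a privileged group".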
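Review bot: on the second hunk, the three added cmdlet lines have no value after `-Identity` (as shown, `Set-ADUser -Identity -AccountNotDelegated $true` will not parse, because `-Identity` requires an argument; only the service-account line kept a `<(g|d)MSA>` placeholder), and they are placed as plain markdown text, so they will render as one run-on paragraph instead of three commands. Suggest wrapping them in a fenced `powershell` code block with an explicit placeholder on each line, for example `Set-ADUser -Identity <SamAccountName> -AccountNotDelegated $true` and `Set-ADComputer -Identity <ComputerName> -AccountNotDelegated $true`, and spelling the product name "PowerShell". A short sentence noting that these cmdlets come from the ActiveDirectory module (RSAT) would also help readers who hit "command not found" on a workstation.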