👉 Overview
👀 What?
Windows Resource-based Constrained Delegation (RBCD) is a security feature of Microsoft's Active Directory (AD) that lets a service impersonate a user to other services, but only within configured limits. It was designed for enterprise environments where services must act on behalf of users, while keeping the security risk that comes with service impersonation to a minimum.
🧐 Why?
RBCD matters because it lets administrators control which services may impersonate users, and to which other services. That gives a balance between functionality and security in complex enterprise environments. Without such controls, any compromised service could impersonate any user to any other service, which can end in a full domain compromise.
⛏️ How?
To use RBCD, administrators first enable it in the AD domain. They then configure the security descriptor of each service that needs delegation rights, specifying which users it may impersonate and to which other services. That security descriptor is an Access Control List (ACL) naming the users and services permitted for delegation. Administrators can set it with PowerShell commands or through the Active Directory Users and Computers management console.
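As an added example, not code from the original page, the PowerShell path described above: granting delegation, verifying it, and auditing every computer in the domain for unexpected entries in the RBCD security descriptor. It assumes the ActiveDirectory module is available and uses the placeholder hosts WEB01 (the front-end service allowed to delegate) and SQL01 (the resource being delegated to).

```powershell
# Added example, not from the original page. WEB01 and SQL01 are hypothetical
# placeholders; replace them with the front-end service and resource in your domain.
Import-Module ActiveDirectory

$frontEnd = Get-ADComputer -Identity 'WEB01'
$resource = 'SQL01'

# 1. Configure: the setting lives on the resource (SQL01). Only the listed
#    principals may present tickets on behalf of users to that resource.
Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $frontEnd

# 2. Verify the friendly view of what was just written.
Get-ADComputer -Identity $resource -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# 3. Audit the whole domain: decode the security descriptor stored in
#    msDS-AllowedToActOnBehalfOfOtherIdentity on every computer that has one and
#    list each principal granted delegation. An entry nobody can account for is
#    a change worth investigating, because that principal can act as users
#    toward the resource.
$attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
Get-ADComputer -Filter "$attr -like '*'" -Properties $attr | ForEach-Object {
    $raw = $_.$attr
    # The AD module may already hand back a parsed ActiveDirectorySecurity object;
    # otherwise decode the raw binary security descriptor ourselves.
    if ($raw -is [System.DirectoryServices.ActiveDirectorySecurity]) {
        $sd = $raw
    } else {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$raw)
    }
    foreach ($ace in $sd.Access) {
        [pscustomobject]@{
            Resource  = $_.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Type      = $ace.AccessControlType
        }
    }
}

# 4. Remove the delegation once it is no longer needed (clears the attribute).
# Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $null
```

Step 3 is the one to schedule and keep the output of, so that a newly appearing principal on any resource stands out against the previous run.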
⏳ When?
RBCD was introduced in Windows Server 2012 R2 as an enhancement to the original Kerberos Constrained Delegation (KCD) feature, and it has been included in every Windows Server version since.
⚙️ Technical Explanations
RBCD works by modifying the Ticket-Granting Ticket (TGT) that Kerberos uses for authentication. When a service requests a TGT for a user, the Key Distribution Center (KDC) consults the service's security descriptor. If RBCD is enabled and the service is permitted to impersonate that user to the target service, the KDC includes the service's Security Identifier (SID) in the TGT. When the service presents the TGT to the target service, the target compares the SID against its own security descriptor; if the SID is listed, the request is processed as though it came directly from the user.