[00:00:01] Now let's say you're doing some PowerShell-based administration. So as you can see at left here, we've got us working at our administrative workstation, and let's say we're going to do some PowerShell remoting and we're going to connect as ourselves, so we want to transmit, or project, our domain admin identity onto that remote server, Server1. Well, that'll work just fine, especially in a domain environment where you don't have to worry about the trusted hosts.

[00:00:32] The problem comes in, and this is called the Kerberos second hop problem, where once you've remoted into Server1, if you then want to do a second hop and continue your PowerShell administration from Server1, say to Server2, and in particular the PowerShell that you run on Server2 you want to continue to run under your credentials, this is actually blocked by default. And it's blocked for security reasons, because if somebody were to breach a high-value user account and you had delegation enabled by default, this would make lateral movement throughout your domain much, much easier. So this notion of Kerberos constrained delegation, or optionally CredSSP delegation, is something that you only want to use when you need it, and you want to really constrain it. That's why it's called constrained delegation, because of those security concerns.

[00:01:28] In fact, again, a callout to a previous lesson in this course: we saw that the Protected Users group and the authentication policy silos, part of those protections involve restricting the ability of those accounts to be delegated. Again, that's all in the name of protecting and limiting the attack surface in your domain.

[00:01:49] So anyway, if you do have a legit need to hop from one server to another, you can configure those machines, using either Kerberos delegation or the CredSSP protocol, to serve as CredSSP servers and clients. So in this case, we would configure Server1 as being authorized to delegate our credentials to yet other machines. I'll show you a bit more about how that works in the upcoming demo.
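The configuration the narrator is describing, written out as an added example (editor's code, not part of the course or of the upcoming demo). It reproduces the blocked second hop, then shows the two ways to authorize it: resource-based constrained delegation on Server2's computer object, which keeps the password off Server1 and limits Server1 to that one target, and CredSSP, which works by handing Server1 a reusable copy of your credential. The hostnames Server1 and Server2, the DNS suffix corp.example, the account CORP\adminuser and the presence of the RSAT ActiveDirectory module are all assumptions; run it from the administrative workstation as a domain admin.

```powershell
# Added example, not from the course. Server1/Server2, corp.example and
# CORP\adminuser are placeholder names; the ActiveDirectory module is assumed.
$Server1 = 'Server1.corp.example'
$Server2 = 'Server2.corp.example'

# --- 1. The second hop as it fails by default ------------------------------
# Hop 1 (workstation -> Server1) is plain Kerberos and works. Hop 2 runs on
# Server1 with a ticket that cannot be forwarded, so the inner call is denied.
try {
    Invoke-Command -ComputerName $Server1 -ErrorAction Stop -ScriptBlock {
        Invoke-Command -ComputerName $using:Server2 -ErrorAction Stop -ScriptBlock { whoami }
    }
} catch {
    Write-Warning "Second hop blocked as expected: $($_.Exception.Message)"
}

# --- 2. Option A: resource-based constrained delegation (preferred) --------
# The resource (Server2) states which principals may impersonate users to it.
# No password reaches Server1; the KDC issues the Server2 ticket via S4U2Proxy,
# and Server1 can impersonate you to Server2 only, hence "constrained".
Import-Module ActiveDirectory
$s1 = Get-ADComputer -Identity 'Server1'
Set-ADComputer -Identity 'Server2' -PrincipalsAllowedToDelegateToAccount $s1

# Check: the attribute on Server2's object should now list Server1's DN.
Get-ADComputer -Identity 'Server2' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# Server1's machine account still caches the old ticket; purge the SYSTEM
# logon session's cache (LUID 0x3e7) so it fetches a fresh one.
Invoke-Command -ComputerName $Server1 -ScriptBlock { klist purge -li 0x3e7 | Out-Null }

# The hop now runs on Server2 as you, with Kerberos end to end.
Invoke-Command -ComputerName $Server1 -ScriptBlock {
    Invoke-Command -ComputerName $using:Server2 -ScriptBlock { whoami }
}

# To revoke later: clear the attribute on the resource.
# Set-ADComputer -Identity 'Server2' -PrincipalsAllowedToDelegateToAccount $null

# --- 3. Option B: CredSSP (only when Option A is not possible) ------------
# Workstation side: allow delegating a fresh credential to Server1 and nothing else.
Enable-WSManCredSSP -Role Client -DelegateComputer $Server1 -Force
# Server1 side: accept delegated credentials.
Invoke-Command -ComputerName $Server1 -ScriptBlock { Enable-WSManCredSSP -Role Server -Force }

$cred = Get-Credential -UserName 'CORP\adminuser' -Message 'Account to delegate via CredSSP'
Invoke-Command -ComputerName $Server1 -Credential $cred -Authentication Credssp -ScriptBlock {
    # Server1 now holds a reusable copy of the password for the session's
    # lifetime. That is the exposure the narrator warns about: anything that
    # can read LSASS on Server1 can reuse the domain admin anywhere.
    Invoke-Command -ComputerName $using:Server2 -ScriptBlock { whoami }
}

# Remove CredSSP again as soon as the task is finished.
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName $Server1 -ScriptBlock { Disable-WSManCredSSP -Role Server }
```

Two checks worth running afterwards: `Get-WSManCredSSP` on the workstation should report that CredSSP delegation is not enabled once step 3 has been reverted, and any account you placed in Protected Users in the earlier lesson will fail both options by design, since those accounts are marked non-delegable and CredSSP will not cache their credential.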