Skip to content

Commit 9cff831

Browse files
LiorShapiraaLiorShapiraa
authored
Update ensure-privileged-accounts-with-sensitive-flag.md
1 parent 58e3aff commit 9cff831

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

ATPDocs/ensure-privileged-accounts-with-sensitive-flag.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ This recommendation lists all privileged accounts that don't have the "not deleg
1818

1919
## Organization risk
2020

21-
If the sensitive flag is disabled, attackers could exploit Kerberos delegation to misuse privileged account credentials, leading to unauthorized access, lateral movement, and potential network-wide security breaches. Setting the sensitive flag on privileged user accounts will prevent users from gaining access to the account and manipulating system settings.
21+
If the sensitive flag is disabled, attackers could exploit Kerberos delegation to misuse privileged account credentials, leading to unauthorized access, lateral movement, and potential network-wide security breaches. Setting the sensitive flag on privileged user accounts prevent users from gaining access to the account and manipulating system settings.
2222
For device accounts, setting them to "not delegated" is important to prevent it from being used in any delegation scenario, ensuring that credentials on this machine cannot be forwarded to access other services.
2323

2424
## Remediation steps
@@ -27,7 +27,7 @@ For device accounts, setting them to "not delegated" is important to prevent it
2727

2828
1. Take appropriate action on those accounts:
2929

30-
- For user accounts: by setting the account's control flags to "this account is sensitive and cannot be delegated." Under the Account tab, select the check box to this flag in the Account Options section. This will prevent users from gaining access to the account and manipulating system settings.  
30+
- For user accounts: by setting the account's control flags to "this account is sensitive and cannot be delegated." Under the Account tab, select the check box to this flag in the Account Options section. This prevents users from gaining access to the account and manipulating system settings.  
3131
![Screenshot of user profile.](media/ensure-privileged-accounts-with-sensitive-flag/administrator-properties.png)
3232

3333
- For device accounts:

0 commit comments

Comments
 (0)