What should you do to remediate unsecure Kerberos delegation risks in Microsoft Defender for Identity?


Enhance your cybersecurity skills with the Microsoft Security Operations Analyst (SC-200) Exam. Explore topics with multiple choice questions and detailed explanations. Prepare effectively and become a certified Security Operations Analyst!

To remediate unsecure Kerberos delegation risks in Microsoft Defender for Identity, modifying the properties of the computer objects listed as exposed entities is the most effective action. Kerberos delegation allows a service to act on behalf of a user when accessing other services, but if it is misconfigured, it can expose the network to security risks such as unauthorized access and impersonation attacks. By carefully configuring the delegation settings of computer objects, administrators can ensure that only trusted services are allowed to delegate credentials. This step is crucial for minimizing vulnerabilities associated with unsecure delegation.

Adjusting the properties may involve setting “Trust this Computer for Delegation” to “No” or ensuring that delegation is only permitted for specific services that require it. Either change reduces the attack surface and leaves sensitive data less exposed to potential attackers. Proper management and oversight of these properties are a fundamental part of securing Kerberos delegation and protecting the identity of users and services within the network.
