KT-IAS Privilege escalation

A service account in Active Directory has unconstrained delegation. Why is this a critical escalation risk?

Multiple choice — select one answer

Answer choices

  1. a. It disables NTLM company-wide, using shared credentials instead of individual accountability.
  2. b. It only affects password expiration policy, without security or identity team coordination per policy.
  3. c. It encrypts all file shares automatically, without security or identity team coordination per policy.
  4. d. Compromise of the service account can yield Kerberos TGTs usable against other hosts

Architectural breakdown & explanation

Unconstrained delegation allows TGT theft and lateral movement—high severity misconfiguration.

Correct answer(s): d. Compromise of the service account can yield Kerberos TGTs usable against other hosts

Exam domain: Privilege escalation (20% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Identity & Access Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.