Security assessment: Remove access rights on suspicious accounts with the Admin SDHolder permission
This article describes the Remove access rights on suspicious accounts with the Admin SDHolder permission security assessment, which highlights risky access rights on suspicious accounts.
Why might the Admin SDHolder permission be risky?
Having non-sensitive accounts with Admin SDHolder (security descriptor holder) permissions can have significant security implications, including:
- Leading to unauthorized privilege escalation, where attackers can exploit these accounts to gain administrative access and compromise sensitive systems or data
- Increasing the attack surface, making it harder to track and mitigate security incidents, potentially exposing the organization to greater risks.
How do I use this security assessment to improve my organizational security posture?
Review the recommended action at https://security.microsoft.com/securescore?viewid=actions for Remove access rights on suspicious accounts with the Admin SDHolder permission.
For example:
Review the list of exposed entities to discover which of your non-sensitive accounts have the Admin SDHolder permission.
Take appropriate action on those entities by removing their privileged access rights. For example:
- Use the ADSI Edit tool to connect to your domain controller.
- Browse to the CN=System> CN=AdminSDHolder container and open the CN=AdminSDHolder container properties.
- Select the Security tab > Advanced, and remove any non-sensitive entities. These are the entities marked as exposed in the security assessment.
For more information, see Active Directory Service Interfaces and ADSI Edit documentation
To achieve the full score, remediate all exposed entities.
Note
While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as Completed.