Ensure SDProp Consistency

Attackers who compromise an Active Directory domain commonly change the ACL of the adminSDHolder object, and any permission they add to the ACL gets copied to privileged users, making it easy to set up backdoors.

This critical-level IoE checks that the permissions set on the adminSDHolder object allow only privileged access to administrative accounts.

To remediate a deviant object from the Ensure SDProp Consistency IoE:

1. In Tenable Identity Exposure, click Indicators of Exposure in the navigation pane to open it.

   By default, Tenable Identity Exposure shows only the IoEs that contain deviant objects.

2. Click on the tile for the Ensure SDProp Consistency IoE.

   

   The Indicator details pane opens.

3. Hover over and click on the deviant object to show its details. Note the domain name and the associated permission that Tenable Identity Exposure flagged. (In this example: OLYMPUS.CORP .\unpriv)

   

4. In Remote Desktop Manager (or similar tool), locate the domain name and navigate to System > AdminSDHolder.

   Required permission: You must have an administrator account on the domain to perform the procedure.

5. Right-click AdminSDHolder and select Properties from the contextual menu.

   

6. In the Properties dialog box, select the Security tab and click Advanced.

7. In the Advanced Security Settings window and in the Permissions tab, select the permission that raised the alert from the list of permission entries.

8. Click Remove.
9. Click Apply and OK to close the settings window.
10. Click OK to close the Properties window.

11. In Tenable Identity Exposure, return to the Indicator details pane and refresh the page.

    The deviant object no longer appears in the list.