Module 4

4.5

Remediation Guidance

“Patch the system” is not remediation guidance. Neither is “follow security best practices.” Remediation guidance that clients actually use is specific, prioritized, and actionable.

Three rules for strong remediation:

Be specific. Not “change the password” — instead: “rotate the svc_adbackup password to a randomly generated string of 25+ characters, revoke its DCSync rights immediately, and migrate the account to a Group Managed Service Account (gMSA) so that its credential is no longer human-managed going forward.”

Prioritize. If you list ten remediation items with no priority, the client will start with the easiest, not the most important. Explicitly rank by risk and mark what to do first.

Acknowledge trade-offs. Some remediations are easy. Some require downtime, application changes, or organizational buy-in. Acknowledge the effort level so the client can plan.

Three remediation recommendations need improvement. Identify what’s wrong with each and select the stronger alternative.

Challenge

Improve Remediation Guidance


Scenario

Review each remediation recommendation and select the stronger version.

Question 1 of 3

Finding: svc_adbackup — Kerberoastable service account with weak password and DCSync rights.

Question 2 of 3

Finding: No account lockout policy configured.

Question 3 of 3

Finding: Excessive Domain Admin group membership — 9 members, 7 unexpected.
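Specific remediation guidance is also testable guidance: the client should be able to run a check and see whether each item is closed. The script below is an added example, not part of the module's material, showing the post-remediation verification a defender would run for the three findings above. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host with read access to the domain head's ACL; the approved Domain Admins roster, the 30-day rotation window and the account name format are constructed assumptions to be replaced with the client's own values.

```powershell
# Added example, not part of the module: post-remediation verification for the
# three findings above. Assumes the RSAT ActiveDirectory module on a domain-joined
# host. $approvedDomainAdmins and $maxPasswordAgeDays are constructed placeholders.
Import-Module ActiveDirectory

$approvedDomainAdmins = @('Administrator', 'da-alice')   # constructed example roster
$serviceAccount       = 'svc_adbackup'
$maxPasswordAgeDays   = 30                                # assumed rotation window

# Extended-right GUIDs that together grant DCSync:
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
$replicationRights = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcc2',
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcc2'
)

function Test-ServiceAccountRemediation {
    # Finding 1: password rotated recently, and the account no longer holds
    # replication rights on the domain head.
    $acct = Get-ADUser -Identity $serviceAccount -Properties PasswordLastSet, ServicePrincipalName
    $rotated = $acct.PasswordLastSet -gt (Get-Date).AddDays(-$maxPasswordAgeDays)

    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    # A principal can DCSync via the two specific rights, via "all extended rights"
    # (ExtendedRight with an empty ObjectType), or via GenericAll on the domain head.
    $holders = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights.HasFlag($genericAll) -or
                ($_.ActiveDirectoryRights.HasFlag($extendedRight) -and
                 ($_.ObjectType -eq [guid]::Empty -or
                  $replicationRights -contains $_.ObjectType.ToString()))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    $stillHasDcsync = @($holders | Where-Object { $_ -like "*\$serviceAccount" })

    [pscustomobject]@{
        Finding         = $serviceAccount
        PasswordRotated = $rotated
        StillHasSpn     = [bool]$acct.ServicePrincipalName
        DcsyncRemoved   = $stillHasDcsync.Count -eq 0
        DcsyncHolders   = $holders -join ', '   # review: should be DCs and replication roles only
    }
}

function Test-LockoutPolicy {
    # Finding 2: the default domain policy must define a lockout threshold.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Finding                  = 'Account lockout policy'
        LockoutConfigured        = $p.LockoutThreshold -gt 0
        LockoutThreshold         = $p.LockoutThreshold
        LockoutDuration          = $p.LockoutDuration
        LockoutObservationWindow = $p.LockoutObservationWindow
    }
}

function Test-DomainAdminMembership {
    # Finding 3: every member of Domain Admins, including nested members,
    # must appear on the approved roster.
    $members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName)
    $unexpected = @($members | Where-Object { $approvedDomainAdmins -notcontains $_ })
    [pscustomobject]@{
        Finding         = 'Domain Admins membership'
        MemberCount     = $members.Count
        UnexpectedCount = $unexpected.Count
        Unexpected      = $unexpected -join ', '
        Remediated      = $unexpected.Count -eq 0
    }
}

@(Test-ServiceAccountRemediation, Test-LockoutPolicy, Test-DomainAdminMembership) | Format-List
```

Each function returns an object with a boolean pass/fail field next to the evidence behind it, so the same output can go into the retest section of the report. The Finding 1 check only confirms the user object's password age and the removal of replication rights; if the account was migrated to a gMSA as the guidance recommends, `Get-ADUser` will not find the old user object and the check should be switched to `Get-ADServiceAccount`.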