Recommendations

What is the Recommendations page?

The Recommendations page displays your detections and identities by recommended solutions to potential risks.

By default, the Recommendations Overview sorts any item by importance and impacted entities, which are then grouped by recommendation summary in a sortable list.

Note: You can export the Recommendations grid as a .csv using the Download button.

How is it useful?

Recommendations provide both at-a-glance, high-level overviews of recommended security actions, as well as an in-depth summary for each individual recommendation instance. You can also view Recommendations in an ungrouped list by clicking the Ungrouped tab.

Search and filter your grouped recommendations

Grouped recommendations include all accounts that share a specific recommendation.

  1. On the Recommendations page, click the Grouped tab.

  2. To search for a(n):

    • recommendation: Enter a Recommendation Name and, optionally, select a filter. Filters include is equal to, is not equal to, Contains, Starts with, Ends with, and Does not contain.
    • level of importance: Select an Importance option from the drop-down list.
    • provider: Enter or select a provider name in the Providers list.
    • account: Enter a digit in the Accounts field and, optionally, select a filter. Filters include is equal to, is not equal to, Is greater than, Is greater than or equal to, Is less than, and Is less than or equal to.
    • total recommendation count: Enter a digit in the Total Count list. Filters include is equal to, is not equal to, Is greater than, Is greater than or equal to, Is less than, and Is less than or equal to.

Search and filter your ungrouped recommendations

Ungrouped recommendations include all recommendations. On the Accounts page, search results display automatically as you add search terms and select options.

Use a Saved filter

Select a Saved filter from the drop-down list.

Create your own filter

  1. Click Add Filter.
    The Filter Detections dialog box displays.
  2. Select And or Or to determine how you want the saved filter to refine the first data set you're entering.
  3. Optionally, click Add Filter to add a new set of filtering criteria, and select your criteria from the drop-down menus.
  4. Optionally, click Add Group to add a group of additional filters to further refine your filtered criteria.
  5. Click Apply Filter.

Use the columns

Not all columns display by default. Use the columns to search for a(n):

  • recommendation: Enter a Recommendation Name and, optionally, select a filter. Filters include is equal to, is not equal to, Contains, Starts with, Ends with, and Does not contain.
  • level of importance: Select an Importance option from the drop-down list.
  • provider: Enter or select a provider name in the Providers list.
  • location: Enter the Location name.
  • account: Enter an Account Name and, optionally, select a filter. Filters include is equal to, is not equal to, Contains, Starts with, Ends with, and Does not contain.
  • label: Enter or select a label name in the Labels list.
  • direct privilege: Enter or select a Direct Privilege. Direct privileges are the inherent rights of an account. This column is hidden by default. Use the Column icon to select the column to display.
  • True Privilege: Enter or select a True Privilege. True Privilege is the full scope of access an account could potentially gain. A True Privilege score shows what detections and recommendations put highly privileged accounts at risk.
  • date of first recommendation: Use the calendar to select a date and, optionally, select a filter. Filters include is equal to, is after or equal to, Is after, Is before or equal to, and Is before.
  • recommendation status: Select one or more options from the list. Options include New, Ignored, False positive, Resolved, and Under review.

Customize your recommendation display

Select which columns to view in your results list via the Columns icon and reorder your results by column:

  1. Click the column header to activate it.
  2. Click the arrow icon that displays to sort alphabetically or numerically.

View your recommendation details

View your Recommendation details to see a list of all accounts or entities that would benefit from the recommended action, such as enabling multi-factor authentication, identifying linked account privileges, or verifying dormant accounts.

Accounts associated multiple times with the same recommendation across separate sources are listed as Multiple.

  1. Click Quick View on any recommendation row to display a preview window, without leaving the Recommendations page. This preview provides a high-level summary to aid in quickly evaluating areas of potential risk.
  2. Click View Full Details to view additional information, or Close to return to your position on the page.

View your instance details

The Instance details page displays when you click an entity name from the Recommendation Details page. It displays an in-depth summary of the individual recommendation instance and provides the detection's severity, as well as the recommendation's description and underlying concern, and potential options for resolution.

Change or add a comment to a status

Authorized users can change the status of a recommendation, and they can include an optional comment to describe the nature of the update or change. The status change and comment history are viewable on the Recommendation Details page.

  1. Locate the status you want to update.
  2. Click Update Status.
  3. Optionally, select a new status from the drop-down menu. Options include New, In Progress, Resolved, False Positive, or Ignored.
  4. Optionally, add a comment.
  5. Click Update Status.
    Your status change and comment are saved.

Recommendations list

Each recommendation is listed below with its description, the concern it addresses, and the recommended action.

Overprivileged Azure AD Connector account
  • Description: Azure AD Connect synchronizes information from on-prem Active Directory to Azure Active Directory. It uses a special AAD service account to write information on the Azure side. In some older configurations, this account was granted Global Administrator, but this is no longer necessary for Azure AD Connect to work correctly.
  • Concern: The Azure AD Connector account does not need the Global Administrator role anymore. It unnecessarily increases the impact of this account being compromised, which is especially important because attackers like to use tools like AAD Internals to steal the Azure AD Connector password from memory on on-prem servers.
  • Action: Remove Global Administrator from the Azure AD Connector account.

Azure AD Connector account not protected by Conditional Access Policies
  • Description: Azure AD Connect synchronizes information from on-prem Active Directory to Azure Active Directory. It uses a special AAD service account to write information on the Azure side. This service account is a common target for attackers, who extract its password from memory using tools like AAD Internals. Because it typically has a very predictable access pattern (a single on-prem server authenticating over and over again), it is wise to add Conditional Access Policies to make it harder for attackers to use the account if they manage to steal its credentials.
  • Concern: An attacker steals the Azure AD Connector account's credentials and is able to use them to authenticate from their own infrastructure because no Conditional Access Policies are in place.
  • Action: Use Conditional Access Policies to restrict authentication to the Azure AD Connector account.

Account is vulnerable to Kerberoasting
  • Description: This account is vulnerable to Kerberoasting because it has a Service Principal Name (SPN) and supports RC4 encryption, which makes it easier for an attacker to crack the password.
  • Concern: This would allow an attacker to capture the hash of the password affiliated with the SPN, which could then be cracked offline using brute-force techniques.
  • Action: Disable RC4 encryption and only allow AES encryption for accounts with SPNs. Where this is not possible, limit the privileges of accounts with SPNs that allow RC4 encryption.

User account has the ability to set a blank password
  • Description: User account has the ability to set a blank password.
  • Concern: These accounts have the ability to set a blank password, which could make them vulnerable. NIST guidance recommends user-generated passwords be a minimum of 8 characters in length.
  • Action: Unless absolutely necessary, ensure the password not required attribute is not set to true.

Default Domain Admin is still enabled
  • Description: Default Domain Administrator account not disabled.
  • Concern: These accounts are well-known targets for attackers and are generally reserved for initial build activities. Given their significant level of privilege, they can present a high level of risk.
  • Action: Consider disabling the account if appropriate. In the event the account is required for recovery purposes, it may be necessary to keep the account enabled but apply additional security controls.

Accounts are susceptible to AS-REP roasting
  • Description: This account does not require preauthentication and is vulnerable to AS-REP roasting.
  • Concern: When pre-authentication is disabled for an account, an attacker can request authentication data and the domain controller returns an AS-REP message. Since part of the message is encrypted using the account password, the attacker can then attempt to brute-force the password offline.
  • Action: Ensure the account has Kerberos preauthentication enabled. In user properties, this is achieved by unchecking the Do not require Kerberos preauthentication property in account options.

Unprivileged account can escalate its privilege because of the access it has to the Active Directory domain
  • Description: An account has sensitive permissions on one or more of your Active Directory domains. These permissions allow the user to directly escalate their privilege up to full administrator-level access.
  • Concern: An attacker or malicious insider could take full control of your domain starting from this unprivileged user.
  • Action: Ensure that all accounts listed need the privileges they have to operate on the domain. If they do, treat them as privileged accounts and manage them in Password Safe.

Unprivileged account can retrieve password hashes from domain controller via DCSync attack
  • Description: An unprivileged account has the privileges to request that a domain controller send it user information, including password hashes. An attacker that compromises this account could move laterally to any other account within the domain using its password hash.
  • Concern: An attacker or malicious insider could compromise other users within this domain starting from this unprivileged user.
  • Action: Ensure that accounts really need DCSync permissions. If they do, treat them as privileged accounts.

Privileged user is not a member of the 'Protected Users' group
  • Description: The 'Protected Users' group adds extra security safeguards that make it harder to compromise privileged accounts. Most interactive, privileged accounts should be in this group. Non-interactive service accounts should not be in this group.
  • Concern: The 'Protected Users' group adds extra security safeguards that make it harder to compromise privileged accounts. Most interactive, privileged accounts should be in this group. Non-interactive service accounts should not be in this group.
  • Action: Verify that these accounts are interactive. If they are, consider adding them to the 'Protected Users' group as well as managing them with Password Safe. Use caution when adding users to this group: adding a non-interactive user may break services that use the account.

Built-in 'Guest' account is enabled
  • Description: The built-in Guest account is a common target for attackers, and is not very useful for its intended purpose. It should be disabled. If a guest account of some kind is necessary, a custom, not well-known account should be created.
  • Concern: Because this account has a well-known username, and is often poorly secured, it is a very common target for attackers. Also, it has few legitimate uses in a well-secured environment. It should almost always be disabled to reduce attack surface.
  • Action: There is no reason this account should be enabled, and it should be disabled as soon as possible.

Identity with dormant accounts
  • Description: An identity has account(s) that have not been used recently.
  • Concern: These unused accounts may be unnecessary attack surface or grant the identity unnecessary privilege.
  • Action: Verify that dormant accounts are necessary. If they are not, disable them.

Already-privileged user can escalate or regain privilege via ownership of a group
  • Description: A privileged user owns a group that grants significant privilege, and as a result can add themselves or any other user to this group, even if their existing privilege is revoked.
  • Concern: An already-privileged user may be able to escalate their privilege further, or regain privilege after it is revoked.
  • Action: Consider whether the privileged user should be the owner of this group.

MFA Not Enabled
  • Description: MFA is not required to log in to these accounts.
  • Concern: All interactive accounts should be protected by MFA to reduce the chance of compromise if credentials are stolen.
  • Action: Enable MFA for all interactive accounts.

Privileged user with an old, unrotated password
  • Description: This privileged account has not rotated its password in over a year.
  • Concern: Privileged users are targeted by attackers. The older the password for the account, the more likely it is that it has been exposed in a data breach.
  • Action: Use Password Safe to rotate the passwords of highly privileged accounts.

A dormant privileged user was found with an old, unrotated password
  • Description: This privileged account has not logged in in over three months, and has not rotated its password in over a year.
  • Concern: Dormant privileged users are targeted by attackers, as they likely have worse posture than the rest of your environment, and are less likely to be monitored. The older the password for the account, the more likely it is that it has been exposed in a data breach.
  • Action: Use Password Safe to rotate the passwords of highly privileged accounts. Consider removing dormant accounts altogether.

Privileged Azure AD account not managed by Password Safe
  • Description: An Azure AD account with significant privileges is not managed by Password Safe.
  • Concern: Privileged accounts not managed by Password Safe are more likely to be compromised.
  • Action: Manage these accounts with Password Safe.

krbtgt password has not been rotated recently
  • Description: krbtgt is a special domain account. The hash of its password encrypts ticket-granting tickets (TGTs) issued by the domain controller when Kerberos authentication is used. As a result, if its password hash is compromised, an attacker can forge TGTs for any account in the domain. Since krbtgt is not used interactively, and because of the impact of it being compromised, we recommend changing the password at least every 180 days.
  • Concern: The krbtgt password has not been rotated in more than 180 days in your environment, making it more likely that an attacker might have at some point compromised the hash, giving them the ability to act as any user in the domain using 'Golden Tickets' (i.e., forged TGTs).
  • Action: Change the krbtgt password.

Partially-revoked identity
  • Description: Identity with one major account disabled but other accounts enabled, which may indicate incomplete offboarding.
  • Concern: An identity has their primary account (in Okta or Azure Active Directory) disabled, but other secondary accounts still enabled. This may be an indicator of incomplete offboarding. A disgruntled ex-employee may still have access to these accounts, and could use them to attack the organization.
  • Action: Verify that the identity does not have improperly enabled accounts.

Unprivileged user can escalate their privilege via ownership of a group
  • Description: An unprivileged user owns a group that grants significant privilege, and as a result can add themselves or any other user to this group.
  • Concern: If this account is compromised, attackers could escalate their privilege using this vulnerability.
  • Action: Change the owner of this group.
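Several of the Active Directory items in this list map directly onto directory attributes, so they can be reproduced as checks over exported account data. The Python below is an added illustration, not BeyondTrust's code or the product's own detection logic. It evaluates the Kerberoasting, AS-REP roasting, blank-password, enabled Guest, krbtgt rotation, old and dormant privileged password, and Protected Users recommendations against constructed account records whose fields mirror the AD attributes involved (userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, lastLogonTimestamp, memberOf). The 180-day krbtgt threshold comes from the list; the following are assumptions made here: "over a year" as 365 days, "over three months" as 90 days, "has no SPN" as a stand-in for "interactive", an unset msDS-SupportedEncryptionTypes treated as RC4-capable, and the `privileged` flag standing in for however privilege is determined in your environment.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits as documented for Active Directory.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits.
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10

# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# 180 days for krbtgt is from the recommendation text; the other two
# thresholds are assumptions for "over a year" and "over three months".
KRBTGT_MAX_AGE = timedelta(days=180)
PRIV_PWD_MAX_AGE = timedelta(days=365)
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    sam: str                                    # sAMAccountName
    uac: int                                    # userAccountControl
    spns: list = field(default_factory=list)    # servicePrincipalName
    enc_types: int = 0                          # msDS-SupportedEncryptionTypes; 0 = unset
    pwd_last_set: datetime = NOW                # pwdLastSet
    last_logon: datetime = NOW                  # lastLogonTimestamp
    privileged: bool = False                    # assumed: e.g. adminCount=1 or Tier-0 membership
    member_of: list = field(default_factory=list)  # memberOf (group names)


def evaluate(a: Account) -> list:
    """Return the names of the recommendations above that apply to one account."""
    findings = []
    disabled = bool(a.uac & UF_ACCOUNTDISABLE)

    # Kerberoasting: an SPN plus RC4 available. An unset encryption-types
    # attribute is treated as RC4-capable here (simplification).
    rc4_allowed = a.enc_types == 0 or bool(a.enc_types & ENC_RC4_HMAC)
    if a.spns and not disabled and rc4_allowed:
        findings.append("Account is vulnerable to Kerberoasting")

    if a.uac & UF_DONT_REQUIRE_PREAUTH and not disabled:
        findings.append("Accounts are susceptible to AS-REP roasting")

    if a.uac & UF_PASSWD_NOTREQD:
        findings.append("User account has the ability to set a blank password")

    if a.sam.lower() == "guest" and not disabled:
        findings.append("Built-in 'Guest' account is enabled")

    if a.sam.lower() == "krbtgt":
        # krbtgt is disabled by design, so only its password age matters.
        if NOW - a.pwd_last_set > KRBTGT_MAX_AGE:
            findings.append("krbtgt password has not been rotated recently")
        return findings

    if a.privileged and not disabled:
        old_pwd = NOW - a.pwd_last_set > PRIV_PWD_MAX_AGE
        dormant = NOW - a.last_logon > DORMANT_AFTER
        if old_pwd and dormant:
            findings.append("A dormant privileged user was found with an old, unrotated password")
        elif old_pwd:
            findings.append("Privileged user with an old, unrotated password")
        # "Interactive" is approximated as "has no SPN" (assumption): service
        # accounts must not be placed in Protected Users.
        if not a.spns and "Protected Users" not in a.member_of:
            findings.append("Privileged user is not a member of the 'Protected Users' group")
    return findings


def evaluate_all(accounts) -> dict:
    """Map sAMAccountName -> applicable recommendations, omitting clean accounts."""
    report = {}
    for a in accounts:
        hits = evaluate(a)
        if hits:
            report[a.sam] = hits
    return report


# Constructed sample records, not real directory data.
SAMPLE_ACCOUNTS = [
    Account("svc_sql", UF_NORMAL_ACCOUNT, spns=["MSSQLSvc/db01.corp.example:1433"]),
    Account("svc_web", UF_NORMAL_ACCOUNT, spns=["HTTP/web01.corp.example"],
            enc_types=ENC_AES128 | ENC_AES256),
    Account("legacy_app", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_PASSWD_NOTREQD),
    Account("Guest", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    Account("krbtgt", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
            pwd_last_set=NOW - timedelta(days=400)),
    Account("da_smith", UF_NORMAL_ACCOUNT, pwd_last_set=NOW - timedelta(days=700),
            last_logon=NOW - timedelta(days=3), privileged=True,
            member_of=["Domain Admins", "Protected Users"]),
    Account("da_legacy", UF_NORMAL_ACCOUNT, pwd_last_set=NOW - timedelta(days=700),
            last_logon=NOW - timedelta(days=200), privileged=True,
            member_of=["Domain Admins"]),
]

if __name__ == "__main__":
    for sam, hits in evaluate_all(SAMPLE_ACCOUNTS).items():
        print(sam)
        for h in hits:
            print("  -", h)
```

Replacing SAMPLE_ACCOUNTS with records read from an LDAP or PowerShell export gives a quick cross-check of what the grid reports; svc_web shows how an AES-only SPN account drops out of the Kerberoasting finding while svc_sql, with the attribute unset, is still flagged.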

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.