Because members of the service administrator groups are highly privileged, they constitute an attractive target for attackers. Therefore, the membership information of these groups should be guarded as much as possible. For maximum security, it is best to hide the membership information for all service administrator groups from regular users. However, the default security descriptor on AdminSDHolder that is used to protect service administrator groups allows their membership information to be visible to regular users.

It is possible to tighten security further by removing access for Authenticated Users from the security descriptor on AdminSDHolder. Because this can cause some server-based applications to stop functioning, care must be taken when doing this. Systematically remove access for Authenticated Users by performing the following set of tasks:

If you have not already done so, disable Pre-Windows 2000 Compatible Access for your domain. For more information, see "Disabling Pre-Windows 2000 Compatible Access" earlier in this guide.

Create a group called "Server Applications," and grant it Read access to AdminSDHolder by adding the ACE, as shown in Table 40.

Add the individual service accounts used by your applications that require the ability to enumerate group membership of the service administrator groups to this group.

Remove the Authenticated User entry and the Pre-Windows 2000 Compatible Access entry from the security descriptor.

At this point, your service administrator accounts should not be visible to regular users on your network. Because it is impossible to predict the impact on every application, closely monitor applications running in your environment, and make sure that they still function properly. If you observe application problems, simply add Authenticated Users as a member of the newly created Server Applications group to restore functionality while you diagnose how to remove the application dependency.