Microsoft Security Advisory 4056318
Guidance for securing AD DS account used by Azure AD Connect for directory synchronization
Published: December 12, 2017
Microsoft is releasing this security advisory to provide information regarding security settings for the AD DS (Active Directory Domain Services) account used by Azure AD Connect for directory synchronization. This advisory also provides guidance on what on-premises AD administrators can do to ensure that the account is properly secured.
Azure AD Connect lets customers synchronize directory data between their on-premises AD and Azure AD. Azure AD Connect requires the use of an AD DS user account to access the on-premises AD. This account is sometimes referred to as the AD DS connector account. When setting up Azure AD Connect, the installing administrator can either:
- Provide an existing AD DS account, or
- Let Azure AD Connect automatically create the account. The account is created directly under the on-premises AD Users container (CN=Users).
For Azure AD Connect to fulfill its function, the account must be granted specific privileged directory permissions (such as Write permissions to directory objects for Hybrid Exchange writeback, or the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights for Password Hash Synchronization). Because those replication rights allow the holder to retrieve the password hashes of every account in the domain, whoever controls this account effectively controls the domain. To learn more about the account, refer to the article Azure AD Connect: Accounts and Permissions.
Suppose a malicious on-premises AD administrator has only limited access to the customer’s on-premises AD, but holds Reset-Password permission on the AD DS account. That administrator can reset the password of the AD DS account to a value they know, log on as the account, and thereby gain unauthorized, privileged access (including the replication rights described above) to the customer’s on-premises AD.
Manage your on-premises AD following best practices
Microsoft recommends that customers manage their on-premises AD following the best practices described in the article Securing Active Directory Administrative Groups and Accounts. Where possible:
- Avoid using the Account Operators group, since its members by default have Reset-Password permission on user objects under the Users container.
- Move the AD DS account used by Azure AD Connect, together with other privileged accounts, into an OU (Organizational Unit) that is accessible only to trusted or highly privileged administrators.
- When delegating Reset-Password permission to specific users, scope their access to only the user objects they are supposed to manage. For example, if you want a helpdesk administrator to manage password resets for users in a branch office, group those users under a dedicated OU and grant the helpdesk administrator Reset-Password permission on that OU rather than on the Users container.
Lock down access to the AD DS account
Lock down access to the AD DS account by implementing the following permission changes in the on-premises AD:
- Disable Access Control List inheritance on the object.
- Remove all default permissions on the object except for SELF.
- Implement these permissions:
|Type|Name|Access|Applies to|
|---|---|---|---|
|Allow|SYSTEM|Full Control|This object|
|Allow|Enterprise Admins|Full Control|This object|
|Allow|Domain Admins|Full Control|This object|
|Allow|Administrators|Full Control|This object|
|Allow|Enterprise Domain Controllers|List Contents|This object|
|Allow|Enterprise Domain Controllers|Read All Properties|This object|
|Allow|Enterprise Domain Controllers|Read Permissions|This object|
|Allow|Authenticated Users|List Contents|This object|
|Allow|Authenticated Users|Read All Properties|This object|
|Allow|Authenticated Users|Read Permissions|This object|
You can use the PowerShell script available at Prepare Active Directory Forest and Domains for Azure AD Connect Sync to help you implement the permission changes on the AD DS account.
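The following is an added example, not the Microsoft-provided script referenced above, showing how the three lockdown steps and the permission table translate into an ACL change on the connector account with the ActiveDirectory module's AD: drive. It assumes the ActiveDirectory module is installed, the caller is a Domain Admin in the domain that holds the account, and the account name MSOL_0123456789ab is a placeholder for your own connector account. Principals are addressed by SID (Enterprise Admins is resolved from the forest root domain) so the script does not depend on localized group names.

```powershell
# Added example (not the Microsoft-provided script). Applies the advisory's ACL
# to the AD DS connector account: block inheritance, drop every ACE except SELF,
# then add the ACEs from the table, all scoped to "This object".
# Assumptions: ActiveDirectory module available, caller is a Domain Admin,
# and the account name below is a placeholder.
Import-Module ActiveDirectory

$ConnectorAccount = 'MSOL_0123456789ab'   # assumed placeholder name

function New-Sid([string]$SidString) {
    New-Object System.Security.Principal.SecurityIdentifier($SidString)
}

# Enterprise Admins (RID 519) lives in the forest root domain; Domain Admins (RID 512)
# in the account's own domain. The others are well-known SIDs.
$domainSid     = (Get-ADDomain).DomainSID.Value
$rootDomainSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

$fullControl = @(
    (New-Sid 'S-1-5-18'),             # SYSTEM
    (New-Sid "$rootDomainSid-519"),   # Enterprise Admins
    (New-Sid "$domainSid-512"),       # Domain Admins
    (New-Sid 'S-1-5-32-544')          # Administrators (BUILTIN)
)
$readOnly = @(
    (New-Sid 'S-1-5-9'),              # Enterprise Domain Controllers
    (New-Sid 'S-1-5-11')              # Authenticated Users
)

$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$thisObject = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "This object" only

function New-Ace($Sid, [string]$Right) {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]$Right
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $rights, $allow, $thisObject)
}

$user    = Get-ADUser -Identity $ConnectorAccount
$aclPath = "AD:\$($user.DistinguishedName)"
$acl     = Get-Acl -Path $aclPath

# Step 1: disable inheritance; $false discards the inherited ACEs instead of copying them.
$acl.SetAccessRuleProtection($true, $false)

# Step 2: remove every remaining explicit ACE except those granted to SELF (S-1-5-10).
foreach ($ace in @($acl.Access)) {
    if ($ace.IsInherited) { continue }
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($sid -ne 'S-1-5-10') { $acl.RemoveAccessRuleSpecific($ace) }
}

# Step 3: add the ACEs from the advisory's table.
foreach ($sid in $fullControl) {
    $acl.AddAccessRule((New-Ace $sid 'GenericAll'))          # Full Control
}
foreach ($sid in $readOnly) {
    # List Contents, Read All Properties, Read Permissions
    foreach ($right in 'ListChildren', 'ReadProperty', 'ReadControl') {
        $acl.AddAccessRule((New-Ace $sid $right))
    }
}

Set-Acl -Path $aclPath -AclObject $acl

# Verify: inheritance must be blocked and only the intended ACEs should remain.
$result = Get-Acl -Path $aclPath
"Inheritance blocked: $($result.AreAccessRulesProtected)"
$result.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Run it once per synchronized forest against that forest's connector account, and keep the verification output as evidence of the resulting ACL. Because the script first strips the existing ACEs and only then adds the new ones, test it on a throwaway user object before touching the production connector account; if a run is interrupted, the object's owner (Domain Admins by default) can still repair the DACL.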
Check whether the vulnerability has been exploited
To find out whether this vulnerability has already been used to compromise your Azure AD Connect configuration, do the following:
- Verify the last password reset date of the AD DS connector account (its pwdLastSet attribute, exposed as PasswordLastSet by Get-ADUser) and compare it with the dates on which Azure AD Connect was installed or the password was intentionally rotated.
- If you find an unexpected timestamp, investigate the Security event log on your domain controllers for the corresponding password reset event (Event ID 4724, "An attempt was made to reset an account's password"), which records which principal performed the reset and when.
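The two checks above as an added example, not part of the advisory: it reports the connector account's PasswordLastSet and then collects the matching Event ID 4724 entries from every domain controller, because a password reset is logged only on the DC that processed it. It assumes the ActiveDirectory module is available, that the caller can read the Security log on each DC remotely, and that the account name MSOL_0123456789ab is a placeholder.

```powershell
# Added example (not from the advisory). Shows when the connector account's
# password was last set and who reset it, using Security event 4724 from all DCs.
# Assumptions: ActiveDirectory module available, remote read access to each DC's
# Security log, and the account name below is a placeholder.
Import-Module ActiveDirectory

$ConnectorAccount = 'MSOL_0123456789ab'   # assumed placeholder name

$user = Get-ADUser -Identity $ConnectorAccount -Properties PasswordLastSet, whenCreated
"{0}: created {1}, password last set {2}" -f $user.SamAccountName, $user.whenCreated, $user.PasswordLastSet

# Search from a day before the timestamp to allow for clock skew between DCs.
# PasswordLastSet is null when pwdLastSet is 0 (must change at next logon).
$start = if ($user.PasswordLastSet) { $user.PasswordLastSet.AddDays(-1) } else { $user.whenCreated }

$resets = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $filter = @{ LogName = 'Security'; Id = 4724; StartTime = $start }
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML.
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                if ($data['TargetUserName'] -eq $user.SamAccountName) {
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        DC      = $dc.HostName
                        ResetBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                        LogonId = $data['SubjectLogonId']   # correlate with 4624 on the same DC to find the source host
                    }
                }
            }
    } catch {
        # Get-WinEvent also throws when no matching events exist on that DC.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

if ($resets) { $resets | Sort-Object Time | Format-Table -AutoSize }
else         { "No 4724 events for $ConnectorAccount found since $start (check Security log retention)." }
```

A PasswordLastSet that does not match any install or planned rotation, or a 4724 whose SubjectUserName is not one of your highly privileged administrators, should be treated as a compromise of the connector account: rotate its password, and assume the replication rights it holds have been used until the investigation shows otherwise. If the Security logs on the DCs have already rolled over, a forwarded-event collector or SIEM is the only place the evidence will still exist.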
Improvement to Azure AD Connect
An improvement has been added to Azure AD Connect version 1.1.654.0 (and after) to ensure that the recommended permission changes described under the section Lock down access to the AD DS account are automatically applied when Azure AD Connect creates the AD DS account:
- When setting up Azure AD Connect, the installing administrator can either provide an existing AD DS account or let Azure AD Connect create the account automatically. The permission changes are applied automatically to the AD DS account that Azure AD Connect creates during setup. They are not applied to an existing AD DS account provided by the installing administrator.
- For customers who have upgraded from an older version of Azure AD Connect to 1.1.654.0 (or later), the permission changes are not retroactively applied to AD DS accounts created before the upgrade. They are applied only to AD DS accounts created after the upgrade, for example when you add a new AD forest to be synchronized to Azure AD. Accounts created by earlier versions, and accounts supplied by the administrator, must be locked down manually as described under Lock down access to the AD DS account.
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Feedback
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
- Roman Blachman and Yaron Zinar of Preempt
Support
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (December 12, 2017): Advisory published.
- V1.1 (December 18, 2017): Updated account permissions information.