Microsoft Security Advisory 4056318

Guidance for securing AD DS account used by Azure AD Connect for directory synchronization

Published: December 12, 2017

Version: 1.0

Microsoft is releasing this security advisory to provide information regarding security settings for the AD DS (Active Directory Domain Services) account used by Azure AD Connect for directory synchronization. This advisory also provides guidance on what on-premises AD administrators can do to ensure that the account is properly secured.

Azure AD Connect lets customers synchronize directory data between their on-premises AD and Azure AD. Azure AD Connect requires the use of an AD DS user account to access the on-premises AD. This account is sometimes referred to as the AD DS connector account. When setting up Azure AD Connect, the installing administrator can either:

  • Provide an existing AD DS account, or
  • Let Azure AD Connect automatically create the account. The account will be created directly under the on-premises AD User container. For Azure AD Connect to fulfill its function, the account must be granted specific privileged directory permissions (such as Write permissions to directory objects for Hybrid Exchange writeback, or DS-Replication-Get-Changes and DS-Replication-Get-Changes-All for Password Hash Synchronization). To learn more about the account, refer to article Azure AD Connect: Accounts and Permissions.

Suppose there is a malicious on-premises AD administrator with limited access to customer’s on-premises AD but has Reset-Password permission to the AD DS account. The malicious administrator can reset the password of the AD DS account to a known password value. This in turn allows the malicious administrator to gain unauthorized, privileged access to the customer’s on-premises AD.

Manage your on-premises AD following best practices

Microsoft recommends customers to manage their on-premises AD following the best practices described in the article Securing Active Directory Administrative Groups and Accounts. Where possible:

  • The use of Account Operators group should be avoided since members of the group by default have Reset-Password permissions to objects under the User container.
  • Move the AD DS account used by Azure AD Connect and other privileged accounts into an OU (Organization Unit) that is only accessible by trusted or highly-privileged administrators.
  • When delegating Reset-Password permission to specific users, scope their access to only user objects for which they are supposed to manage. For example, you want to let your helpdesk administrator manage password reset for users in a branch office. Consider grouping the users in the branch office under a specific OU and grant the helpdesk administrator with Reset-Password permission to that OU instead of the User container.

Lock down access to the AD DS account 

Lock down access to the AD DS account by implementing the following permission changes in the on-premises AD:

  • Disable Access Control List inheritance on the object.
  • Remove all default permissions on object except for SELF.
  • Implement these permissions: 

Type

Name

Access

Applies To

Allow

SYSTEM

Full Control

This object

Allow

Enterprise Admins

Full Control

This object

Allow

Domain Admins

Full Control

This object

Allow

Administrators

Full Control

This object

Allow

Enterprise Domain Controllers

List Contents

This object

Allow

Enterprise Domain Controllers

Read All Properties

This object

Allow

Enterprise Domain Controllers

Read Permissions

This object

Allow

Authenticated Users

List Contents

This object

Allow

Authenticated Users

Read All Properties

This object

Allow

Authenticated Users

Read Permissions

This object

You can use the PowerShell script available at Prepare Active Directory Forest and Domains for Azure AD Connect Sync to help you implement the permission changes on the AD DS account.

Verification and follow-up actions

To find if this vulnerability was made use of to compromise your AADConnect configuration, do the following:

  • Verify the last password reset date of the service account.
  • Investigate the event log for that password reset event if you find an unexpected timestamp.

Improvement to Azure AD Connect

An improvement has been added to Azure AD Connect version 1.1.654.0 (and after) to ensure that the recommended permission changes described under section are automatically applied when Azure AD Connect creates the AD DS account:

  • When setting up Azure AD Connect, the installing administrator can either provide an existing AD DS account, or let Azure AD Connect automatically create the account. The permission changes are automatically applied to the AD DS account that is created by Azure AD Connect during setup. They are not applied to existing AD DS account provided by the installing administrator.
  • For customers who have upgraded from an older version of Azure AD Connect to 1.1.654.0 (or after), the permission changes will not be retroactively applied to existing AD DS accounts created prior to the upgrade. They will only be applied to new AD DS accounts created after the upgrade. This occurs when you are adding new AD forests to be synchronized to Azure AD.

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Roman Blachman and Yaron Zinar of Preempt

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (December 12, 2017): Advisory published.
Page generated 2017-12-15 15:03Z-08:00.
Show: