In recent blog posts, I’ve been talking a lot about new Active Directory attack methods, where attackers compromise user accounts that lead to increasing levels of privilege in AD. Unfortunately, a recently discovered Azure AD Connect configuration option is now making it a little easier for attackers to take control of privileged user accounts in Active Directory. Just last week, Microsoft released a security advisory detailing how to handle the issue, which potentially allows administrators to gain unrestricted access to Active Directory.
Azure AD Connect synchronizes directory data between Azure Active Directory and the on-prem AD, and requires an AD DS connector service account to gain access to the on-prem AD. The issue lies in the default permissions granted to that service account: an AD administrator with restricted access to on-prem AD, but with Password Reset rights over the Azure AD Connect service account, could elevate domain privileges. “The malicious administrator can reset the password of the service account to a known password value. This in turn allows the malicious administrator to gain unauthorized, privileged access to the customer’s on-premises AD,” Microsoft stated in the article.
Microsoft announced that future versions of Azure AD Connect will automatically apply restricted permissions to the AD DS account; however, no patch will be released to retroactively apply the permission changes to existing AD DS accounts. In the meantime, here’s what you can do to make sure your Active Directory is protected:
- Secure access to the AD DS account using the PowerShell script Microsoft released with the article to tighten the account permissions.
- Move the AD DS connector account into an OU that is only accessible by highly-privileged admins.
- Manage AD delegations to follow the principle of least privilege. Privileged accounts can be easier to hijack if you’re not careful about the delegation on them, so make sure that users only have access to objects they are supposed to manage.
- Audit any changes to accounts that have these kinds of privileged access, using a product like Semperis’ AD State Manager, as shown here:
If you’re impacted by this vulnerability, then you’ll need to audit Active Directory to verify the last password reset date of the service account and determine whether any malicious activity occurred as a result. Using Semperis’ Active Directory State Manager (ADSM), you can easily detect password changes (as shown in #4 above) on the service account and know who made the change, as well as the actions that occurred after the change was made. If a malicious admin takes control of your Active Directory using the Azure AD Connect flaw, ADSM will allow you to quickly revert and restore any harmful actions made by the admin and help you protect your infrastructure from further damage.
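As an added example (not Microsoft’s script and not part of ADSM), the following PowerShell snippet answers the two audit questions above on a domain controller: which trustees can reset the connector account’s password, when the password was last set, and which 4724 (“An attempt was made to reset an account’s password”) events targeted it. It assumes the connector account uses the default `MSOL_<hex>` naming; adjust the filter if yours was named differently.

```powershell
# Added example: audit the Azure AD Connect AD DS connector account.
# Assumption: the account follows the default "MSOL_*" naming convention.
Import-Module ActiveDirectory

# Extended right "Reset Password" (User-Force-Change-Password) control access right
$ResetPwdGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$Connectors = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' `
    -Properties PasswordLastSet, DistinguishedName

foreach ($acct in $Connectors) {
    "{0}: password last set {1}" -f $acct.SamAccountName, $acct.PasswordLastSet

    # Read the object's DACL through the AD: PSDrive provided by the AD module
    $acl = Get-Acl -Path ("AD:\" + $acct.DistinguishedName)

    # Trustees that may reset the password directly (the extended right, or an
    # all-extended-rights ACE) or indirectly via GenericAll / WriteDacl / WriteOwner.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
                ($_.ObjectType -eq $ResetPwdGuid -or $_.ObjectType -eq [Guid]::Empty)) -or
            $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner'
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize

    # Password reset attempts against this account in the last 30 days.
    # Event 4724 fields: [0] TargetUserName, [4] SubjectUserName (who reset it).
    # Only this DC's Security log is read; repeat on each DC or use -ComputerName.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $acct.SamAccountName } |
        Select-Object TimeCreated,
            @{ n = 'Target';  e = { $_.Properties[0].Value } },
            @{ n = 'ResetBy'; e = { $_.Properties[4].Value } } |
        Format-Table -AutoSize
}
```

Any trustee in the ACL output who is not a highly privileged admin, or any 4724 entry whose ResetBy is not an expected operator, is what the audit step above is meant to surface.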