Microsoft Security Advisory 4033453
Vulnerability in Azure AD Connect Could Allow Elevation of Privilege
Published: June 27, 2017
Version: 1.0
Executive Summary
Microsoft is releasing this security advisory to inform customers that a new version of Azure Active Directory (AD) Connect is available that addresses an Important security vulnerability.
The update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts.
The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.
Advisory Details
Password writeback is a component of Azure AD Connect. It allows users to configure Azure AD to write passwords back to their on-premises Active Directory. It provides a convenient cloud-based way for users to reset their on-premises passwords wherever they are. For information about password writeback, refer to Password writeback overview.
To enable Password writeback, Azure AD Connect must be granted Reset Password permission over the on-premises AD user accounts. When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts). For information about AD privileged user accounts, refer to Protected Accounts and Groups in Active Directory.
This configuration is not recommended because it allows a malicious Azure AD Administrator to reset the password of an arbitrary on-premises AD user privileged account to a known password value using Password writeback. This in turn allows the malicious Azure AD Administrator to gain privileged access to the customer’s on-premises AD.
See CVE-2017-8613 - Azure AD Connect Elevation of Privilege Vulnerability
Suggested Actions
Verify if your organization is affected
This issue only affects customers who have enabled the Password writeback feature on Azure AD Connect. To determine if the feature is enabled:
- Login to your Azure AD Connect server.
- Start Azure AD Connect wizard (START → Azure AD Connect).
- On the Welcome screen, click Configure.
- On the Tasks screen, select View current configuration and click Next.
- Under Synchronization Settings, check if Password Writeback is enabled.
If Password writeback is enabled, evaluate whether your Azure AD Connect server has been granted Reset Password permission over on-premises AD privileged accounts. Azure AD Connect uses an AD DS account to synchronize changes with on-premises AD. The same AD DS account is used to perform password reset operation with on-premises AD. To identify which AD DS account is used:
- Login to your Azure AD Connect server.
- Start the Synchronization Service Manager (Start → Synchronization Service).
- Under the Connectors tab, select the on-premises AD connector and click Properties.
- In the Properties dialog box, select the Connect to Active Directory Forest tab and note down the User name property. This is the AD DS account used by Azure AD Connect to perform directory synchronization.
For Azure AD Connect to perform Password writeback on on-premises AD privileged accounts, the AD DS account must be granted Reset Password permission over these accounts. This typically happens if an on-premises AD administrator has either:
- Made the AD DS account a member of an on-premises AD privileged group (For example, Enterprise Administrators or Domain Administrators group), OR
- Created Control Access Rights on the adminSDHolder container which grants the AD DS account with Reset Password permission. For information on how the adminSDHolder container affects access to on-premises AD privileged accounts, refer to Protected Accounts and Groups in Active Directory.
You need to examine the effective permissions assigned to this AD DS account. It may be difficult and error prone to do so by examining existing ACLs and group assignment. An easier approach is to select a set of existing on-premises AD privileged accounts and use the Windows Effective Permissions feature to determine if the AD DS account has Reset Password permission over these selected accounts. For information on how to use the Effective Permissions feature, refer to Verify whether Azure AD Connect has the required permission for Password writeback.
Note
You may have more than one AD DS account to evaluate if you are synchronizing multiple on-premises AD forests using Azure AD Connect.
Remediation steps
Upgrade to the latest version (1.1.553.0) of Azure AD Connect, which can be downloaded from here. We recommend you do so even if your organization isn’t currently affected. For information on how to upgrade Azure AD Connect, refer to Azure AD Connect: Learn how to upgrade from a previous version to the latest.
The latest version of Azure AD Connect addresses this issue by blocking Password writeback request for on-premises AD privileged accounts unless the requesting Azure AD Administrator is the owner of the on-premises AD account. More specifically, when Azure AD Connect receives a Password writeback request from Azure AD:
- It checks if the target on-premises AD account is a privileged account by validating the AD adminCount attribute. If the value is null or 0, Azure AD Connect concludes this is not a privileged account and permits the Password writeback request.
- If the value is not null or 0, Azure AD Connect concludes this is a privileged account. Next, it then validates whether the requesting user is the owner of the target on-premises AD account. It does so by checking the relationship between the target on-premises AD account and the Azure AD account of the requesting user in its Metaverse. If the requesting user is indeed the owner, Azure AD Connect permits the Password writeback request. Otherwise, the request is rejected.
Note
The adminCount attribute is managed by the SDProp process. By default, SDProp runs every 60 minutes. Therefore, it can take up to an hour before the adminCount attribute of a newly created AD privileged user account is updated from NULL to 1. Until this happens, an Azure AD administrator can still reset the password of this newly created account. For information about SDProp process, refer to Protected Accounts and Groups in Active Directory.
Mitigation steps
If you are unable to immediately upgrade to the latest “Azure AD Connect” version, consider the following options:
- If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
- If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
- It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission. For information on how to create a DENY ACE using Windows DSACLS tool, refer to Modify the AdminSDHolder container.
DSACLS DNofAdminSDHolderContainer /D CONTOSO\ADDSAccount:CA;"Reset Password"
Page generated 2017-06-27 09:50-07:00.