Important update for Azure Active Directory Connect – Version 1.1.553.0

Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.

Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,

The [AD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.

  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
  • If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object that denies the AD DS account the Reset Password permission, using the Windows DSACLS tool.
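The following PowerShell audit is an added example, not code from the advisory or from Azure AD Connect. It checks the AD DS connector account for the two conditions the mitigation steps describe (membership in privileged groups, and an AdminSDHolder ACE that allows Reset Password) and, if the advisory's DENY ACE is not yet present, prints the DSACLS command to add it. It assumes the ActiveDirectory RSAT module is installed and that `$ConnectorAccount` holds your connector account name (the `MSOL_PLACEHOLDER` value is a placeholder); the exact `dsacls` argument format is my reading of the tool's `/D` syntax, so review it before running.

```powershell
# Added example (not from the advisory or the product): audit the AD DS connector
# account against the advisory's mitigation steps and print the DENY ACE command.
# Assumptions: ActiveDirectory module present; $ConnectorAccount is a placeholder
# for the real connector account (usually named MSOL_<hex>).
Import-Module ActiveDirectory

$ConnectorAccount   = 'MSOL_PLACEHOLDER'   # replace with the real AD DS account
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right GUID
$Rights             = [System.DirectoryServices.ActiveDirectoryRights]

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$account       = Get-ADUser -Identity $ConnectorAccount

# 1. Is the connector account (directly or transitively) in a privileged group?
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Schema Admins'
$groupHits = foreach ($group in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    if ($members.SID -contains $account.SID) { $group }
}
if ($groupHits) { Write-Warning "$ConnectorAccount is a member of: $($groupHits -join ', ')" }

# 2. Does an Allow ACE on AdminSDHolder give it Reset Password (or broader rights)?
#    GenericAll, or ExtendedRight with the Reset Password GUID / the empty GUID
#    (which means "all extended rights"), would all let it reset protected accounts.
$acl = Get-Acl -Path "AD:\$adminSdHolder"
$allowAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$ConnectorAccount" -and (
        $_.ActiveDirectoryRights.HasFlag($Rights::GenericAll) -or
        ($_.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
         ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [Guid]::Empty))
    )
}
if ($allowAces) { Write-Warning "AdminSDHolder allows Reset Password for $ConnectorAccount" }

# 3. Is the advisory's DENY ACE already present? If not, show the dsacls command.
#    A Deny ACE takes precedence over Allow, and SDProp copies AdminSDHolder's
#    ACL to protected (adminCount=1) accounts, so the deny reaches them too.
$denyPresent = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -like "*\$ConnectorAccount" -and
    $_.ObjectType -eq $ResetPasswordRight
}
if (-not $denyPresent) {
    $principal = "$($domain.NetBIOSName)\$ConnectorAccount"
    Write-Output "Suggested mitigation (review before running):"
    Write-Output "dsacls `"$adminSdHolder`" /D `"${principal}:CA;Reset Password`""
}
```

Re-run the script after applying the deny ACE: step 3 should then find the ACE and print nothing, which confirms the mitigation is in place.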


Beta Exam 345: Designing and Deploying Microsoft Exchange Server 2016 NOW AVAILABLE

Are you an expert in designing and managing Exchange Server? Are you responsible for the Exchange Server 2016 messaging environment in an enterprise environment? If so, here’s your chance to start down the path to the MCSE certification for free AND help us improve the quality of this exam!

We are opening up 350 beta seats for this beta exam (exam number: 70-345)… This means you can take the exam for free!! BUT… the seats are limited on a first come, first served basis, so register today (these codes will only work through February 12, 2016, meaning you have to register AND take the exam on or before that date), and we need you to take the exam as soon as possible so we can leverage your comments, feedback, and exam data in our evaluation of the quality of the questions. The sooner you take the exam, the more likely it is that we will be able to use your feedback to make improvements to the exam. This is your chance to have a voice in the questions we include on the exam when it goes live.

To prepare for the exam, review our prep guide and practice the skills listed there. For more ideas on preparing for this beta exam, check out my recent blog post.

Register for the exam at the same site and use code EXCH2016010B to take it for free, but these codes are only valid for exam dates on or before Feb. 12, 2016. Remember: there are a limited number of spots, so when they’re gone, they’re gone. You should also be aware that there are some country limitations where the beta code will not work (e.g., Turkey, Pakistan, India, China, Vietnam); you will not be able to take the beta exam for free in those countries.

Also, keep in mind that this exam is in beta, which means that you will not be scored immediately. You will receive your final score and passing status once the exam is live.

Well…what are you waiting for? Register before all the seats are gone!