Important update for Azure Active Directory Connect – Version 1.1.553.0

Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 6, 2017. More importantly, they published an important security advisory one day later.

Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains:

The [Azure AD Connect 1.1.553.0 update] addresses a vulnerability that could allow elevation of privilege if AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The vulnerability is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

Microsoft highly recommends that all customers upgrade to 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the advisory above describes mitigation steps you can consider:

  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from those groups.
  • If an on-premises AD administrator has previously created a Control Access Right on the adminSDHolder object for the AD DS account that permits the Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, when the AD DS account relies on the group membership for permissions required by other features such as Password synchronization or writeback). In that case, consider creating a DENY ACE on the adminSDHolder object that denies the AD DS account the Reset Password permission, using the Windows DSACLS tool.
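As an added example (not from the post or from Microsoft), the PowerShell below audits the AD DS connector account against the three points above: nested membership in adminSDHolder-protected groups, explicit Reset Password ACEs on adminSDHolder, and whether a DENY ACE is already in place. The account name MSOL_PLACEHOLDER, the RSAT ActiveDirectory module, and the exact dsacls syntax printed at the end are assumptions of this example.

```powershell
# Added example (not from the post or the advisory): audits the Azure AD Connect
# AD DS connector account against the three mitigation points above.
# Assumes the RSAT ActiveDirectory module is installed and the script runs as a
# domain admin; $ConnectorAccount is a placeholder for the real sAMAccountName.
Import-Module ActiveDirectory

$ConnectorAccount  = 'MSOL_PLACEHOLDER'
$Domain            = Get-ADDomain
$AdminSDHolderDN   = "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"
$Account           = Get-ADUser -Identity $ConnectorAccount
$AccountNT         = "$($Domain.NetBIOSName)\$($Account.SamAccountName)"
# rightsGuid of the "Reset Password" (User-Force-Change-Password) control access right
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# 1. Is the connector account a (nested) member of any adminSDHolder-protected group?
#    LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership.
$PrivilegedGroups = @(Get-ADGroup -LDAPFilter ("(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=" +
    $Account.DistinguishedName + "))"))
foreach ($g in $PrivilegedGroups) {
    Write-Warning "$AccountNT is a member of protected group '$($g.Name)' - consider removing it."
}

# 2. Does adminSDHolder carry an explicit ACE for the account that covers Reset Password?
#    ObjectType = Guid.Empty means "all extended rights"; GenericAll implies everything.
#    (Rights inherited via group ACEs are covered by the membership check in step 1.)
$Covering = [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight,GenericAll'
$Aces = (Get-Acl -Path "AD:\$AdminSDHolderDN").Access | Where-Object {
    $_.IdentityReference.Value -eq $AccountNT -and
    ([int]($_.ActiveDirectoryRights -band $Covering)) -ne 0 -and
    ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)
}
$AllowAces = @($Aces | Where-Object AccessControlType -eq 'Allow')
$DenyAces  = @($Aces | Where-Object AccessControlType -eq 'Deny')
foreach ($ace in $AllowAces) {
    Write-Warning "adminSDHolder grants $AccountNT '$($ace.ActiveDirectoryRights)' (ObjectType $($ace.ObjectType))."
}

# 3. If the account still needs its other rights, the fallback is a DENY ACE on
#    adminSDHolder; SDProp copies it to every protected (adminCount=1) account hourly.
#    The dsacls syntax below is this example's own; review it before running.
if (($PrivilegedGroups.Count -gt 0 -or $AllowAces.Count -gt 0) -and $DenyAces.Count -eq 0) {
    Write-Host "No DENY ACE found. Suggested mitigation:"
    Write-Host "  dsacls `"$AdminSDHolderDN`" /D `"${AccountNT}:CA;Reset Password`""
} elseif ($DenyAces.Count -gt 0) {
    Write-Host "DENY ACE for Reset Password already present on adminSDHolder for $AccountNT."
} else {
    Write-Host "$AccountNT holds no privileged membership or explicit Reset Password ACE."
}
```

Run it once before and once after applying the mitigation; the second run should report the DENY ACE as present.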

Expta
