Monday, July 03, 2017

Vulnerability in Azure AD Connect !!!

With the end of support for DirSync and Azure AD Sync this April, and the tight deadline of December 31, 2017, after which Azure AD will stop accepting connections from DirSync and Azure AD Sync, most organisations have already upgraded to Azure AD Connect.


If your organization has upgraded to Azure AD Connect, you get more enhanced features bundled with the product, and if you are a customer using the "Password Writeback" feature you need to be aware of the security vulnerability identified recently and fix it promptly before your environment is impacted.

Microsoft released a new security advisory to inform customers that a new version of Azure Active Directory (AD) Connect is available that addresses an important security vulnerability.

The update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts.

The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

More information is available in the security advisory: Microsoft Security Advisory 4033453 - Vulnerability in Azure AD Connect Could Allow Elevation of Privilege

Review the article, validate whether your environment is impacted, and perform the remediation steps promptly. Even if your organization is not impacted, Microsoft recommends that organisations use the latest version of Azure AD Connect.

If you cannot perform the upgrade right now, follow the mitigation steps provided in the article to address the issue.

If you are planning an upgrade to the latest version (1.1.553.0) of Azure AD Connect and you are using OU-based filtering, be sure to review the release history article below and perform the outlined steps, because the upgrade does not carry forward OU filtering settings unless they are set correctly during the upgrade process.

Review here: Azure AD Connect: Version release history - 1.1.553.0

Update: 

A new version of Azure AD Connect (1.1.557.0) is now released; review the documentation below.

Review here: Azure AD Connect: Version release history - 1.1.557.0

Note: This build is not available to customers through the Azure AD Connect Auto Upgrade feature, so you need to perform a manual install.

To learn more about the Auto Upgrade feature, review the excellent blog post below from MVP Jeff Guillet:

Understanding Auto-Upgrade Options in Azure AD Connect

Update:

A new version of Azure AD Connect (1.1.614.0) is now released with some great features, including support for a new installation mode called Use Existing Database. This installation mode allows customers to install Azure AD Connect against an existing ADSync database.

Review here: Install Azure AD Connect using an existing ADSync database

Update:

The Microsoft team released AAD Connect build 1.1.654.0 (a security-related hotfix), which addresses a new security vulnerability in AAD Connect through which elevated privileges can be obtained by resetting the password of the AD DS directory synchronization account (MSOL). To address this issue you can upgrade to the new version. Microsoft also provides a PowerShell script that configures the new recommended permissions on the MSOL account and tightens its permissions if you cannot upgrade to the new version immediately.

Access the release history here to learn more: Azure AD Connect: Version release history - 1.1.654.0

Access the PowerShell Script here: Prepare Active Directory Forest and Domains for Azure AD Connect Sync

Also review the excellent write-up on this topic from MVP Jeff Guillet here: Secure AAD Connect! New build 1.1.654.0 and AdSyncConfig.psm1 module is available
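As an added illustration (not code from the advisory or from Microsoft's AdSyncConfig.psm1 module), the PowerShell below audits the two conditions described in this post on an Azure AD Connect server: whether the installed build is older than 1.1.654.0, and which principals hold the Reset Password extended right on the MSOL_ sync account and on AdminSDHolder (the template for privileged accounts). It assumes the ActiveDirectory RSAT module is installed, that the sync account follows the default MSOL_ naming, and that the product registers itself with the DisplayName used here.

```powershell
# Added audit example; assumptions: ActiveDirectory module, MSOL_* account naming,
# and 'Microsoft Azure AD Connect*' as the product DisplayName in the Uninstall keys.
Import-Module ActiveDirectory

$MinimumBuild = [version]'1.1.654.0'   # hotfix build named in the post
# Well-known schema GUID of the "Reset Password" extended right
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-AADConnectVersion {
    # Reads DisplayVersion from the 32/64-bit Uninstall registry keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName -like 'Microsoft Azure AD Connect*' |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-ResetPasswordGrants {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Every Allow ACE that grants Reset Password: the specific extended right,
    # all extended rights (empty ObjectType) or GenericAll (which includes it).
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Check 1: installed build versus the hotfix build
$installed = Get-AADConnectVersion
if ($installed -and [version]$installed -lt $MinimumBuild) {
    Write-Warning "Azure AD Connect $installed is older than $MinimumBuild; upgrade or apply the mitigation."
} else { "Azure AD Connect version: $installed" }

$domainDn = (Get-ADDomain).DistinguishedName
# Check 2a: who can reset the password of the MSOL_ sync account itself (the 1.1.654.0 issue)
foreach ($msol in Get-ADUser -Filter 'Name -like "MSOL_*"') {
    "Reset Password grants on $($msol.Name):"
    Get-ResetPasswordGrants -DistinguishedName $msol.DistinguishedName | Format-Table -AutoSize
}
# Check 2b: can the MSOL_ account reset privileged accounts via AdminSDHolder (advisory 4033453)?
Get-ResetPasswordGrants -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn" |
    Where-Object { $_.IdentityReference -like '*\MSOL_*' } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) can reset privileged passwords via AdminSDHolder" }
```

Run it in an elevated PowerShell session on the Azure AD Connect server; any warning it prints is a condition that the upgrade or the advisory's mitigation steps are meant to remove.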

Stay tuned for more updates...
