
Stealthy Admin Accounts Found in Hybrid Office 365 Deployments

Vulnerability in Azure AD Connect Software Can Provide Stealthy Admins With Full Domain Control


One term used for privileged admin accounts that exist outside of protected groups is ‘stealthy admins’. They are less protected and less monitored than accounts within protected groups, and can consequently pose a major security risk.

The team at Preempt Security has discovered an automatically generated stealthy admin account in hybrid on-premise/Azure Microsoft Office 365 (O365) deployments.

One aspect of the Preempt Platform’s operation is to investigate and prevent insider threats, and this in turn involves detecting insider opportunities for escalating privileges. Escalation involves acquiring the rights of or using a privileged administrator account; and for this reason admin accounts should always be given greater protection.

“Organizations have well-defined groups for administrators, where they can be monitored and protected,” explains Ajit Sancheti, CEO and co-founder of Preempt; “but sometimes users are given administrator rights without the account being placed into an administrator group. That’s what we call a ‘stealthy administrator’. Part of our job is to detect these.”

Researchers from Preempt discovered that a stealthy admin is created as a matter of course during the normal use of Microsoft’s Azure AD Connect. AD Connect is a tool used by organizations with hybrid on-premises and cloud Office 365 deployments. It integrates on-premises Active Directory with Azure AD, so that users can have a common identity throughout.

The default express use of AD Connect creates a Microsoft Online (MSOL) account that has domain admin privileges but exists outside of any protected admin group; that is, it lives in the built-in Users group. In order to synchronize passwords between on-premises accounts and the cloud, it has the ability to replicate the domain.

“Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges indirectly through domain discretionary access control list (DACL) configuration,” said Roman Blachman, CTO and co-founder at Preempt. “We refer to these users as stealthy admins. The majority of our customers have Office 365 hybrid deployments and almost every one of them was vulnerable to this because Azure AD Connect was installed in express settings and created this flaw.” Blachman has also explained the issue in a blog posted today.
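The DACL-level check Blachman describes, as an added example (this is not Preempt’s tool or Microsoft’s script): it reads the domain root’s ACL for the replication extended rights, keeps holders that are not in the expected built-in set and not already protected by AdminSDHolder (adminCount=1), and for each one lists who can reset its password, which is the path the advisory warns about. It assumes the RSAT ActiveDirectory module on a domain-joined host and that the expected-holder list is tuned to your domain.

```powershell
# Added example: find accounts with domain replication rights outside protected groups.
Import-Module ActiveDirectory

# Extended-right GUIDs that allow an account to replicate directory data (incl. secrets).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Principals that legitimately hold these rights on a domain root (assumption; adjust per domain).
$ExpectedHolders = @('Domain Controllers', 'Enterprise Domain Controllers', 'Administrators',
                     'Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Who can reset a given object's password: GenericAll, or the User-Force-Change-Password
# extended right (also granted implicitly by an ExtendedRight ACE with an empty ObjectType).
function Get-PasswordResetters([string]$Dn) {
    $resetRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $r = $_.ActiveDirectoryRights
        $fullControl = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        $canReset = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                    ($_.ObjectType -eq $resetRight -or $_.ObjectType -eq [guid]::Empty)
        $_.AccessControlType -eq 'Allow' -and ($fullControl -or $canReset) -and
            $ExpectedHolders -notcontains $_.IdentityReference.Value.Split('\')[-1]
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$domain  = Get-ADDomain
$rootAcl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$findings = foreach ($ace in $rootAcl.Access) {
    $guid = $ace.ObjectType.ToString()
    if ($ace.AccessControlType -ne 'Allow' -or -not $ReplicationRights.ContainsKey($guid)) { continue }
    $name = $ace.IdentityReference.Value.Split('\')[-1]
    if ($ExpectedHolders -contains $name) { continue }
    # adminCount=1 means AdminSDHolder already protects the object; anything else is a candidate.
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties adminCount
    if ($null -eq $obj -or $obj.adminCount -eq 1) { continue }
    [pscustomobject]@{
        Account     = $ace.IdentityReference.Value
        Right       = $ReplicationRights[$guid]
        Location    = $obj.DistinguishedName
        CanResetPwd = (Get-PasswordResetters $obj.DistinguishedName) -join ', '
    }
}
$findings | Format-Table -AutoSize -Wrap
```

An express-installed AD Connect account shows up here with its MSOL_ name, a Location under CN=Users, and a CanResetPwd column naming the help-desk or Account Operators principals the article describes; the fix is to move it and tighten that ACL, not just to note it.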


Anyone with access to user accounts could use that access to reach the MSOL account and acquire high-level domain privileges. This could be an attacker already on the network looking to escalate privilege, or a ‘rogue’ employee. In the latter instance, Preempt gives the example of a help desk that uses a contract employee. That employee would be a domain user, but also an account operator for help desk purposes.

The help desk staff is effectively part of the supply chain but with direct — and legitimate — access to user accounts, plus one account with domain level privileges. If compromised — or simply rogue — the help desk operator’s account could get access to every admin account on the domain via the MSOL account. Since the MSOL account is not in a protected admin group, it will not be tracked or monitored like other admin accounts — and its use by an attacker will not trigger the alerts that it should.

The MSOL account will exist as a stealthy admin as a matter of course for any organization that has used AD Connect to synchronize user passwords between on-premises and cloud deployments of Office 365.

Preempt reported the issue to Microsoft, which has today issued an advisory and fix. “Suppose there is a malicious on-premises AD administrator with limited access to customer’s on-premises AD but has Reset-Password permission to the AD DS account,” explains the advisory. “The malicious administrator can reset the password of the AD DS account to a known password value. This in turn allows the malicious administrator to gain unauthorized, privileged access to the customer’s on-premises AD.”

Microsoft’s solution going forward is an ‘improvement’ to Azure AD Connect that ensures that the account it creates will in future have the recommended permissions. For Azure users who have already used AD Connect, Microsoft says, “You can use the PowerShell script available at Prepare Active Directory Forest and Domains for Azure AD Connect Sync to help you implement the permission changes on the AD DS account.”

The Microsoft fix is not a patch for existing implementations. AD Connect will be updated so that its future use will not lead to a stealthy MSOL account. For existing implementations, it is releasing a script that will find and move the MSOL account to a safe location. 

It is worth noting, however, that MSOL is unlikely to be the only stealthy admin on a network. While this Microsoft fix will detect the MSOL stealthy admin, it will not solve the problem of other stealthy accounts.

“We’re seeing this in almost all of our customers,” commented Sancheti. “We have never installed product with any customer without finding at least one or more stealthy admins — usually anything between 5 to 100. Because of the complexity of Active Directory, it is quite common for one account to be given access to another account without ever realizing what permissions are quietly inherited in the process.”

Preempt has developed and released a free tool called Preempt Inspector. “Its purpose is to detect all stealthy accounts, that are often innocently created through configuration errors — but that create a hidden risk for the network.”

Related: Microsoft Fixes Privilege Escalation Flaw in Azure AD Connect 

Related: New Product Allows Easy Addition of Multi-Factor Authentication to Any Application 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
