Vulnerability in Azure AD Connect Software Can Provide Stealthy Admins With Full Domain Control
One term used for privileged admin accounts that exist outside of protected groups is ‘stealthy admins’. They are less protected and less monitored than accounts within protected groups, and consequently pose a major security risk.
The team at Preempt Security has discovered an automatically generated stealthy admin account in hybrid on-premise/Azure Microsoft Office 365 (O365) deployments.
One aspect of the Preempt Platform’s operation is to investigate and prevent insider threats, and this in turn involves detecting insider opportunities for escalating privileges. Escalation involves acquiring the rights of or using a privileged administrator account; and for this reason admin accounts should always be given greater protection.
“Organizations have well-defined groups for administrators, where they can be monitored and protected,” explains Ajit Sancheti, CEO and co-founder of Preempt; “but sometimes users are given administrator rights without the account being placed into an administrator group. That’s what we call a ‘stealthy administrator’. Part of our job is to detect these.”
Researchers from Preempt discovered that a stealthy admin is created as a matter of course during the normal use of Microsoft’s Azure AD Connect. AD Connect is a tool used by organizations with hybrid on-premises and cloud Office 365 deployments. It integrates on-premises Active Directory with Azure AD so that users have a common identity across both.
The default express installation of AD Connect creates a Microsoft Online (MSOL) account that has domain admin privileges but exists outside of any protected admin group; that is, it lives in the built-in Users group. In order to synchronize passwords between on-premises accounts and the cloud, the account is given the ability to replicate the domain.
“Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges indirectly through domain discretionary access control list (DACL) configuration,” said Roman Blachman, CTO and co-founder at Preempt. “We refer to these users as stealthy admins. The majority of our customers have Office 365 hybrid deployments, and almost every one of them was vulnerable to this because Azure AD Connect was installed in express settings and created this flaw.” Blachman has also explained the issue in a blog posted today.
Anyone with control over user accounts could use that control to take over the MSOL account and acquire high-level domain privileges. This could be an attacker already on the network looking to escalate privilege, or a ‘rogue’ employee. In the latter instance, Preempt gives the example of a help desk that uses a contract employee. That employee would be a domain user, but also an account operator for help desk purposes.
The help desk staff is effectively part of the supply chain but with direct — and legitimate — access to user accounts, plus one account with domain level privileges. If compromised — or simply rogue — the help desk operator’s account could get access to every admin account on the domain via the MSOL account. Since the MSOL account is not in a protected admin group, it will not be tracked or monitored like other admin accounts — and its use by an attacker will not trigger the alerts that it should.
The MSOL account will exist as a stealthy admin as a matter of course for any organization that has used AD Connect to synchronize user passwords between on-premises and cloud deployments of Office 365.
Preempt reported the issue to Microsoft, which has today issued an advisory and fix. “Suppose there is a malicious on-premises AD administrator with limited access to customer’s on-premises AD but has Reset-Password permission to the AD DS account,” explains the advisory. “The malicious administrator can reset the password of the AD DS account to a known password value. This in turn allows the malicious administrator to gain unauthorized, privileged access to the customer’s on-premises AD.”
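As an added audit example (not code from the article, Preempt, or Microsoft’s remediation script), the following PowerShell lists accounts that hold directory-replication rights on the domain root yet are not covered by AdminSDHolder protection, and shows which principals can force a password reset on each, the path the advisory above describes. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), read access to the domain, and the well-known schema GUIDs for the replication and force-password-change extended rights.

```powershell
# Added audit example; not the article's, Preempt's or Microsoft's code.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) and
# read access to the domain. Run from a domain-joined machine.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs from the AD schema
$ReplGetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$ReplGetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$ForceChangePwd    = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password

$domainDN = (Get-ADDomain).DistinguishedName

# Allow ACEs on the domain root that grant either replication right
$replAces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq $ReplGetChanges -or $_.ObjectType -eq $ReplGetChangesAll)
}

# One pass per trustee, so an account holding both rights is reported once
foreach ($group in ($replAces | Group-Object { $_.IdentityReference.Value })) {
    # Resolve the trustee to a SID, then to an AD object; skip anything that is not a user
    try {
        $sid = $group.Group[0].IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch { continue }
    $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties adminCount, objectClass
    if (-not $obj -or $obj.objectClass -ne 'user') { continue }

    # adminCount=1 marks objects kept in sync with AdminSDHolder, i.e. members of protected groups.
    # A replication-capable user without it is the kind of "stealthy admin" the article describes.
    if ($obj.adminCount -eq 1) { continue }

    $rights = $group.Group | ForEach-Object {
        if ($_.ObjectType -eq $ReplGetChangesAll) { 'Get-Changes-All' } else { 'Get-Changes' }
    } | Sort-Object -Unique

    # Trustees allowed to force a password reset on this account: each one is a path to its privileges
    $resetters = (Get-Acl -Path "AD:\$($obj.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $ForceChangePwd } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [PSCustomObject]@{
        Account          = $group.Name
        Container        = ($obj.DistinguishedName -split ',', 2)[1]
        ReplicationRight = $rights -join ', '
        CanResetPassword = $resetters -join '; '
    }
}
```

With default permissions only domain controllers and the built-in Administrators hold these rights, so any user account that appears in the output, and every principal listed under CanResetPassword for it, deserves the same monitoring as a protected-group admin.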
Microsoft’s solution going forward is an ‘improvement’ to Azure AD Connect that ensures that the account it creates will in future have the recommended permissions. For Azure users who have already used AD Connect, Microsoft says, “You can use the PowerShell script available at Prepare Active Directory Forest and Domains for Azure AD Connect Sync to help you implement the permission changes on the AD DS account.”
The Microsoft fix is not a patch for existing implementations. AD Connect will be updated so that its future use will not lead to a stealthy MSOL account. For existing implementations, it is releasing a script that will find and move the MSOL account to a safe location.
It is worth noting, however, that MSOL is unlikely to be the only stealthy admin on a network. While this Microsoft fix will detect the MSOL stealthy admin, it will not solve the problem of other stealthy accounts.
“We’re seeing this in almost all of our customers,” commented Sancheti. “We have never installed the product with any customer without finding at least one or more stealthy admins – usually anything between 5 and 100. Because of the complexity of Active Directory, it is quite common for one account to be given access to another account without ever realizing what permissions are quietly inherited in the process.”
Preempt has developed and released a free tool called Preempt Inspector. “Its purpose is to detect all stealthy accounts that are often innocently created through configuration errors – but that create a hidden risk for the network.”