Preempt Finds Flaw in Office 365 with Azure AD Connect Which Could Result in Domain Compromise
Vulnerability Points to Broader Issue for Companies Moving to the Cloud
SAN FRANCISCO – December 12, 2017 – Preempt, a leader in adaptive threat prevention that helps enterprises eliminate insider threats and security breaches, today announced its research team has uncovered a vulnerability with Microsoft Office 365 when integrated with an on-premises Active Directory Domain Services (AD DS) using Azure AD Connect software that unnecessarily gives users elevated administrator privileges, making them “stealthy” administrators. Preempt provided responsible disclosure to Microsoft which has issued a customer security advisory today regarding the vulnerability.
Preempt discovered this surprising issue was occurring when customers were installing Microsoft Office 365 with Azure AD Connect software for on-premise AD DS integration (hybrid deployment). Preempt customers have been protected from this flaw since October by providing in-depth defense with both alerting on stealthy administrators and real-time prevention when suspicious behavior is detected.
“Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges indirectly through domain discretionary access control list (DACL) configuration,” said Roman Blachman, CTO and co-founder at Preempt. “We refer to these users as stealthy admins. The majority of our customers’ have Office 365 hybrid deployments and almost every one of them were vulnerable to this because Azure AD Connect was installed in express settings and created this flaw.”
This discovered vulnerability points to a much larger issue as more companies move to the cloud. This vulnerability piles on to previously detected issues, including Microsoft Advisory 4033453, that has discovered an issue with writeback feature – granting Azure AD administrators complete control over on-premises AD DS infrastructure. Privileged users are often overlooked and are not managed correctly when synchronized with the cloud, due to limited toolset in comparison to the on-premises solutions. With the introduced cloud identity management, new management and security challenges are introduced.
By identifying stealthy administrative accounts through not-so-obvious delegation, Preempt helps enterprises ensure that privileged accounts are used consistent with corporate security policies. Unlike privileged identity management (PIM) or privileged access management (PAM) solutions that lack support for behavioral policy and adaptive response, Preempt is able to understand the full relational context of user identity and behavior allowing enterprises to not only identify such risks as MSOnline (MSOL) privilege escalations, but also detect and proactively prevent compromise of such accounts. Without Preempt’s real-time discovery, detection and enforcement, the possibility of a malicious attacker being able to gain domain administrator privileges through such vulnerabilities and cause damage, is significant for enterprises.
For organizations who need to determine if they are at risk of stealthy administrators in their organization either from cloud environments such as the Azure AD Connect account flaw or for other reasons, Preempt has developed a free tool, Preempt Inspector, that can provide a free enterprise health assessment for passwords, stealthy administrators and more.
The Free Preempt Inspector tool can be downloaded here: http://inspector.preempt.com.
To learn more about the Microsoft vulnerability, or to learn how to protect your organization for this flaw or from stealthy administrators in general, check out the following resources:
- How organizations can protect themselves from stealthy admins and this flaw
- How the Azure AD Connect flaw can be exploited