Enterprises Using AD Connect at Risk of Stealthy Admins

Researchers have discovered a problem with AD Connect in an Office 365 hybrid AD environment.  In this situation, hybrid means both onsite Active Directory and cloud Active Directory.  This is the environment that most Office 365 users who federate accounts use.

The bug was discovered earlier this month by Preempt, a vendor of cyber security tools.

The result is users with unexpected and undesired elevated privileges.  While many tools will detect normal AD administrators, this particular flaw creates admins that are not obvious.

In this case, the flaw grants users elevated privileges through  Domain Discretionary Access Control List (DACL) configuration.  Preempt calls them stealthy administrators.

Curiously, this bug is only present if users installed AD Connect in EXPRESS MODE.

This is in addition to the problems related to AD Writeback (Microsoft KB 4033453) which grants Azure admins complete control over on premise AD.

As people rush to the cloud it is not surprising that there are unintended consequences.  The cloud is still very new.  The Internet is very new.  In the grand scheme of things, computers are relatively new. And, cloud computing itself is moving at an incredible velocity.

What there is to do is stay on top of these issues and apply the appropriate fixes as they are released.  An not panic.  It does not appear that this is the kind of flaw that is easy for hackers to exploit.

In the meantime, Preempt has created a free tool that allows admins to detect any accidentally created stealthy admins;  the link to the tool can be found in the article below.

Information for this post came from Preempt.

by