Cloud Admins, AADConnect and Privilege Increase Issues

Posted on Leave a commentPosted in AADConnect, AADSync, AdminSDHolder, Office 365, server administrator

Microsoft recommends that you stay on top of version updates to AADConnect.

In version 1.1.553.0, which became available in June 2017, there is a reference to a gain in admin privileges that could be possible with password writeback (part of Azure AD Premium and EMS licences) that hints at a security issue. The following is what I think the issue is, and therefore why you should be running 1.1.553.0 or later.

Global admins can change the password of AD admins using Azure Portal. This is an issue if you consider the following scenario – if the GA was just a delegated admin to an OU or not an admin to AD at all (i.e. cloud only admin) they would not be able to reset privileged accounts in AD, but with password writeback prior to v 1.1.553.0 they are able to do this and gain an on-premise privilege they did not have.

Or, of course, malicious actor takes over GA account and now have access to all on-premises admin accounts.

Following version 1.1.553.0 and later, only the owner of a privileged account can change it via password writeback.

So, if you have cloud admins that are not on-premises admins, or are just delegated admins on-premises, upgrade to 1.1.553.0 now.

This issue only affects customers who have enabled the Password writeback feature on Azure AD Connect. To determine if the feature is enabled:

  1. Login to your Azure AD Connect server.
  2. Start Azure AD Connect wizard (START → Azure AD Connect).
  3. On the Welcome screen, click Configure.
  4. On the Tasks screen, select View current configuration and click Next.
  5. Under Synchronization Settings, check if Password Writeback is enabled.

Mt803213.EB9A43C32235251CEBA30763CA023255(en-us,Security.10).png

For information on how to upgrade Azure AD Connect, refer to Azure AD Connect: Learn how to upgrade from a previous version to the latest.

The latest version of Azure AD Connect addresses this issue by blocking Password writeback request for on-premises AD privileged accounts unless the requesting Azure AD Administrator is the owner of the on-premises AD account. More specifically, when Azure AD Connect receives a Password writeback request from Azure AD:

  • It checks if the target on-premises AD account is a privileged account by validating the AD adminCount attribute. If the value is null or 0, Azure AD Connect concludes this is not a privileged account and permits the Password writeback request.
  • If the value is not null or 0, Azure AD Connect concludes this is a privileged account. Next, it then validates whether the requesting user is the owner of the target on-premises AD account. It does so by checking the relationship between the target on-premises AD account and the Azure AD account of the requesting user in its Metaverse. If the requesting user is indeed the owner, Azure AD Connect permits the Password writeback request. Otherwise, the request is rejected.

Installing and Configuring AD RMS and Exchange Server

Posted on 4 CommentsPosted in 2007, 2008 R2, 2010, active directory, certificates, exchange, exchange online, microsoft, networking, Office 365, organization relationships, owa, rms, server administrator

Earlier this week at the Microsoft Exchange Conference (MEC 2012) I led a session titled Configuring Rights Management Server for Office 365 and Exchange On-Premises [E14.314]. This blog shows three videos covering installation, configuration and integration of RMS with Exchange 2010 and Office 365. For Exchange 2013, the steps are mostly identical.

Installing AD RMS

This video looks at the steps to install AD RMS. For the purposes of the demonstration, this is a single server lab deployment running Windows Server 2008 R2, Exchange Server 2010 (Mailbox, CAS and Hub roles) and is the domain controller for the domain. As it is a domain controller, a few of the install steps are slightly different (those that are to do with user accounts) and these changes are pointed out in the video, as the recommendation is to install AD RMS on its own server or set of servers behind a IP load balancer.

Configuring AD RMS for Exchange 2010

The second video looks at the configuration of AD RMS for use in Exchange. For the purposes of the demonstration, this is a single server lab deployment running Windows Server 2008 R2, Exchange Server 2010 (Mailbox, CAS and Hub roles) and is the domain controller for the domain. This video looks at the default ‘Do Not Forward’ restriction as well as creating new templates for use in Exchange Server (OWA and Transport Rules) and then publishing these templates so they can be used in Outlook and other Microsoft Office products.

 

Integrating AD RMS with Office 365

The third video looks at the steps needed to ensure that your Office 365 mailboxes can use the RMS server on premises. The steps include exporting and importing the Trusted Publishing Domain (the TPD) and then marking the templates as distributed (i.e. available for use). The video finishes with a demo of the templates in action.

Installing Dell Open Manage 7.1 on Hyper-V R2 Servers

Posted on Leave a commentPosted in 2008, 2008 R2, 2012, dell, hyper-v, openmanage, osma, server administrator, server core, windows server

This set of instructions goes through the process for installing Dell Open Manager on Windows Server 2008 R2 and Windows Server 2012.

  1. Download both the 6.5 and 7.1 versions of Dell Open Manage
    • You need to install 6.5 first, or you will get errors about “omchecks has stopped working” failing during the RunPreReqChecks process and an error about “Failed to load OMIL Library” when running the actual installer.

image

image

  1. On the server run Dism /online /enable-feature /featurename:SNMP-SC to install SNMP
  2. After downloading 6.5 expand the zip to c:\OpenManage65 and if needed copy to the server you are installing on, or burn a DVD and insert it into the server in question.
  3. Install Open Manage 6.5 with the following steps
    1. cd c:\OpenManage65\windows\prereqchecker
    2. runprereqchecks /s
    3. echo Return Code = %ERRORLEVEL%
    4. Check the Return Code with the codes listed at http://support.dell.com/support/edocs/software/smsom/6.1/en/ug/HTML/prereqch.htm#wp1053477
    5. Fix any errors listed. You should get a 2 as the Return Code. You might need to view the prereqchecker HTML file that it creates. This is made in your temp directory. Cd %TEMP% to see what this is. It will be something like c:\Users\username\AppData\Local\Temp\2. To open the HTML output file connect to this temp folder from a machine with IE installed on it and open omprereq.htm. Fix any listed errors.
    6. cd c:\OpenManage65\windows\SystemsManagement
    7. msiexec /i SysMgmt.msi
    8. Choose Custom and add the Remote Enablement option.
  4. Allow remote access to TCP port 1311 (the Open Manage web server port) using netsh advfirewall firewall add rule name="Dell OpenManage Server Administrator Web GUI" dir=in action=allow protocol=TCP localport=1311
  5. Install Open Manage 7.1. The steps here are similar, just from the directory containing version 7.1 instead.
    1. cd c:\OpenManage71\windows\prereqchecker
    2. runprereqchecks /s
    3. echo Return Code = %ERRORLEVEL%
    4. Check the Return Code with the codes listed at http://support.dell.com/support/edocs/software/smsom/6.1/en/ug/HTML/prereqch.htm#wp1053477
    5. Fix any errors listed. You should get a 2 as the Return Code. You might need to view the prereqchecker HTML file that it creates. This is made in your temp directory. Cd %TEMP% to see what this is. It will be something like c:\Users\username\AppData\Local\Temp\2. To open the HTML output file connect to this temp folder from a machine with IE installed on it and open omprereq.htm. Fix any listed errors.
    6. cd c:\OpenManage71\windows\SystemsManagement
    7. msiexec /i SysMgmt.msi
    8. Choose Custom and add the Remote Enablement option (though as this is now an upgrade it should already be selected).
  6. Finish by browsing to https://remoteserver:1311 not forgetting the s in https. You will get a certificate error and once connected you can replace this if you wish or are required to by corporate policies.
  7. With thanks to the following two blogs: