How Microsoft Improved Its Identity Products & Services, December 2022
Christmas is arguably one of the few time periods every year, where droves of IT people are off...
Sander Berkouwer
A new year has dawned . . . and there's smooth sailing with Active Directory updates.
In the January 2023 cumulative updates for all current versions of Windows Server, Microsoft addressed two LDAP vulnerabilities affecting Domain Controllers:
- CVE-2023-21676 is a vulnerability in the Lightweight Directory Access Protocol (LDAP) that could allow an authenticated adversary remote code execution on Windows Server installations, configured as Domain Controllers. The attack is a low complexity attack over the network.
- CVE-2023-21557 is a vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) that could allow an unauthenticated adversary to bypass a buffer length check, which could be leveraged to achieve an information leak. To achieve this, a specially crafted request merely needs to be sent to a vulnerable Domain Controller over the network.
The combination of these two vulnerabilities felt uncomfortable on Patch Tuesday itself. There was a risk that this update was another rogue update that could affect the availability and/or integrity of Domain Controllers. On the other hand, not updating meant that Domain Controllers would go down during the next red team exercise, or whenever an attacker got their hands on an exploit and a way to abuse the second vulnerability…
After the rocky November 2022 updates and the subsequent fixes in an out-of-band update and the December 2022 cumulative updates, it’s a relief that the January 2023 cumulative updates for Windows Server can be evaluated as ‘safe’ updates.
The end of the line for Windows Server 2008 and 2008 R2
Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made updates available for all Windows Server platforms through the Extended Security Update program. The January 10, 2023, updates are the last updates for these platforms. If you have any Domain Controllers running Windows Server 2008 R2, or earlier versions of Windows Server, migrating, in-place upgrading, or transitioning to a newer version of Windows Server should be your top priority.
There are many benefits to upgrading to newer versions of Windows Server on Domain Controllers and to newer forest functional levels. Starting with the Windows Server 2012 Active Directory Domain Functional Level (DFL) you get Kerberos support for claims and the Windows Server 2012 R2 level brings additional features to the Protected Users security group. Starting with Windows Server 2016, Domain Controllers offer all the greatness you need for Windows Hello for Business Hybrid Access. Windows Server 2019 and Windows Server 2022 (the current version of Windows Server, and the n-1 version) are the main focus of the Active Directory engineering team, so getting to these versions is a big plus, even if the Windows Server 2016 functional levels are the highest ones available.
Microsoft Authenticator
With version 6.7.2 of the Microsoft Authenticator app for iOS, Microsoft has removed the Authenticator Companion app for Apple watches. It simply isn’t compatible with the Number Matching feature that Microsoft will be pushing from the end of February 2023 (planned).
Azure Active Directory
The Authenticator app is still one of the best and user-friendly methods to fulfill the requirement to perform multi-factor authentication, but many organizations are looking to decommission older and less-safe methods. Next to the Authentication Strengths feature (still in Public Preview), Microsoft is now actively promoting a method to manage all the authentication methods in one place. In the Azure AD portal and Entra portal, on the Authentication Methods blade, Microsoft announces that starting January 2024, the legacy multi-factor authentication policies (in the PhoneFactor portal) and self-service password reset policies (underneath Password Reset) will be deprecated. The Authentication Methods blade becomes the place to manage all authentication methods. Organizations can now pre-sort for this change by managing the migration (Preview):
Another feature in cross-organization collaboration, labeled Cross-tenant synchronization was also released as Public Preview for organizations using Azure AD. This new feature goes beyond the Azure AD B2B Direct Connect functionality by granting access to more than Teams Shared Channels and does away with the invitation redemption process that is still associated with ‘normal’ B2B and the self-signup functionality in both Azure AD and Azure AD B2C.
Azure AD Connect Cloud Sync
When working with Azure AD Connect Cloud Sync, admins were surprised by the new admin experience. With a guided experience for first-time configuration, and more intuitive controls, Microsoft aims to lower the threshold for admins to switch from Azure AD Connect Sync to Azure AD Connect Cloud Sync.
Admins who were on the fence about Azure AD Connect for its inability to synchronize attributes from custom Active Directory schema extensions, there is also good news. Azure AD Connect Cloud Sync now supports this functionality, bringing it closer to Azure AD Connect Sync. However, there are still a lot of features that don’t work with Azure AD Connect Cloud Sync. I can’t wait for the team to support Exchange Hybrid WriteBack, myself.
Defender for Identity
Wouldn’t it make you sad if something happened to Defender for Identity monitoring your Domain Controllers? That’s the question the team has asked itself. In version 2.196, released on January 10, 2023, Microsoft introduced new health alerts for its Defender for Identity sensors. You’ll receive alerts when auditing is (no longer) configured correctly in Active Directory and/or when Domain Controllers are (suddenly) configured with inappropriate Power settings.
If hunting is your game, then the team also got your back. They added MITRE ATT&CK information to the IdentityLogonEvents, IdentityDirectoryEvents and IdentityQueryEvents tables in Microsoft 365 Defender Advanced Hunting. In the AdditionalFields column, admins can find details about the Attack Techniques and the Tactic (Category) associated with some activities.
Concluding
The Identity division at Microsoft has delivered great new value in January 2023. They didn’t even need to break anything to get the functionality to us. Let’s see if the February 2023 cumulative updates offer the same great experience…
Do you need Active Directory Monitoring and Reporting?
Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users who have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.
Access your FREE 14-day trial to accelerate your security awareness and simplify your compliance audits.
