How Microsoft Improved Its Identity Products and Services - September 2022
Microsoft’s identity portfolio consists of many products, like Active Directory, AD FS, Azure AD...
Active Directory, AD CS, Azure AD Connect, and Azure MFA Server are all Microsoft on-premises identity products. From the cloud side of things, Azure AD and Defender for Identity swoop in. All these products and services saw updates and improvements this last month. Let’s make sure you didn’t miss a thing!
Hot on the heels of the Windows 11 2022 Update, Windows 10 also received its 22H2 update, with build number 19045. The 2022 update for Windows 10 isn’t as feature-rich as the one for Windows 11, but the features are still very welcome. Just like Windows 11, Windows 10 received new Group Policy settings. However, the handful of Windows 10 settings is no match for the over 70 settings that were introduced with Windows 11 22H2.
On Tuesday, October 11, 2022, Microsoft introduced domain join hardening changes to address the elevation of privilege vulnerability in Active Directory known as CVE-2022-38042. These protections intentionally prevent domain join operations from reusing an existing computer object, unless the account performing the join is the creator (owner) of that object, or the object was created by a member of the Domain Admins security group. These checks are performed before any delegated permissions in Active Directory are consulted, so a service account that merely has "reset password" and "write" rights on the object no longer passes. For some organizations, typically those with imaging or deployment pipelines that pre-create computer objects with one account and join with another, these new hardening changes will break things. The checks are implemented client-side and can be disabled on the joining machine with a registry value if need be, but treat that as a temporary workaround while you fix the ownership of the objects.
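To see ahead of time whether a re-join will be refused, the following added example (not from the original post) applies the two ownership rules above to an existing computer object for a given join account. It assumes the RSAT ActiveDirectory module and that the object's security descriptor owner is what the checks treat as the "creator"; the computer and account names are placeholders.

```powershell
# Added example, not from the original post: check whether an existing computer object
# would pass the October 2022 domain-join account-reuse checks (CVE-2022-38042) for a given
# join account. Assumes the RSAT ActiveDirectory module and that the object's security
# descriptor owner is what the checks treat as the "creator" of the object.
function Test-ComputerAccountReuse {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $JoinAccount = "$env:USERDOMAIN\$env:USERNAME"
    )
    Import-Module ActiveDirectory

    $computer = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Properties nTSecurityDescriptor
    if (-not $computer) {
        return [pscustomobject]@{ Computer = $ComputerName; Exists = $false; ReuseAllowed = $true
                                  Owner = $null; Reason = 'no existing object; a fresh join is unaffected' }
    }

    $ownerSid  = $computer.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $joinerSid = ([System.Security.Principal.NTAccount] $JoinAccount).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $domainAdminsSid = "$((Get-ADDomain).DomainSID.Value)-512"   # RID 512 is the Domain Admins group

    # Rule 1: the join account created (owns) the object.
    if ($ownerSid -eq $joinerSid) {
        $allowed = $true;  $reason = 'join account owns the existing object'
    }
    # Rule 2a: objects created by administrators are owned by the Domain Admins group itself.
    elseif ($ownerSid -eq $domainAdminsSid) {
        $allowed = $true;  $reason = 'object is owned by Domain Admins'
    }
    # Rule 2b: ...or by an individual (possibly nested) member of Domain Admins.
    elseif ((Get-ADGroupMember -Identity $domainAdminsSid -Recursive | ForEach-Object { $_.SID.Value }) -contains $ownerSid) {
        $allowed = $true;  $reason = 'object owner is a member of Domain Admins'
    }
    else {
        $allowed = $false
        $reason  = "owner $ownerSid is neither the join account nor (a member of) Domain Admins; delegated ACEs are not consulted"
    }

    [pscustomobject]@{ Computer = $ComputerName; Exists = $true; ReuseAllowed = $allowed; Owner = $ownerSid; Reason = $reason }
}

# Usage (placeholder names): run before re-imaging a machine whose object still exists.
Test-ComputerAccountReuse -ComputerName 'WS-0042' -JoinAccount 'CORP\svc-imaging'
```

If reuse is refused and the deployment process cannot be changed right away, the knowledge base article for this change documents the client-side override: the DWORD value NetJoinLegacyAccountReuse set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\LSA on the joining machine. Remove it again once the objects are owned by the right account.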
When applying updates to Windows 10 devices and remote desktop hosts, be aware that Microsoft applied an out-of-band update to address OneDrive synchronization problems, so make sure to roll that one out, too.
As certificates are credentials, too, Active Directory Certificate Services (AD CS) received a critical update to harden its configuration as part of the same October ‘B’ updates on Tuesday, October 11, 2022. If successfully exploited, the elevation of privilege vulnerability known as CVE-2022-37976 hands an adversary Domain Admin privileges. Exploiting it is not trivial, though: a malicious DCOM client would need to coerce a DCOM server into authenticating to it through AD CS and then use that credential in a cross-protocol attack. The same update also addresses CVE-2022-37978, a security feature bypass that requires an Adversary-in-the-Middle (AitM) position between the client and AD CS.
It's time to patch those Certification Authorities again. That also means booting that offline Root CA and applying updates to it once again. You haven’t forgotten about that server or deleted it from your virtualization platform, right?
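To find out which CAs still need the October update, the following added example (not from the original post) enumerates the enterprise CAs published in the forest and reports the date of the most recent hotfix on each host. It assumes the RSAT ActiveDirectory module and DCOM/WMI access to the CA hosts for Get-HotFix. An offline root CA is not an enterprise CA and will not show up here, which is precisely why it is so easy to forget.

```powershell
# Added example, not from the original post: list the enterprise CAs published in the
# forest's Enrollment Services container and report whether each host has a Windows update
# installed on or after Patch Tuesday, October 11, 2022. Assumes the RSAT ActiveDirectory
# module and DCOM/WMI access to the CA hosts for Get-HotFix. An offline root CA is not an
# enterprise CA and is not listed here; that one you still power on and check by hand.
function Get-EnterpriseCAPatchStatus {
    param([datetime] $PatchDate = [datetime]'2022-10-11')
    Import-Module ActiveDirectory

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $enrollmentServices = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $enrollmentServices -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties dNSHostName |
        ForEach-Object {
            $caHost = $_.dNSHostName
            try {
                # Win32_QuickFixEngineering does not always record InstalledOn; drop entries without it.
                $latest = Get-HotFix -ComputerName $caHost -ErrorAction Stop |
                    Where-Object { $_.InstalledOn } |
                    Sort-Object InstalledOn -Descending |
                    Select-Object -First 1
                $status = if (-not $latest) { 'unknown (no dated hotfixes); inspect manually' }
                          elseif ($latest.InstalledOn -ge $PatchDate) { 'patched on or after October 2022' }
                          else { 'BEHIND: latest update predates October 2022' }
            }
            catch {
                $latest = $null
                $status = "unreachable: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                CA          = $_.Name
                Host        = $caHost
                LatestKB    = $latest.HotFixID
                InstalledOn = $latest.InstalledOn
                Status      = $status
            }
        }
}

Get-EnterpriseCAPatchStatus | Format-Table -AutoSize
```

Treat "unknown" as "go look": on some builds the cumulative update is recorded without a date, so the absence of a dated entry is not proof of an unpatched host.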
For next month’s cumulative update, Microsoft announced improvements to Active Directory replication performance in large environments on Windows Server 2022-based Domain Controllers. These changes are already available in the October 2022 preview update for that Operating System. As there is no Windows Server 2019 or even a Windows Server 2022 functional level in Active Directory, and thus no way to guarantee that Domain Controllers do not run earlier Windows Server Operating Systems, I’m guessing these improvements will also make their way to Windows Server 2016 and Windows Server 2019.
Ever since Defender for Identity started supporting Active Directory Federation Services (AD FS) in January 2021, its detections of AD FS abuse have been basic. This summer, Microsoft disclosed MagicWeb, a Nobelium post-compromise capability that replaces a legitimate AD FS DLL on an already compromised federation server so that the adversary can authenticate as any user in the organization. This month, Microsoft introduced an AD FS-specific alert that fires when that particular attack pattern occurs. Organizations running AD FS now at least get a detection for MagicWeb-style abuse. Keep in mind that MagicWeb requires administrative access to the AD FS server in the first place, so the alert complements a tiered administrative model and hardening of the AD FS hosts; it does not remove the need for them.
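Because MagicWeb works by swapping a signed Microsoft DLL for an unsigned malicious one, the integrity of the AD FS binaries is something you can check yourself on each federation server. The following added example (not from the original post, and not how Defender for Identity implements its alert) verifies the Authenticode signature of the DLLs under the AD FS install directory and of the GAC copies of the Microsoft.IdentityServer assemblies. The paths are assumptions for a default installation.

```powershell
# Added example, not from the original post: a hunting check for the tampering pattern behind
# MagicWeb, which swaps a legitimate AD FS DLL for an unsigned malicious one. It verifies the
# Authenticode signature of every DLL under the AD FS install directory and of the GAC copies of
# the Microsoft.IdentityServer assemblies, and returns anything not validly signed by Microsoft.
# The paths are assumptions for a default installation; run it on each AD FS server.
function Find-UntrustedAdfsBinary {
    param(
        [string[]] $Path = @("$env:SystemRoot\ADFS", "$env:SystemRoot\Microsoft.NET\assembly\GAC_MSIL")
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $isGac = $root -like '*\GAC_MSIL'
        Get-ChildItem -LiteralPath $root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
            # In the GAC only the AD FS assemblies are of interest; under \ADFS check everything.
            Where-Object { -not $isGac -or $_.Name -like 'Microsoft.IdentityServer*' } |
            ForEach-Object {
                $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $signer  = $sig.SignerCertificate.Subject
                $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
                if (-not $trusted) {
                    [pscustomobject]@{
                        Path         = $_.FullName
                        SigStatus    = $sig.Status
                        Signer       = $signer
                        LastWriteUtc = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

# Anything returned deserves a look; a recently modified, unsigned Microsoft.IdentityServer.*.dll
# is exactly the MagicWeb pattern.
Find-UntrustedAdfsBinary | Format-Table -AutoSize
```

Run it from a known-good management host where possible, and compare the LastWriteUtc of any hit with your change records; a legitimate AD FS update touches these files too, but leaves them signed.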
During Microsoft Ignite, Microsoft introduced some new Microsoft Entra features that really merge the individual services into one Entra family. Admins could already manage Azure AD, Permissions Management, and Verified ID through the Entra admin center, but this portal got a whole lot more interesting with last month’s additions.
On the Identity Governance side of things (known for the Entitlement Management, Access Reviews and Privileged Identity Management features), Microsoft introduced Lifecycle Workflows as a Public Preview. Lifecycle Workflows enable admins to build custom workflows that automate onboarding and offboarding tasks, managing cloud users' lifecycles at scale and as a service.
To secure workload identities, Microsoft introduced new management features for service principals (the tenant-side objects behind app registrations) and managed identities. Starting next month, admins can apply Conditional Access policies, Access Reviews, and Identity Protection to these identities. These features will be introduced in Preview first.
Existing Azure AD Premium customers also received goodies at Microsoft Ignite. As part of Conditional Access, Microsoft introduced Authentication Strengths as a Public Preview.
As looking at the menu for your organization’s cafeteria requires a different authentication assurance level than signing in as a Global Administrator, the requirements for multi-factor authentication may also differ. The organization might be fine with a text message to view the menu, but require a FIDO2 security key for all privileged and financially sensitive operations. Authentication Strengths come with three built-in strengths (multifactor, passwordless, and phishing-resistant), but in the Authentication Methods pane admins can define their own strengths, too, as a list of allowed method combinations.
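The following added example (not from the original post) puts the cafeteria-versus-Global-Administrator idea into practice through Microsoft Graph: it defines a lenient and a hardware-backed custom strength and then creates a report-only Conditional Access policy that requires the strict one for Global Administrators. It assumes the Microsoft.Graph PowerShell SDK, an account that can consent to the two scopes, and the v1.0 endpoints (during the 2022 preview these lived under /beta); the names and descriptions are illustrative.

```powershell
# Added example, not from the original post: two custom authentication strengths (one lenient,
# one hardware-backed) and a report-only Conditional Access policy that requires the strict one
# for Global Administrators. Assumes the Microsoft.Graph PowerShell SDK, an account that can
# consent to the scopes below, and the v1.0 endpoints (in the 2022 preview these lived under /beta).
# Names and descriptions are illustrative.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess'
$graph = 'https://graph.microsoft.com/v1.0'

function New-AuthStrength {
    param([string] $Name, [string] $Description, [string[]] $AllowedCombinations)
    # Each entry is a comma-separated combination of authenticationMethodModes values.
    Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/authenticationStrengthPolicies" -Body @{
        displayName         = $Name
        description         = $Description
        allowedCombinations = $AllowedCombinations
    }
}

# Cafeteria-menu tier: password plus a phone-based second factor is acceptable.
$lowTier = New-AuthStrength -Name 'Low assurance (example)' -Description 'Password plus SMS or push' `
    -AllowedCombinations @('password,sms', 'password,microsoftAuthenticatorPush')

# Privileged tier: only phishing-resistant, hardware- or certificate-backed methods.
$highTier = New-AuthStrength -Name 'Privileged operations (example)' -Description 'FIDO2, WHfB or MFA certificate only' `
    -AllowedCombinations @('fido2', 'windowsHelloForBusiness', 'x509CertificateMultiFactor')

# Require the high tier for Global Administrators, in report-only mode first.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator directory role template
$policy = @{
    displayName   = 'Require hardware-backed MFA for Global Administrators (example)'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users        = @{ includeRoles = @($globalAdminTemplateId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $highTier.id }
    }
}
$result = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $policy
"Created policy $($result.id) requiring strength $($highTier.id); low tier $($lowTier.id) is available for other policies"
```

Start in report-only mode and check the sign-in logs for administrators who would be locked out, because an administrator without a registered FIDO2 key, Windows Hello for Business or a multi-factor certificate cannot satisfy the strict strength at all. Keep at least one break-glass account excluded from the policy.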
The Authenticator app’s push notifications also got hardened. Both the number matching feature and the additional context feature (showing the application name and sign-in location in the prompt) are now generally available. Be precise about what that buys you: it hardens push approvals against MFA fatigue and accidental approvals, but it does not make the Authenticator app phishing-resistant in the way FIDO2 keys, Windows Hello for Business and certificate-based authentication are, which is why those three, and not push, back the built-in phishing-resistant authentication strength. Microsoft intends to enable number matching for all tenants that have the setting left at the default ‘Microsoft-managed’ option starting February 28, 2023.
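Rather than waiting for the Microsoft-managed rollout, you can enforce number matching and additional context for everyone today. The following added example (not from the original post) does so through the beta authentication methods policy in Microsoft Graph, where the numberMatchingRequiredState feature setting is exposed; it assumes the Microsoft.Graph PowerShell SDK, and the property names are those of the microsoftAuthenticatorAuthenticationMethodConfiguration resource as I know them, so verify them against the current documentation before running.

```powershell
# Added example, not from the original post: enable number matching and additional context in the
# Microsoft Authenticator policy for all users now, instead of waiting for the Microsoft-managed
# rollout. Assumes the Microsoft.Graph PowerShell SDK and the beta authentication-methods policy
# resource, where the numberMatchingRequiredState feature setting is exposed (property names are
# those of microsoftAuthenticatorAuthenticationMethodConfiguration; verify against current docs).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'
$uri = 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator'

function Set-AuthenticatorFeatureSettings {
    param([string] $TargetGroupId = 'all_users')   # 'all_users' is the built-in "everyone" target
    $everyone = @{ targetType = 'group'; id = $TargetGroupId }
    $body = @{
        '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        featureSettings = @{
            numberMatchingRequiredState             = @{ state = 'enabled'; includeTarget = $everyone }
            displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = $everyone }
            displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = $everyone }
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body
    # Read back what the tenant now enforces, so the change can be confirmed and logged.
    (Invoke-MgGraphRequest -Method GET -Uri $uri).featureSettings
}

Set-AuthenticatorFeatureSettings
```

The read-back at the end is deliberate: a PATCH that silently ignores an unknown property still returns 204, so confirm the state from the GET rather than from the absence of an error.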
Starting February 1, 2023, Microsoft stops supporting Azure AD Connect cloud provisioning agent installations with versions 1.1.818.0 and below. An update window of just seven months might seem like a relatively short support cycle, but under normal circumstances the agent updates itself automatically, so only installations where auto-upgrade is broken or blocked should be affected.
When using Azure AD Connect cloud sync, or provisioning accounts from Workday and/or SuccessFactors, make sure all agent installations are up to date.
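To find agents that auto-upgrade has left behind, the following added example (not from the original post) reads the installed provisioning agent version from the Uninstall registry keys on one or more agent hosts and flags anything at or below 1.1.818.0. It assumes the agent registers itself under the display name shown (an assumption based on the product name) and that the remote hosts accept PowerShell remoting.

```powershell
# Added example, not from the original post: report the installed Azure AD Connect Provisioning
# Agent version on one or more agent hosts and flag anything at or below 1.1.818.0, the last
# version Microsoft stops supporting on February 1, 2023. Assumes the agent registers itself in the
# standard Uninstall registry keys under the display name matched below (an assumption) and that
# remote hosts accept PowerShell remoting.
function Get-ProvisioningAgentSupportStatus {
    param(
        [string[]] $ComputerName    = @($env:COMPUTERNAME),
        [version]  $LastUnsupported = '1.1.818.0'
    )
    $readAgents = {
        $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect Provisioning Agent*' } |
            Select-Object DisplayName, DisplayVersion
    }
    foreach ($c in $ComputerName) {
        try {
            $agents = if ($c -eq $env:COMPUTERNAME) { & $readAgents }
                      else { Invoke-Command -ComputerName $c -ScriptBlock $readAgents -ErrorAction Stop }
        }
        catch {
            [pscustomobject]@{ Computer = $c; Agent = $null; Version = $null; Status = "unreachable: $($_.Exception.Message)" }
            continue
        }
        if (-not $agents) {
            [pscustomobject]@{ Computer = $c; Agent = $null; Version = $null; Status = 'no provisioning agent installed' }
            continue
        }
        foreach ($a in $agents) {
            $v = [version] $a.DisplayVersion
            [pscustomobject]@{
                Computer = $c
                Agent    = $a.DisplayName
                Version  = $v
                Status   = if ($v -gt $LastUnsupported) { 'supported' } else { 'UNSUPPORTED after 2023-02-01: upgrade' }
            }
        }
    }
}

# Usage (placeholder host names): point it at every server that runs a cloud sync or HR-provisioning agent.
Get-ProvisioningAgentSupportStatus -ComputerName 'SYNC01', 'SYNC02' | Format-Table -AutoSize
```

An agent that reports an old version despite auto-upgrade usually means the host cannot reach the update endpoints; fixing that outbound connectivity is the real remediation, not a one-off manual upgrade.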
Active Directory is at the core of nearly every networking environment. Whether your organization also uses Active Directory Certificate Services (AD CS) or Active Directory Federation Services (AD FS), last month’s updates raise the bar for information security.
You might think that these changes are nothing compared to the new features Microsoft introduces in Azure AD. However, all of these changes serve the same purpose: making identity more secure, as identity is the new battleground.
Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.
Access your FREE 14-day trial to accelerate your security awareness and simplify your compliance audits. Includes entire library of reports.
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities, but his out-of-the-box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is a small challenge compared to his true goal: helping people use the technology on a daily basis, in a way that ICT is not a mere hurdle but an infinite enabler. His work as a consultant, blogger and trainer are all means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) awards, Veeam Vanguard status and extensive certifications aid him. Through direct communications with the product teams in Redmond, he remains up to date, exchanges feedback and accelerates support.