Microsoft enhanced its identity-related products and services.

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

Microsoft on-premises identity products include Active Directory, AD CS, Azure AD Connect, and Azure MFA Server. Azure AD and Defender for Identity join the fray from the cloud. This month, all of these products and services received updates and improvements. Let’s make certain you didn’t overlook anything!

Updates to Windows 10 2022 and Windows 11 Moment 1

Windows 10 received its 22H2 update, with build number 19045, shortly after the Windows 11 2022 Update. The 2022 update for Windows 10 isn’t as feature-rich as the one for Windows 11, but it’s still a welcome addition. Windows 10, like Windows 11, received new Group Policy settings. However, the handful of Windows 10 settings pale in comparison to the over 70 new settings introduced with Windows 11 22H2. Updates to Windows 10 2022 and Windows 11 Moment 1

A vulnerability in Active Directory Domain Services has been addressed.

On Tuesday, October 11, 2022, Microsoft released domain join hardening changes to address the CVE-2022-38042 elevation of privilege vulnerability in Active Directory. These safeguards are designed to prevent domain join operations from reusing existing computer objects unless you created the object or it was created by a member of the Domain Admins security group. These checks are performed before any delegated permissions in Active Directory are checked. These new hardening changes may cause problems for some organisations, but they are created client-side and are easily circumvented if necessary.

 

When updating Windows 10 devices and remote desktop hosts, keep in mind that Microsoft used an out-of-band update to address OneDrive issues, so make sure to roll that one out, too.

Vulnerabilities in Active Directory Certificate Services have been addressed

Because certificates are also credentials, on Tuesday, October 11, 2022, Active Directory Certificate Services (AD CS) received a critical update to harden its configuration as part of the same October ‘B’ updates. An elevation of privilege vulnerability known as CVE-2022-37976, if successfully exploited, grants an adversary Domain Admin privileges. Exploiting this vulnerability, however, is difficult: a malicious DCOM client would need to trick a DCOM server into authenticating to it via AD CS, then use the credential to launch a cross-protocol attack. Another flaw, CVE-2022-37978, addresses a feature bypass flaw by utilizing an Adversary-in-the-Middle (AitM) attack.

It’s time to update those Certification Authorities once more. This also entails restarting the offline Root CA and applying updates to it. You haven’t forgotten about it or removed it from your virtualization platform, have you?

The good news about Active Directory Replication

Microsoft announced that the next month’s cumulative updates will improve Active Directory replication performance in large environments on Windows Server 2022-based Domain Controllers. These changes are already available as part of the October 2022 preview update for that Operating System. Because there is no Windows Server 2019 or even a Windows Server 2022 functional level in Active Directory, and thus no way to ensure that Domain Controllers are not running earlier Windows Server Operating Systems, I’m assuming that these enhancements will also be made to Windows Server 2016 and Windows Server 2019.

Defender for Identity makes AD FS more secure.

Defender for Identity’s detections of AD FS abuse has been basic since it began supporting Active Directory Federation Services (AD FS) in January 2021. This summer, an adversary was stealing credentials from public AD FS implementations. Microsoft introduced an AD FS-specific alert this month to notify administrators when this adversary’s specific attack pattern occurs. Organizations using AD FS are thus finally protected against Nobelium’s MagicWeb attack without the need for immediate implementation of the tiered administrative model.

Here comes Microsoft Entra!

During Microsoft Ignite, Microsoft unveiled some new Microsoft Entra features that effectively combine individual services into a single Entra family. Admins could already manage Azure AD, permissions, and Verified IDs through the Entra Admin portal, but with last month’s additions, this portal became a lot more interesting.

Lifecycle workflows

Microsoft introduced Lifecycle Workflows as a Public Preview in the Identity Governance space (known for the Entitlement Management, Access Reviews, and Privileged Identity Management features). Lifecycle workflows allow administrators to create custom workflows to automate onboarding and offboarding in order to manage the lifecycles of cloud users at scale and as-a-Service.

Workload Identities

Microsoft introduced new management features for app registrations (service principals) and managed identities to secure Workload Identities. Administrators will be able to apply Conditional Access policies, Access Reviews, and Identity Protection to these identities starting next month. These features will be introduced first in Preview.

Strength of Authentication

Existing Azure AD Premium customers were also rewarded at Microsoft Ignite. Microsoft released Authentication Strengths as a Public Preview as part of Conditional Access.

As viewing the menu for your organization’s cafeteria necessitates a different level of authentication assurance than signing in as a Global Administrator, the requirements for multi-factor authentication may differ as well. The organization may be fine with using text messages to view the menu, but all privileged and financially sensitive operations will require a FIDO 2 key. Authentication Strength comes with three built-in strengths, but admins can also create their own strengths in the Authentication Methods pane.

More Power to the Authenticator App!

The Authenticator App pioneered phishing-resistant multi-factor authentication, joining FIDO2 keys, Windows Hello for Business, and certificate-based authentication as one of the most dependable multi-factor authentication methods. Both the Number Matching and Additional Context features are now in General Availability. Beginning February 28, 2023, Microsoft intends to enable the Number Matching feature for all tenants with the adoption setting set to the default ‘Microsoft-managed’ option.

There are 3 months left for older Cloud Provisioning Agent installations.

Microsoft will stop supporting Azure AD Connect Cloud Provisioning Agent installations with versions 1.1.818.0 and lower on February 1, 2023. Although a seven-month update window may appear to be a relatively short support cycle, Azure AD Connect Cloud Provisioning Agent installations automatically update under normal circumstances.

Check that all agent installations are up to date before using Azure AD Connect Cloud Sync or provisioning accounts from Workday and/or SuccessFactors.

Concluding

Every networking environment relies on Active Directory. Whether your company uses Active Directory Certificate Services (AD CS) or Active Directory Federation Services (AD FS), last month’s updates added new levels of information security.

You may believe that these changes are insignificant in comparison to the new features introduced by Microsoft in Azure AD. However, all changes serve the purpose of increasing the security of Identity, as Identity is the new battleground.

Professional Labs is the Best Cloud Managed Services Provider Qatar, for more details contact
Contact Us | Professional labs (prolabsit.com)