Microsoft released security advisor providing information account used in AAD Connect, excellent explanation from links below:
https://docs.microsoft.com/en-gb/security-updates/securityadvisories/2017/4056318
There are following suggested actions in security advisor:
Following on-premises AD Best Practices
- The use of Account Operators group should be avoided, since members of the group by default have Reset-Password permissions to objects under the User container.
- Move the AD DS account used by Azure AD Connect and other privileged accounts into an OU (Organization Unit) that is only accessible by trusted or highly-privileged administrators.
- When delegating Reset-Password permission to specific users, scope their access to only user objects for which they are supposed to manage. For example, you want to let your helpdesk administrator manage password reset for users in a branch office. Consider grouping the users in the branch office under a specific OU and grant the helpdesk administrator with Reset-Password permission to that OU instead of the User container.
Lock down access to the AD DS account by implementing the following permission changes in the on-premises AD:
- Disable Access Control List inheritance on the object.
- Remove all default permissions on object except for SELF.
- Implement these permissions:
When implementing ACL changes to ADDS (tool found from here) I always write down ACL’s before and after the change. There are plenty of tools for that but I use mostly ADACLScan
Before the change
Configuring permissions – Instructions from Technet gallery
Usage:
Set-ADSyncRestrictedPermissions -ObjectDN <$ObjectDN> -Credential <$Credential>
Where:
$ObjectDN = The Active Directory account whose permissions need to be tightened.
$Credential = Administrator credential that has the necessary privileges to restrict Active Directory permissions on the $ObjectDN account. This is typically the Enterprise or Domain Administrator.
Example:
Import-Module .\AdSyncConfig.psm1
$credential = Get-Credential
NOTE: Please use the fully qualified domain name of the administrator account to avoid account lookup failures.
Example: contoso.com\admin.
Set-ADSyncRestrictedPermissions -ObjectDN “CN=TestAccount1,CN=Users,DC=Contoso,DC=com” -Credential $credential
I wasn’t able to modify permissions at first time and received error “you cannot call method a null value expression”, use Netbios\account combination when tool is prompting for credentials
After credentials was passed correctly changes were implemented as expected
New ACL for the service account in my environment after the change
To verify everything worked as expected start service and at least delta sync from AAD Connect.
Microsoft announced that this fix is included in AAD Connect build 1.1.654.0 and later. If you are upgrading from older version to newer one this fix will not be automatically implemented and you should manually deploy necessary changed. If you are already using dedicated service account than most of my customers then ACL changes is something you need to consider.
Sam's Corner 