In 2021, Microsoft addressed a security bypass vulnerability, Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2021-42291). This bypass allows certain users to set arbitrary values on security-sensitive attributes of specific objects stored in Active Directory (AD). To exploit this vulnerability, a user must have sufficient privileges to create a computer account, such as a user granted CreateChild permissions for computer objects. That user could create a computer account using a Lightweight Directory Access Protocol (LDAP) Add call that allows overly permissive access to the securityDescriptor attribute. Additionally, creators and owners can modify security-sensitive attributes after creating an account.
Enforcement of new security requirements will be enabled by default in an upcoming update no sooner than April 11, 2023. Action may be required in order to prevent outages and system interruptions. For more information, see KB5008383: Active Directory permissions updates (CVE-2021-42291).
When will this happen?
These Windows updates will be released in two phases:
- Initial deployment: Introduction of the update, which runs in Audit mode by default; Enforcement or Disable mode can be selected using the dSHeuristics attribute.
- Final deployment: Enforcement-By-Default.
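The following PowerShell script is an added example and is not part of this Message Center post or of Microsoft's KB5008383. It reads the forest-wide dSHeuristics attribute that the update uses for mode selection and reports which mode (Audit, Enforcement or Disable) is currently configured for CVE-2021-42291. The character position (parameter -Position, default 28) and the meaning of the values 0, 1 and 2 are assumptions taken from KB5008383 as understood at the time of writing; confirm both against the KB before acting on the output. The script is read-only and requires the ActiveDirectory module (RSAT) and an account that can read the Configuration partition.

```powershell
# Added example, not Microsoft's code: report the CVE-2021-42291 mode held in dSHeuristics.
# ASSUMPTIONS (verify against KB5008383): the controlling character is the 28th,
# and '0'/unset = Audit, '1' = Enforcement, '2' = Disabled.
[CmdletBinding()]
param(
    [int]$Position = 28
)

Import-Module ActiveDirectory -ErrorAction Stop

# dSHeuristics lives on the Directory Service object in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$dsObject = Get-ADObject -Identity $dsPath -Properties dSHeuristics
$heuristics = [string]$dsObject.dSHeuristics

if ([string]::IsNullOrEmpty($heuristics)) {
    Write-Output "dSHeuristics is not set: the update's default mode applies (Audit in the initial deployment)."
    return
}

# dSHeuristics is a positional string. Every 10th character is a marker that must equal
# its tens digit (10th = '1', 20th = '2', 30th = '3'); warn if a marker is malformed so
# that a mistyped value is noticed before anyone trusts the reported mode.
for ($i = 10; $i -le $heuristics.Length; $i += 10) {
    $expected = [string]($i / 10)
    $actual   = [string]$heuristics[$i - 1]
    if ($actual -ne $expected) {
        Write-Warning "dSHeuristics marker at position $i is '$actual', expected '$expected'; the value may be malformed."
    }
}

# Characters beyond the end of the string are treated as unset, i.e. '0'.
if ($heuristics.Length -lt $Position) {
    Write-Output "dSHeuristics = '$heuristics' (length $($heuristics.Length)); position $Position is unset and reads as '0' => Audit mode."
    return
}

$flag = [string]$heuristics[$Position - 1]
$meaning = switch ($flag) {
    '0'     { 'Audit mode (violations are logged, not blocked)' }
    '1'     { 'Enforcement mode' }
    '2'     { 'Disabled' }
    default { "Unrecognised value '$flag'; check KB5008383" }
}
Write-Output "dSHeuristics = '$heuristics'; position $Position = '$flag' => $meaning"
```

Run it on a domain-joined administration host before the Enforcement-By-Default phase lands so you know whether an explicit Disable or Enforcement setting is already in place; because dSHeuristics is a single forest-wide string, changing one position must preserve every other character and the marker digits the script checks.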
Message ID: MC408406
Published: 04 August 2022
Updated: 04 August 2022
Action required by: 04 November 2022
Platform: World tenant, Online