19 Aug 2019 by Jason Jacobo
Release Announcement: A Look at Archive Shuttle 9.6
See what’s new in the latest Archive Shuttle updates.
Microsoft have recently released a new version of the Windows Azure Active Directory Sync tool, also known as DirSync.
The biggest change in this version is that it now has the ability to synchronise your on-premise Active Directory user passwords to your Azure/Office 365 cloud tenant.
Sending passwords across the internet always causes me to raise my eyebrows and it prompted me to look a little deeper into how this actually works.
The Microsoft TechNet article states the following:
When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services.
Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer’s on-premises environment.
To investigate these statements further we installed the new version of DirSync onto our test environment and sniffed some of the traffic with a proxy server to see what was happening when a user changed their password.
The first thing we found was that the connection to Microsoft was obviously encrypted over a HTTPS connection. Most things are encrypted this way these days, so this is a good thing!
PS C:\Users\burns_000\Desktop> get-msoluser | Select UserPrincipalName,ImmutableID
email@example.com <span style="background-color:#FFFF00;color:black;">SFh+npbKfU+xtYpaXZR77Q==</span>
The hash over the wire that is captured above is not MD4 hash of clear text password. It is a secure PBKDF2 key derived from SHA256 hash of the MD4 hash (derived from crypto API documented at http://msdn.microsoft.com/en-us/library/windows/desktop/dd433795(v=vs.85).aspx) per RFC 2898.
Talented security researches are getting much better at cracking these types of password hashes, so I wouldn’t say it is impossible for someone to get a plain text password based on this hash.
Yes, I’d say so. Even if a hacker was able to decrypt the HTTPS traffic (which is unlikely), they would still have to content with the hashed password itself.
There are much easier ways for a hacker to get a users password, such as using Social Engineering or Keyloggers.
Firstly, make sure that the server running DirSync is always completely patched with security updates and locked down to un-authorised access. The only reason I was able to decrypt the HTTPS traffic in the first place was because I had administrator access to the DirSync server in the first place.
Secondly, make sure that your Active Directory environment enforces complex user passwords. If an attacker somehow managed to get access to the password hashes it is much more difficult and time consuming to crack a long and complex password rather than a simple one.
Thirdly, if absolute security is a primary concern we recommend you implement Active Directory Federation Services with Two-Factor Authentication instead of DirSync with Password Synchronisation.
At the end of the day I believe that the convenience of having your users passwords synchronised between on-premise and cloud outweighs the small risk that your environment will be compromised through DirSync.
These other blog posts may be of interest to you: