Controls/EDCA-IAC-028.json
{
  "id": "EDCA-IAC-028",
  "title": "Domain object DACL WriteDACL ACEs carry the Inherit-Only flag",
  "description": "During Exchange installation, Setup grants the Exchange Windows Permissions (EWP) security group WriteDACL rights on the Active Directory domain root object so that Exchange can modify permissions on user and inetOrgPerson objects; if not scoped with the Inherit-Only flag, this right also applies to the domain object itself. The two Access Control Entries (ACEs) granted to the Exchange Windows Permissions (EWP) group on the Active Directory domain root object MUST either carry the Inherit-Only (IO) propagation flag or be absent from the DACL entirely. When an ACE is present without the Inherit-Only flag, the WriteDACL right applies to the domain object itself rather than only to descendant user and inetOrgPerson objects. Any principal in the EWP group can exploit this to write Ds-Replication-Get-Changes-All extended rights onto the domain object and perform a DCSync attack, yielding all domain password hashes and Kerberos keys. On Exchange 2016 and later, the corresponding Allow ACE that grants EWP WriteDACL on the AdminSDHolder object for the Group inherited object type MUST also be removed. The fix requires running Setup /PrepareAD followed by Setup /PrepareDomain in every domain of the forest after installing the qualifying cumulative update.\nNote: the Exchange WriteDACL ACEs carry ObjectType = all-zeros and the target class GUID (User or inetOrgPerson) in the InheritedObjectType field.",
  "verify": true,
  "subject": "Organization",
  "category": "Identity and Access Control",
  "severity": "High",
  "severityWeight": 10,
  "frameworks": [
    "Best Practice",
    "ANSSI"
  ],
  "references": [
    {
      "name": "Microsoft KB - Reducing permissions required to run Exchange Server (Shared Permissions Model)",
      "url": "https://support.microsoft.com/en-us/topic/reducing-permissions-required-to-run-exchange-server-when-you-use-the-shared-permissions-model-e1972d47-d714-fd76-1fd5-7cdcb85408ed"
    },
    {
      "name": "ANSSI - Recommandations pour l'administration sécurisée des SI reposant sur AD (2023)",
      "url": "https://messervices.cyber.gouv.fr/guides/recommandations-pour-ladministration-securisee-des-si-reposant-sur-ad"
    }
  ],
  "remediation": {
    "automatable": false,
    "description": "Install the minimum qualifying cumulative update for your Exchange version (Exchange 2016 CU12 / Exchange 2019 CU1 or later, or any Exchange SE build), then run Setup /PrepareAD as a member of Enterprise Admins. Run Setup /PrepareDomain in every domain of the forest as a member of Domain Admins for each domain.\nThe /PrepareAD operation automatically runs /PrepareDomain for the domain in which it is executed, but not for other domains in the forest.",
    "scriptTemplate": "# Diagnose domain object DACL WriteDACL ACE state\n# Run from any domain-joined machine; requires read access to AD (no elevated rights needed for diagnosis)\nparam(\n    [string]$Domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name)\n)\n\n# The Exchange WriteDACL ACEs use ObjectType = all-zeros (applies to all object types)\n# and carry the target class GUID in InheritedObjectType.\n$userClassGuid          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # User\n$inetOrgPersonClassGuid = [Guid]'4828cc14-1437-45bc-9b07-ad6f015e5f28' # inetOrgPerson\n$groupClassGuid         = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2' # Group (AdminSDHolder, Exchange 2016+)\n$writeDaclRight = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl\n$allowType      = [System.Security.AccessControl.AccessControlType]::Allow\n\ntry {\n    $domainDN    = ('DC=' + ($Domain -replace '\\.', ',DC='))\n    $domainEntry = [System.DirectoryServices.DirectoryEntry]\"LDAP://$domainDN\"\n    $domainAcl   = $domainEntry.get_objectSecurity()\n    # Resolve the EWP group to its SID so the comparison is independent of display name localisation\n    $ewpSid = (New-Object System.Security.Principal.NTAccount 'Exchange Windows Permissions').Translate([System.Security.Principal.SecurityIdentifier]).Value\n    $rules  = @($domainAcl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))\n\n    # Domain root object: one ACE per target class (User, inetOrgPerson)\n    foreach ($guid in @($userClassGuid, $inetOrgPersonClassGuid)) {\n        $ace = $rules | Where-Object {\n            $_.IdentityReference.Value -eq $ewpSid -and\n            $_.ActiveDirectoryRights -band $writeDaclRight -and\n            $_.ObjectType -eq [Guid]::Empty -and\n            $_.InheritedObjectType -eq $guid\n        } | Select-Object -First 1\n        if ($null -eq $ace) {\n            Write-Host \"COMPLIANT: InheritedObjectType $guid — ACE absent (Exchange Windows Permissions holds no WriteDACL on the domain object for this class).\"\n        } elseif ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) {\n            Write-Host \"COMPLIANT: InheritedObjectType $guid — ACE present, Inherit-Only flag is SET.\"\n        } else {\n            Write-Warning \"NON-COMPLIANT: InheritedObjectType $guid — ACE present, Inherit-Only flag is MISSING. WriteDACL applies to the domain object itself.\"\n        }\n    }\n\n    # AdminSDHolder: on Exchange 2016 and later the EWP Allow WriteDACL ACE for the Group inherited object type must be absent\n    $sdHolderEntry = [System.DirectoryServices.DirectoryEntry]\"LDAP://CN=AdminSDHolder,CN=System,$domainDN\"\n    $sdHolderRules = @($sdHolderEntry.get_objectSecurity().GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))\n    $groupAce = $sdHolderRules | Where-Object {\n        $_.IdentityReference.Value -eq $ewpSid -and\n        $_.AccessControlType -eq $allowType -and\n        $_.ActiveDirectoryRights -band $writeDaclRight -and\n        $_.InheritedObjectType -eq $groupClassGuid\n    } | Select-Object -First 1\n    if ($null -eq $groupAce) {\n        Write-Host \"COMPLIANT: AdminSDHolder carries no Exchange Windows Permissions WriteDACL ACE for the Group inherited object type.\"\n    } else {\n        Write-Warning \"NON-COMPLIANT (Exchange 2016 and later): AdminSDHolder carries an Exchange Windows Permissions Allow WriteDACL ACE for the Group inherited object type.\"\n    }\n} catch {\n    Write-Error \"Failed to read domain object DACL: $($_.Exception.Message)\"\n    Write-Host \"Ensure LDAP access to the domain and that the 'Exchange Windows Permissions' group exists.\"\n}\n\n# Remediation: install qualifying CU, then from the Exchange setup directory:\n#   .\\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms_DiagnosticDataON\n# In each additional domain in the forest:\n#   .\\Setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms_DiagnosticDataON"
  },
  "considerations": "This control applies only when Exchange runs in the Shared Permissions model (the default). When AD Split Permissions is enabled, Exchange does not hold WriteDACL rights on the domain object and the control is not applicable. The fix requires Setup /PrepareAD plus Setup /PrepareDomain in every domain of the forest; /PrepareDomain does not run automatically for domains other than the one in which /PrepareAD is executed. The control is satisfied when the ACEs are absent from the domain object DACL as well as when they carry the Inherit-Only flag; both states mean Exchange Windows Permissions holds no effective WriteDACL right on the domain object itself. Exchange SE builds always meet the minimum build requirement; however, compliance still requires that Setup /PrepareAD has been run, which is done automatically during initial Exchange setup. The control reports Warning rather than Fail when no installed Exchange build meets the minimum required version (Exchange 2016 CU12 or Exchange 2019 CU1), indicating that the qualifying cumulative update must be installed before /PrepareAD can apply the fix.",
  "roles": [
    "Mailbox"
  ]
}