MBS Debug
Mac Business Solutions

Advisory: macOS devices bound to Active Directory and CVE-2021-42287

Written by  Sean Rabbitt Friday, 11 February 2022 14:21 - (844)

Vulnerability details:

In the Fall of 2021, Microsoft identified a security issue present in Active Directory Domain Services (ADDS) known as CVE-2021-42287. This vulnerability may allow potential attackers to impersonate domain controllers. The issue is a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate, or PAC.

While Microsoft provided additional details regarding the issue, as well as, remediation guidance on their support website, administrators immediately discovered a subsequent issue stemming from taking corrective action: remediated servers no longer allowed macOS to bind itself to Active Directory.

Immediate steps to take:

Evaluate your environment: If your organization does not require its macOS fleet to bind to Active Directory domain controllers, no further action is necessary. However, many organizations with shared devices utilize binding to AD for centralized user account management.
Take steps to secure Active Directory: In the remediation steps above from Microsoft, set the registry key for PacRequestorEnforcement to “1” and test that macOS devices are able to communicate to the domain controller.

File feedback with Apple: If your workflow demands that devices be bound to AD, file feedback with Apple, clearly identifying how many devices are affected, use case and impact to your organization.

Plan for the future: Microsoft will begin enforcing domain controller validation on July 12, 2022. During this time, domain controllers will enter the Enforcement phase, which may cause macOS devices relying on ADDS to authenticate to be inaccessible, depending on your organization’s infrastructure. Organizations are advised to find alternative solutions for continuing business operations.

A future without binding:

Regardless of the actions that may be taken by Microsoft, changes in the way binding is implemented can make workflows harder to support. At the same time, the adoption of remote and hybrid work environments is clear, with many organizations are moving towards cloud-based device management, applications and services, access and identity services. Moving organizations; resources and infrastructure toward the cloud makes the functionality offered by binding to a domain increasingly less necessary.

Jamf Connect lets Apple computers running macOS provision user accounts with cloud identity credentials, secure account access with centralized administrative rights and keeps credentials in sync — on or offsite — without a bind to AD.

When working remotely, users can log in to their Mac with their institutional credentials — the same familiar username and password they would use on-premises. IT administrators decide who gets local account administrator rights with the power of the identity provider’s (IdP) cloud-based directory service. And help desks get fewer calls regarding forgotten passwords due to Single Sign-On (SSO) requiring users to remember just one password for all managed devices and services.

If working at the office, Jamf Connect uses the same credentials to obtain Kerberos certificates without a bind to Active Directory. The Kerberos tickets then allow seamless, secure access to shared resources onsite.

Limitations:

Managed Users or MDM-Enabled Users

Removing binding requires planning. Administrators should consider that all users who authenticate to a Mac with an AD account have access to user channel configuration profiles. In the absence of binding, only the first local account created during automated device enrollment or the user who enrolled the device in MDM in a user-initiated enrollment process will be able to take advantage of user-level configuration profiles.

To identify which profiles are scoped to the User Level, look in your MDM server for a complete listing of the Configuration Profiles applied to your organization’s fleet.

Evaluate how these configuration profiles are used on your fleet. If a device is issued 1:1, there should be little concern if a profile is applied to the computer level. To put it into perspective, if you’re the only person with keys to your car, does it really make a difference if your driver’s license is kept in your car or your wallet? Not really, so long as you meet the criteria of having one.

Some Cisco network security products track individual users on the network with user-level certificate-based access. Administrators should evaluate the need for this level of tracking or consider moving to modern cloud-based network security products, like Jamf Private Access.

802.1x RADIUS Networks

With Jamf Connect, the login screen requires network connectivity to authenticate against the cloud-based IdP. User-based 802.1x RADIUS access — either with a username and password or a certificate, are not possible in this scenario.

The login screen is owned by the root user. For security, root has no storage, no macOS Keychain to store credentials or certificates securely, and thus cannot use user-level credentials.

A managed device should use a managed certificate for access to managed networks. In this scenario, admins should configure computer-level applied configuration profiles with machine-based SCEP certificate access to RADIUS networks. This permits an added layer of security, assuring a device can always be accessible by administrators and MDM commands, even if no user is currently logged in.

Source: jamf.com. Learn more about Jamf

Photo 26138160 © James Group Studios, Inc. | Dreamstime.com