[Feature Request] check for excessive permissions assigned in AD to Exchange groups using HealthChecker

[boogieshafer]

Is your request related to a problem? Please describe.
A clear and concise description of what the problem is and the results it had on the environment.

Exchange is an application that has historically been granted an excessive amount of permissions at the Active Directory level

The split permissions models can reduce some of these, but its probably worth having some checks built into HealthChecker that scan for excessive permissions assigned to the Exchange related groups (perhaps these were added manually) or still existing even after a switch to a split permissions model

Describe The Request
A clear and concise description of the feature to add to a current tool or a new tool with what we all want to be checking with examples.

the goal of these checks would be to make the risks of these low level permissions visible to Exchange and domain admins in order to better isolate a compromise in Exchange to just that application and not have it immediately become a domain wide compromise to the entire directory

Additional context
Add any other context or screenshots about the feature request here.

article below has references to several resources on the topic
reference: https://www.hub.trimarcsecurity.com/post/mitigating-exchange-permission-paths-to-domain-admins-in-active-directory

[dpaulson45]

@boogieshafer I am pretty sure this issue that was called out in the above article is actual this CVE that we included part of May 2022. https://techcommunity.microsoft.com/blog/exchange/released-may-2022-exchange-server-security-updates/3301831

If that is true, what else is needed?

[boogieshafer]

1. reporting the permissions model currently in use in the healthchecker script
2. specific checks for the specific items mentioned in the trimarc article

e.g.

Trimarc has discovered Exchange having elevated permissions in AD in many customer environments while performing Active Directory Security Assessments (ADSAs). Some of the Exchange permissions discovered during Trimarc ADSAs:

   · Organization Management has Full Control ("GenericAll") rights at the domain root. 

   · Exchange Trusted Subsystem has Full Control ("GenericAll") rights at the domain root. 

   · Exchange Recipient Administrators has Full Control ("GenericAll") rights at the domain 
     root. 

   · Exchange Windows Permissions has Modify Permissions ("WriteDACL") rights at the 
    domain root.

[dpaulson45]

@lusassl-msft can you review this?

[lusassl-msft]

Ack will review this.

[boogieshafer]

another item ive seen is
"Exchange Servers" group having write access to msDS-KeyCredentialLink attribute on tier0 accounts

--> it seems like this gets set during the PrepareAD or PrepareDomains process on the account that runs that step

i'm not at all clear why that permission would be necessary