ad-assurance - [AD-Assurance] Questions for Microsoft?
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- Subject: [AD-Assurance] Questions for Microsoft?
- Date: Thu, 21 Mar 2013 19:18:51 +0000
Is there a list of questions for Microsoft prepared yet? Somewhere we should have a running list of the questions so that they can be reviewed to make sure we are asking everything needed.

There are some great links out there on the Microsoft TechNet that get close to answering some questions. Hopefully our Microsoft guys can refer us to any documentation that is out there that we may have missed.

Anyone have more/better links than these?

-Jeff

Password Storage

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

How to use the SysKey utility to secure the Windows Security Accounts Manager database

How Interactive Logon Works
http://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx

- Passwords Technical Overview
  http://technet.microsoft.com/en-us/library/hh994558(v=ws.10).aspx
- Set the value for Store password using reversible encryption to Disabled.
  - http://technet.microsoft.com/en-us/library/hh994559(v=ws.10).aspx
- Network access: Do not allow storage of passwords and credentials for network authentication
  - http://technet.microsoft.com/en-us/library/jj852185(v=ws.10).aspx

Kerberos Authentication for Microsoft Active Directory
http://technet.microsoft.com/en-us/library/cc780469(v=ws.10).aspx

- Shows Security Subsystem Components Used in Digest Authentication --- do they honor the FIPS setting?
- Kerberos Authenticator Prevents Packet Replay
- The Kerberos Key Distribution Center (KDC) uses the domain’s Active Directory Domain Service database as its security account database. Active Directory is required for default NTLM and Kerberos implementations.
- Network security: Configure encryption types allowed for Kerberos
  - http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
- NTLMv2 is a challenge-response authentication protocol
  - http://en.wikipedia.org/wiki/NTLM
- LAN Manager authentication level
  - http://technet.microsoft.com/en-us/library/jj852207(v=ws.10).aspx

An MVP - Directory Services explains Microsoft AD Passwords:

“The passwords are not stored in AD they are hashed and salted and then stored. When a user or device authenticates they transmit the hash that is also encrypted. When the DC receives the response for the password it decrypts it and then compares the transmitted hash to the stored hash.”

Enabling FIPS mode - http://support.microsoft.com/kb/811833

Alternative Means for using RC4-HMAC Encryption…?

Potential Alternative Means statement for RC4-HMAC, input/thoughts from Microsoft?
http://www.ietf.org/rfc/rfc6150.txt

For RC4-HMAC encryption, the Kerberos Standard is defined in RFC4757 as follows:
http://tools.ietf.org/html/rfc4757

"System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows
http://support.microsoft.com/kb/811833

Jeff Capehart, CISA |
- [AD-Assurance] Questions for Microsoft?, Capehart,Jeffrey D, 03/21/2013
- [AD-Assurance] RE: Questions for Microsoft?, Michael W. Brogan, 03/21/2013
- [AD-Assurance] RE: Questions for Microsoft?, Brian Arkills, 03/24/2013
- [AD-Assurance] RE: Questions for Microsoft?, Brian Arkills, 03/25/2013
- [AD-Assurance] RE: Questions for Microsoft?/Matrix updates, Eric Goodman, 03/27/2013
- [AD-Assurance] RE: Questions for Microsoft?/Matrix updates, Capehart,Jeffrey D, 03/27/2013
- Re: [AD-Assurance] RE: Questions for Microsoft?/Matrix updates, David Walker, 03/27/2013
- RE: [AD-Assurance] RE: Questions for Microsoft?/Matrix updates, Ron Thielen, 03/29/2013
- RE: [AD-Assurance] RE: Questions for Microsoft?/Matrix updates, Brian Arkills, 03/29/2013
- RE: [AD-Assurance] RE: Questions for Microsoft?/Matrix updates, Ron Thielen, 03/29/2013