
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] Questions for Microsoft?

  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] Questions for Microsoft?
  • Date: Thu, 21 Mar 2013 19:18:51 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

Is there a list of questions for Microsoft prepared yet?


Somewhere we should have a running list of the questions so that they can be reviewed to make sure we are asking everything needed.


There are some great links out there on the Microsoft TechNet that get close to answering some questions.  Hopefully our Microsoft guys can refer us to any documentation that is out there that we may have missed.


Anyone have more/better links than these?



Password Storage

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

How to use the SysKey utility to secure the Windows Security Accounts Manager database


How Interactive Logon Works


  • Passwords Technical Overview
  • Set the value for Store password using reversible encryption to Disabled.
  • Network access: Do not allow storage of passwords and credentials for network authentication





Kerberos Authentication for Microsoft Active Directory

  • Shows Security Subsystem Components Used in Digest Authentication --- do they honor the FIPS setting?
  • Kerberos Authenticator Prevents Packet Replay
  • The Kerberos Key Distribution Center (KDC) uses the domain’s Active Directory Domain Service database as its security account database. Active Directory is required for default NTLM and Kerberos implementations.
  • Network security: Configure encryption types allowed for Kerberos
  • NTLMv2 is a challenge-response authentication protocol
  • LAN Manager authentication level




An MVP - Directory Services explains Microsoft AD Passwords:  “The passwords are not stored in AD they are hashed and salted and then stored. When a user or device authenticates they transmit the hash that is also encrypted. When the DC receives the response for the password it decrypts it and then compares the transmitted hash to the stored hash.”



Enabling FIPS mode -




Alternative Means for using RC4-HMAC Encryption…?

Potential Alternative Means statement for RC4-HMAC, input/thoughts from Microsoft?

The RC4-HMAC is supported in Microsoft's Windows 2000 and later versions of Windows for backwards compatibility with Windows 2000.  As [RFC4757] stated, RC4-HMAC doesn't rely on the collision resistance property of MD4, but uses it to generate a key from a password, which is then used as input to HMAC-MD5. For an attacker to recover the password from RC4-HMAC, the attacker first needs to recover the key that is used with HMAC-MD5.  As noted in [RFC6151], key recovery attacks on HMAC-MD5 are not yet practical.


For RC4-HMAC encryption, the Kerberos Standard is defined in RFC4757 as follows:



"System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows



Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882
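The settings the message lists (LM hash storage, LAN Manager authentication level, cached network credentials, FIPS mode, Kerberos encryption types, reversible encryption) can all be read back from a host rather than answered from documentation. The script below is an added example for this archive page, not code from the message's author or from Microsoft. It assumes it is run elevated on a domain-joined Windows machine, that the ActiveDirectory module (RSAT or a domain controller) is available for the domain-level part, and that the "expected" values it compares against are this example's own hardening assumptions, not anything the message asserts.

```powershell
# Added example: audit the Windows/AD settings referenced in the message.
# Registry paths are the documented locations the corresponding GPO settings write to.
# "Expect" blocks encode this example's assumptions about a hardened configuration.
$checks = @(
    @{ Name   = 'NoLMHash (do not store LAN Manager hash)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value  = 'NoLMHash'
       Expect = { param($v) $v -eq 1 } },
    @{ Name   = 'LmCompatibilityLevel (5 = send NTLMv2 only, refuse LM and NTLM)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value  = 'LmCompatibilityLevel'
       Expect = { param($v) $v -eq 5 } },
    @{ Name   = 'DisableDomainCreds (no stored credentials for network authentication)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value  = 'DisableDomainCreds'
       Expect = { param($v) $v -eq 1 } },
    @{ Name   = 'FIPS algorithm policy ("System cryptography: Use FIPS compliant algorithms")'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
       Value  = 'Enabled'
       Expect = { param($v) $v -eq 1 } },
    @{ Name   = 'Kerberos SupportedEncryptionTypes (AES allowed, DES and RC4-HMAC not)'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
       Value  = 'SupportedEncryptionTypes'
       # Bitmask: 0x01 DES-CBC-CRC, 0x02 DES-CBC-MD5, 0x04 RC4-HMAC, 0x08 AES128, 0x10 AES256
       Expect = { param($v) (($v -band 0x07) -eq 0) -and (($v -band 0x18) -ne 0) } }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $checks) {
    $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Value
    if ($null -eq $actual) {
        # Unset means the policy is not configured and the OS default applies;
        # that is worth flagging, since defaults have historically allowed RC4.
        $status = 'NOTSET'
    } elseif (& $c.Expect $actual) {
        $status = 'OK'
    } else {
        $status = 'REVIEW'
    }
    '{0,-7} {1} = {2}' -f $status, $c.Name, $actual
}

# Domain-level checks; skipped quietly if the ActiveDirectory module is absent.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory

    # "Store password using reversible encryption" at the default domain policy level.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $status = if ($policy.ReversibleEncryptionEnabled) { 'REVIEW' } else { 'OK' }
    '{0,-7} Default domain policy ReversibleEncryptionEnabled = {1}' -f $status, $policy.ReversibleEncryptionEnabled

    # Individual accounts can override the policy; list them.
    $revUsers = @(Get-ADUser -Filter 'AllowReversiblePasswordEncryption -eq $true' `
                             -Properties AllowReversiblePasswordEncryption)
    'Users with reversible encryption enabled: {0}' -f $revUsers.Count
    $revUsers | ForEach-Object { '  REVIEW {0}' -f $_.SamAccountName }

    # Accounts whose msDS-SupportedEncryptionTypes explicitly still permits RC4-HMAC (bit 0x04).
    # Objects without the attribute fall back to the KDC default and are not listed here.
    $withEtypes = Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes=*)' `
                               -Properties msDS-SupportedEncryptionTypes
    $rc4 = @($withEtypes | Where-Object { ($_.'msDS-SupportedEncryptionTypes' -band 0x04) -ne 0 })
    'Accounts explicitly allowing RC4-HMAC: {0}' -f $rc4.Count
    $rc4 | ForEach-Object { '  REVIEW {0}' -f $_.DistinguishedName }
}
```

Run it on a domain controller to answer both halves of the message's question at once: the LSA registry values cover the host-side "how are passwords stored and which authentication levels are accepted", and the AD queries cover the directory-side "which accounts still have reversible encryption or RC4-HMAC turned on". A NOTSET result for SupportedEncryptionTypes is the case to look at first when an Alternative Means statement for RC4-HMAC is being considered, because it means the default etype list, not an explicit policy, decides whether RC4 is offered.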

