
ad-assurance - [AD-Assurance] RE: Questions for Microsoft?

Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] RE: Questions for Microsoft?


  • From: "Michael W. Brogan" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Questions for Microsoft?
  • Date: Thu, 21 Mar 2013 20:10:10 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none

My thought is that our efforts to complete the third and fourth columns of the table at https://spaces.internet2.edu/x/BA8wAg would expose some knowledge gaps we would turn into questions for Microsoft. In addition there might be a set of statements for which we need verification.

 

Perhaps we could use footnotes within the table to link to a set of question tallied below the table?

 

I may not have the knowledge or time to complete columns 3 and 4, so I encourage others to contribute where they can.

 

--Michael

 

From: [mailto:] On Behalf Of Capehart,Jeffrey D
Sent: Thursday, March 21, 2013 12:19 PM
To:
Subject: [AD-Assurance] Questions for Microsoft?

 

Is there a list of questions for Microsoft prepared yet?

 

Somewhere we should have a running list of the questions so that they can be reviewed to make sure we are asking everything needed.

 

There are some great links out there on the Microsoft TechNet that get close to answering some questions.  Hopefully our Microsoft guys can refer us to any documentation that is out there that we may have missed.

 

Anyone have more/better links than these?

-Jeff

 

Password Storage

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
http://support.microsoft.com/kb/299656

How to use the SysKey utility to secure the Windows Security Accounts Manager database
http://support.microsoft.com/kb/310105/en-us

 

How Interactive Logon Works

http://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx

 

  • Passwords Technical Overview: http://technet.microsoft.com/en-us/library/hh994558(v=ws.10).aspx
  • Set the value for "Store password using reversible encryption" to Disabled.
    ◦ http://technet.microsoft.com/en-us/library/hh994559(v=ws.10).aspx
  • Network access: Do not allow storage of passwords and credentials for network authentication
    ◦ http://technet.microsoft.com/en-us/library/jj852185(v=ws.10).aspx

 

 

 

Kerberos Authentication for Microsoft Active Directory

http://technet.microsoft.com/en-us/library/cc780469(v=ws.10).aspx

  • Shows Security Subsystem Components Used in Digest Authentication -- do they honor the FIPS setting?
  • Kerberos Authenticator Prevents Packet Replay
  • The Kerberos Key Distribution Center (KDC) uses the domain's Active Directory Domain Service database as its security account database. Active Directory is required for default NTLM and Kerberos implementations.
  • Network security: Configure encryption types allowed for Kerberos
    ◦ http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
  • NTLMv2 is a challenge-response authentication protocol
    ◦ http://en.wikipedia.org/wiki/NTLM
  • LAN Manager authentication level
    ◦ http://technet.microsoft.com/en-us/library/jj852207(v=ws.10).aspx

 

 

An MVP - Directory Services explains Microsoft AD Passwords:  “The passwords are not stored in AD they are hashed and salted and then stored. When a user or device authenticates they transmit the hash that is also encrypted. When the DC receives the response for the password it decrypts it and then compares the transmitted hash to the stored hash.”

 

 

Enabling FIPS mode - http://support.microsoft.com/kb/811833

 

 

 

Alternative Means for using RC4-HMAC Encryption…?

Potential Alternative Means statement for RC4-HMAC, input/thoughts from Microsoft?

 

http://www.ietf.org/rfc/rfc6150.txt

The RC4-HMAC is supported in Microsoft's Windows 2000 and later versions of Windows for backwards compatibility with Windows 2000.  As [RFC4757] stated, RC4-HMAC doesn't rely on the collision resistance property of MD4, but uses it to generate a key from a password, which is then used as input to HMAC-MD5. For an attacker to recover the password from RC4-HMAC, the attacker first needs to recover the key that is used with HMAC-MD5.  As noted in [RFC6151], key recovery attacks on HMAC-MD5 are not yet practical.

 

For RC4-HMAC encryption, the Kerberos Standard is defined in RFC4757 as follows:

http://tools.ietf.org/html/rfc4757

 

 

"System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows

http://support.microsoft.com/kb/811833

 

 

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu
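Editor's note, added for readers working the "Alternative Means for RC4-HMAC" question in the thread above. The RFC 6150 excerpt quoted by Jeff describes the two steps of RFC 4757: a key is derived from the password with MD4, and that key is then used with HMAC-MD5. The example below works both steps in pure Python so the assurance-relevant property is visible: the RFC 4757 string-to-key is MD4 over the UTF-16LE password with no salt and no iteration count, so every principal with the same password holds the same key, and that key is a password-equivalent secret. This is an added example, not code from the list, from Microsoft, or from the RFC authors; MD4 is implemented inline (RFC 1320) because many OpenSSL 3 builds of Python omit it from hashlib, and the password list and message-type value in the demonstration are constructed for illustration.

```python
"""RC4-HMAC (RFC 4757) string-to-key and checksum, worked in pure Python.
Added example for the AD-Assurance thread; not vendor or list code."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


# MD4 (RFC 1320) round table: boolean function, additive constant, the four
# rotation amounts used in turn, and the order in which message words are consumed.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 digest of `data`, implemented here because hashlib may lack it."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)           # length in bits, little-endian
    for off in range(0, len(padded), 64):
        words = struct.unpack("<16I", padded[off:off + 64])
        r = list(state)
        for fn, const, shifts, order in _ROUNDS:
            for i in range(16):
                idx = (-i) % 4                     # registers updated as a, d, c, b, ...
                x, y, z = r[(idx + 1) % 4], r[(idx + 2) % 4], r[(idx + 3) % 4]
                r[idx] = _rotl((r[idx] + fn(x, y, z) + words[order[i]] + const) & MASK,
                               shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 section 2: K = MD4(UTF-16LE(password)).
    No salt and no iteration, so the key is password-equivalent and identical
    for every principal that shares the password."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_checksum(key: bytes, msg_type: int, data: bytes) -> bytes:
    """RFC 4757 section 4: Ksign = HMAC-MD5(K, "signaturekey" || 0x00);
    checksum = HMAC-MD5(Ksign, MD5(T || data)), T = 4-byte little-endian message type."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", msg_type) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def distinct_keys(passwords):
    """Number of distinct RC4-HMAC keys derived from a list of passwords.
    With a salted string-to-key this would equal len(passwords); with RFC 4757
    it equals the number of distinct passwords."""
    return len({rc4_hmac_string_to_key(p) for p in passwords})


if __name__ == "__main__":
    # Constructed sample: three accounts, two of them sharing a password.
    sample = ["Winter2013", "Winter2013", "Spring2013"]
    print("distinct keys for 3 accounts:", distinct_keys(sample))
    k = rc4_hmac_string_to_key("Winter2013")
    # msg_type 8 is a constructed illustration value, not a claim about any KRB message.
    print("checksum:", rc4_hmac_checksum(k, 8, b"constructed authenticator bytes").hex())
```

The test vectors a reader can check by hand are the published ones: MD4 of the empty string is 31d6cfe0d16ae931b73c59d7e0c089c0 (which is also the RC4-HMAC key for an empty password, since the empty string encodes to zero bytes), and MD4 of "abc" is a448017aaf21d8525fc10ae87aa6729d. For the assurance discussion the point is the string-to-key step, not HMAC-MD5: whatever one concludes about key-recovery attacks on HMAC-MD5 (the RFC 6151 observation Jeff quotes), the RC4-HMAC key itself is an unsalted, uniterated hash of the password, so protection of the stored key is exactly as important as protection of the password.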

 



