Subject: Meeting the InCommon Assurance profile criteria using Active Directory
[AD-Assurance] RE: Action Item from 3/22 (AD password store replication)
- From: Ron Thielen <>
- To: "" <>
- Subject: [AD-Assurance] RE: Action Item from 3/22 (AD password store replication)
- Date: Thu, 28 Mar 2013 21:53:47 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
Thanks Lee. I believe that the Approved Algorithms are defined in http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf and http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
Below is my findings about password store replication
1. The domain controllers use Kerberos security to secure (authenticate and encrypt) the replication traffic between the domain controllers (IP-RPC). SMTP replication is optional and supported only for inter-site replication and restricted only to non-domain data (schema, configuration, and global catalog updates), it also requires a PKI infrastructure (CA) when used over inter-site links.
2. Password Changes and urgent notifications are done directly to the PDC emulator, then propagated to the other domain controllers using normal replication, if the PDC is not available, the normal replication schedule is used
3. When read only domain controllers are used, there is a password caching policy that need to defined to restrict (allow/deny) the list/groups of passwords that can be cached on the domain controller. ** Recommended configuration is no accounts cached
4. For AES 128 & 256 Kerberos protocol support. In order for the TGT to be issued using AES, the domain functional level has to be Windows 2008 or higher and the password needs to be changed after the domain functional level has been raised.
5. For inter-site replication across a firewall where Kerberos usage across the firewall is not preferred, IPSec can be used to encapsulate the connection. IPSec can also be used in conjunction with Kerberos to further secure the replication traffic.
I’ve been going through the documentation, but I’ve not been able to find a clear definition of what the approved encryption algorithms for the IAP should be. If the minimum requirement is using AES, then the recommendation would be to ensure that the functional domain level, is at least at 2008 Functional Level.
How Active Directory Replication model works - http://technet.microsoft.com/en-us/library/cc772726 (v=WS.10).aspx
Understanding Replication between sites - http://technet.microsoft.com/en-us/library/cc771251.aspx
Password Replication Policy - http://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
Understanding Active directory domain services (AD DS) Functional Levels - http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels (v=ws.10).aspx
Active Directory Replication Over firewalls - http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx#Enacpsulating
Let me know if you have any questions.
Administrative Computing and Telecommunications/Information Technology Infrastructure(ACT/ITI)
The notes from today's call are available at:
Ron will upload Bit Locker information to the wiki.
Michael to update the existing rows to reflect today's discussion.
Friday March 29 at Noon ET
Agenda: Ron's AM, updates to AIs and impacts on the matrix, next matrix criteria
- [AD-Assurance] RE: Action Item from 3/22 (AD password store replication), Amenya, Lee, 03/28/2013
- [AD-Assurance] RE: Action Item from 3/22 (AD password store replication), Ron Thielen, 03/28/2013
Archive powered by MHonArc 2.6.16.