Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Michael W. Brogan" <>
- To: "" <>
- Subject: [AD-Assurance] RE: Notes from March 29
- Date: Fri, 29 Mar 2013 21:42:30 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport03.merit.edu; dkim=neutral (message not signed) header.i=none
I took care of my first action item. The second action item referenced 18.104.22.168. 1b, but it seems like the issue of Kerberos and SSL/TLS cipher suite configuration comes up in several places in the matrix. For now I’ve recorded what I found in the email.
Whether Kerberos or SSL/TLS can provide a Protected Channel (i.e. the channel uses Approved Algorithms to thwart an identified set of threats) depends on the cipher suites that are configured for each.
Microsoft Kerberos has supported five cipher suites. The two weakest suites are disabled by default in Win2K8. Only Win2K8 and newer support AES encryption and only Win2K8 R2 supports AES-256. Only two cipher suites rely only on Approved Algorithms:
RC4-HMAC is enabled by default in Win2K8 and newer but does not rely on Approved Algorithms.
Windows Configurations for Kerberos Supported Encryption Type
Changes in Kerberos Authentication
Hunting down DES in order to securely deploy Kerberos
SSL/TLS is used to provide secure communication channels for services (e.g. HTTP, SMTP, LDAP). Protocol support comes from schannel.dll and it supports many cipher suites. The default enabled list includes many suites that rely on Approved Algorithms, but there are several suites that are not compliant, including one that is third in the list of preferences for negotiation.
Schannel Cipher Suites in Windows Vista (applied to Win2K8 as well)
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (NT4 SP6 era, couldn’t find same info for Win2K8, may not be valid)
The Notes from today's call are available at:
https://spaces.internet2.edu/display/InCAssurance/March+29%2C+2013
Let me know if you have comments or corrections.
David - Develop AM to abstract Ron's approach of using audit process lieu of technology controls.
I have also started a page for MS Questions that's linked off the AD-Assurance home wiki page.
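An added audit helper, written for this archive page and not code from the thread or from Microsoft, that applies the message's distinction between Approved and non-Approved algorithms to the two places it comes up: the Kerberos encryption types an AD account advertises (decoding the msDS-SupportedEncryptionTypes bit flags for the five etypes Microsoft Kerberos supports, as documented in the "Windows Configurations for Kerberos Supported Encryption Type" article the message cites) and a Schannel cipher suite priority list (flagging suites whose names contain RC4, RC2, single DES, MD5, NULL encryption, export-grade or anonymous variants, and reporting how high each sits in the negotiation order). The account values and the suite list below are constructed samples, not a directory export or the Vista default list; an unset attribute (0) is reported as not verifiably Approved-only because the KDC default then applies; and 3DES is tokenised as "3DES", not "DES", so it is not flagged (adjust if your profile disallows it).

```python
"""Added audit helper (not from the thread): does an AD account's Kerberos etype
set, or a Schannel TLS cipher suite, rely only on Approved Algorithms?"""

# msDS-SupportedEncryptionTypes bit flags for the five etypes Microsoft
# Kerberos supports; True marks the two suites built only from Approved
# Algorithms (AES with HMAC-SHA1-96).
KERB_ETYPE_BITS = {
    0x01: ("DES-CBC-CRC", False),
    0x02: ("DES-CBC-MD5", False),
    0x04: ("RC4-HMAC", False),
    0x08: ("AES128-CTS-HMAC-SHA1-96", True),
    0x10: ("AES256-CTS-HMAC-SHA1-96", True),
}
KNOWN_KERB_MASK = sum(KERB_ETYPE_BITS)  # 0x1F


def classify_kerb_etypes(value):
    """Decode an msDS-SupportedEncryptionTypes value into an audit record.

    0 / None means the attribute is unset, so the KDC default applies and the
    account cannot be shown to offer only Approved etypes. Bits outside the
    five etype flags (e.g. newer compound flags) are returned as unknown_bits
    for manual review rather than silently ignored.
    """
    value = value or 0
    items = sorted(KERB_ETYPE_BITS.items())
    etypes = [name for bit, (name, _) in items if value & bit]
    non_approved = [name for bit, (name, ok) in items if value & bit and not ok]
    return {
        "etypes": etypes,
        "non_approved": non_approved,
        "unknown_bits": value & ~KNOWN_KERB_MASK,
        "approved_only": bool(etypes) and not non_approved,
    }


# Tokens in a cipher suite name that mean it does not rely only on Approved
# Algorithms: RC4/RC2/single-DES ciphers, MD5 hashing, NULL encryption and
# anonymous key exchange (no peer authentication). Export-grade suites are
# caught by the EXPORT prefix check below.
NON_APPROVED_TLS_TOKENS = {"RC4", "RC2", "DES", "MD5", "NULL", "ANON"}


def tls_suite_uses_only_approved(suite_name):
    """True when no token of the suite name names a non-Approved algorithm.
    '3DES' is a distinct token from 'DES', so 3DES suites pass this check."""
    tokens = suite_name.upper().split("_")
    return not any(t in NON_APPROVED_TLS_TOKENS or t.startswith("EXPORT")
                   for t in tokens)


def non_compliant_tls_suites(priority_list):
    """(1-based position, suite) for each non-compliant suite in a Schannel
    priority list, showing how early a weak suite could be negotiated."""
    return [(i + 1, s) for i, s in enumerate(priority_list)
            if not tls_suite_uses_only_approved(s)]


# Constructed sample data: not a real directory export, not the Vista list.
SAMPLE_ACCOUNTS = {
    "svc-legacy": 0x04,   # RC4-HMAC only
    "svc-mixed": 0x1C,    # RC4-HMAC + AES128 + AES256
    "svc-aes": 0x18,      # AES128 + AES256 only
    "svc-unset": 0,       # attribute never set
}
SAMPLE_SCHANNEL_PRIORITY = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
    "TLS_RSA_WITH_NULL_SHA",
]


def audit(accounts=SAMPLE_ACCOUNTS, suites=SAMPLE_SCHANNEL_PRIORITY):
    """Accounts not shown to be Approved-only, plus weak suites with position."""
    weak_accounts = {}
    for name, value in accounts.items():
        info = classify_kerb_etypes(value)
        if not info["approved_only"]:
            weak_accounts[name] = info
    return weak_accounts, non_compliant_tls_suites(suites)


if __name__ == "__main__":
    accts, weak_suites = audit()
    for name, info in accts.items():
        offered = info["etypes"] or "unset (KDC default applies)"
        print(f"{name}: offers {offered}; non-Approved: {info['non_approved']}")
    for pos, suite in weak_suites:
        print(f"priority {pos}: {suite} is not Approved-only")
```

Run against a real export, feed the attribute values from Get-ADObject (or an LDAP query for msDS-SupportedEncryptionTypes) into accounts and the output of the SSL Cipher Suite Order policy into suites; the position number is what tells you whether a weak suite, like the one the message notes is third in the default preference list, would actually be chosen before the compliant ones.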