ad-assurance - [AD-Assurance] RE: Notes from March 29
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Rank, Mark" <>
- To: "" <>
- Subject: [AD-Assurance] RE: Notes from March 29
- Date: Mon, 1 Apr 2013 15:37:28 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
Folks:
Based on the notes, it sounds like there is a feeling that 4.2.3.6.3 falls into the "not just AD
problem". If that is a correct interpretation of the notes, I would tend to agree. I feel it is
only valuable to point it out for this exercise because of the tendency, especially as campuses
get smaller, to use AD to validate more services directly.
Let me know if there is something specific I should be working on for 4.2.3.6.2/3 other than my
continued looking into background before the next meeting.
Please advise,
Mark
--------------------------------------------------
Mark Rank
Project Manager - Identity & Access Mgt UCSF Information Technology Services (ITS)
email: phn:414-331-1476
--------------------------------------------------
From: [] on behalf of Michael W. Brogan []
Sent: Friday, March 29, 2013 2:42 PM
To:
Subject: [AD-Assurance] RE: Notes from March 29

All,
I took care of my first action item. The second action item referenced 4.2.3.6.1b, but it seems like the issue of Kerberos and SSL/TLS cipher suite configuration comes up in several places in the matrix. For now I've recorded what I found in the email.
--Michael
=========================

Whether Kerberos or SSL/TLS can provide a Protected Channel (i.e. the channel uses Approved Algorithms to thwart an identified set of threats) depends on the cipher suites that are configured for each.
Kerberos: Microsoft Kerberos has supported five cipher suites. The two weakest suites are disabled by default in Win2K8. Only Win2K8 and newer support AES encryption and only Win2K8 R2 supports AES-256. Only two cipher suites rely only on Approved Algorithms:
- AES256-CTS-HMAC-SHA1-96
- AES128-CTS-HMAC-SHA1-96

RC4-HMAC is enabled by default in Win2K8 and newer but does not rely on Approved Algorithms.
Kerberos References:
- Windows Configurations for Kerberos Supported Encryption Type
- Changes in Kerberos Authentication: http://technet.microsoft.com/en-us/library/dd560670(v=ws.10).aspx
- Hunting down DES in order to securely deploy Kerberos
SSL/TLS: SSL/TLS is used to provide secure communication channels for services (e.g. HTTP, SMTP, LDAP). Protocol support comes from schannel.dll and it supports many cipher suites. The default enabled list includes many suites that rely on Approved Algorithms, but there are several suites that are not compliant, including one that is third in the list of preferences for negotiation.
SSL/TLS References:
- Schannel Cipher Suites in Windows Vista (applies to Win2K8 as well): http://msdn.microsoft.com/en-us/library/windows/desktop/ff468651(v=vs.85).aspx
- How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (NT4 SP6 era, couldn't find same info for Win2K8, may not be valid): http://support.microsoft.com/kb/245030
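As an added example (not part of the thread or of any Microsoft tool), the following script decodes the per-account msDS-SupportedEncryptionTypes bitmask that Active Directory uses to record which Kerberos encryption types an account supports, and reports whether the account can be held to the two AES types Michael lists as relying only on Approved Algorithms. The sample account values are constructed; treating an unset value as the legacy RC4-HMAC default is an assumption stated in the code.

```python
"""Audit Kerberos encryption types against the Approved Algorithms list.

Added example, not from the thread. Decodes the msDS-SupportedEncryptionTypes
bitmask stored on AD accounts and flags any enabled type that is not one of the
two AES-based types the thread names as relying only on Approved Algorithms.
"""

# Bit values of msDS-SupportedEncryptionTypes (as documented in MS-KILE / MS-ADTS).
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# The only two Kerberos types in the thread that rely solely on Approved Algorithms.
APPROVED = {"AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"}


def decode_enctypes(value):
    """Return the names of the encryption types enabled by a bitmask value.

    Assumption: an unset attribute (None or 0) is treated as the legacy
    default, RC4-HMAC, which is what older domain controllers fall back to.
    """
    if not value:
        return ["RC4-HMAC"]
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]


def audit_account(value):
    """Classify one account: which types are enabled and which are non-Approved."""
    enabled = decode_enctypes(value)
    weak = [e for e in enabled if e not in APPROVED]
    return {"enabled": enabled, "non_approved": weak, "protected_channel": not weak}


def audit_accounts(accounts):
    """Audit a mapping of account name -> msDS-SupportedEncryptionTypes value."""
    return {name: audit_account(value) for name, value in accounts.items()}


# Constructed sample: AES-only, the Win2K8 default (RC4 + AES), unset, and DES-era.
SAMPLE_ACCOUNTS = {
    "svc-web": 0x18,       # AES128 + AES256
    "svc-ldap": 0x1C,      # RC4 + AES128 + AES256
    "legacy-app": None,    # attribute not set
    "old-printer": 0x07,   # DES-CBC-CRC + DES-CBC-MD5 + RC4
}

if __name__ == "__main__":
    for name, result in audit_accounts(SAMPLE_ACCOUNTS).items():
        status = "OK" if result["protected_channel"] else "NON-APPROVED: " + ", ".join(result["non_approved"])
        print(f"{name:12s} {status}")
```

In a live domain the values would come from an LDAP query of the attribute rather than the constructed dictionary; the decoding and classification are unchanged.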
From: [mailto:]
On Behalf Of Ann West

All,
The Notes from today's call are available at: https://spaces.internet2.edu/display/InCAssurance/March+29%2C+2013
Let me know if you have comments or corrections.
Action Items
- David - Develop AM to abstract Ron's approach of using audit process in lieu of technology controls.
I have also started a page for MS Questions that's linked off the AD-Assurance home wiki page.
Ann