Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] RE: Notes from March 29

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] RE: Notes from March 29

Chronological Thread 
  • From: "Rank, Mark" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Notes from March 29
  • Date: Mon, 1 Apr 2013 15:37:28 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none


Sounds like there was some excellent discussion last Friday. Sorry I was unable to make it.

Based on the notes, it sounds like there is a feeling that falls into the "not just AD 
problem". If that is a correct interpretation of the notes, I would tend to agree. I feel it is
only valuable to point it out for this exercise because of the tendency, especially as campuses
get smaller, to use AD to validate more services directly.  

Let me know if there is something specific I should be working on for other than my 
continued looking into background before the next meeting.

Please advise,

Mark Rank
Project Manager - Identity & Access Mgt
UCSF Information Technology Services (ITS)

From: [] on behalf of Michael W. Brogan []
Sent: Friday, March 29, 2013 2:42 PM
Subject: [AD-Assurance] RE: Notes from March 29



I took care of my first action item. The second action item referenced  1b, but it seems like the issue of Kerberos and SSL/TLS cipher suite configuration comes up in several places in the matrix. For now I’ve recorded what I found in the email.  





Whether Kerberos or SSL/TLS can provide a Protected Channel (i.e. the channel uses Approved Algorithms to thwart an identified set of threats) depends on the cipher suites that are configured for each.



Microsoft Kerberos has supported five cipher suites. The two weakest suites are disabled by default in Win2K8. Only Win2K8 and newer support AES encryption and only Win2K8 R2 supports AES-256. Only two cipher suites rely only on Approved Algorithms:





RC4-HMAC is enabled by default in Win2K8 and newer but does not rely on Approved Algorithms.


Kerberos References:

Windows Configurations for Kerberos Supported Encryption Type


Changes in Kerberos Authentication


Hunting down DES in order to securely deploy Kerberos



SSL/TLS is used to provide secure communication channels for services (e.g. HTTP, SMTP, LDAP). Protocol support comes from schannel.dll and it supports many cipher suites. The default enabled list includes many suites that rely on Approved Algorithms, but there are several suites that are not compliant, including one that is third in the list of preferences for negotiation.


SSL/TLS References:

Schannel Cipher Suites in Windows Vista (applied to Win2K8 as well)


How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (NT4 SP6 era, couldn’t find same info for Win2K8, may not be valid)




From: [mailto:] On Behalf Of Ann West
Sent: Friday, March 29, 2013 1:38 PM
Subject: [AD-Assurance] Notes from March 29



The Notes from today's call are available at:  Let me know if you have comments or corrections.


Action Items

David - Develop AM to abstract Ron's approach of using audit process lieu of technology controls. 
Michael - Need reference regarding LDAP signing in
Michael - AI - Michael to add recommendation to ensure chosen configuration of  services support Approved Algorithm encryption. in  1b. 


I have also started a page for MS Questions that's linked off the AD-Assurance home wiki page.



  • [AD-Assurance] RE: Notes from March 29, Rank, Mark, 04/01/2013

Archive powered by MHonArc 2.6.16.

Top of Page