ad-assurance - RE: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

RE: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT


  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
  • Date: Mon, 1 Apr 2013 20:09:11 +0000
  • Accept-language: en-US

David,

I would say the specific AD-related issues would be the set of detections that indicate “non-compliant” behavior, as already defined by the cookbook or the gaps analysis. Some event log IDs that indicate known bad behavior are:

#2889: Unsigned LDAP binds

#4624: NTLMv1 logins?

But… what about event IDs 8004 or 8003?

Here was another site I found that might help.

-Jeff

http://windowsitpro.com/group-policy/q-how-can-i-find-out-if-my-clients-are-using-ntlm-authentication-instead-kerberos-again

Whenever the NTLM protocol is used for authentication, an event with ID 8004 shows up in a Windows Server 2008 R2 DC's log, an event with ID 8003 shows up in a Windows Server 2008 R2 member server's log, and an event with ID 8001 appears in a Windows 7 client's log.

Windows 7 and Windows Server 2008 R2 include new Group Policy settings that let you audit, analyze, and restrict NTLM authentication use in your Windows environment. Microsoft introduced three security policy settings you can use for auditing NTLM traffic. The settings are stored in the following Group Policy Object (GPO) container: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. They're called:

  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  • Network security: Restrict NTLM: Audit NTLM authentication in this domain
  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic

You should enable the Restrict NTLM: Audit NTLM authentication in this domain setting only on your Windows Server 2008 R2 domain controllers (DCs). To enable it, choose the Enable all option in the Microsoft Management Console (MMC) GPO Editor snap-in.

You can use the other two settings -- Restrict NTLM: Outgoing NTLM traffic to remote servers and Restrict NTLM: Audit Incoming NTLM Traffic -- for auditing NTLM authentication traffic on all Windows 7 and Windows Server 2008 R2 computers. To enable auditing for the first setting, choose the Audit all option, as Figure 1 shows; to enable auditing for the latter setting, choose the Enable auditing for all accounts option.
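As an added illustration (not part of Jeff's message, the windowsitpro article or the InCommon cookbook), the following Python script applies the event-ID indicators discussed above (2889 unsigned LDAP binds, 4624 logons with NTLMv1, 8004 NTLM audit events on a DC) to a few constructed, simplified event records and computes the 72-hour revocation deadline the draft Alternative Means describes. The field names, sample users and timestamps are assumptions; in a real monitoring program the records would come from Get-WinEvent or a SIEM rather than an inline list.

```python
from datetime import datetime, timedelta

# Constructed sample event records (illustrative, not captured from a real DC).
# Field names are simplified stand-ins for the real event XML attributes.
SAMPLE_EVENTS = [
    {"id": 2889, "time": "2013-04-01T14:02:11", "user": "alice", "client": "10.0.0.5:49211"},
    {"id": 4624, "time": "2013-04-01T14:05:40", "user": "bob", "pkg": "NTLM", "ntlm_ver": "NTLM V1"},
    {"id": 4624, "time": "2013-04-01T14:06:02", "user": "carol", "pkg": "Kerberos", "ntlm_ver": "-"},
    {"id": 8004, "time": "2013-04-01T14:10:00", "user": "dave", "workstation": "WS01"},
    {"id": 4624, "time": "2013-04-01T14:11:00", "user": "erin", "pkg": "NTLM", "ntlm_ver": "NTLM V2"},
]
REVOCATION_WINDOW = timedelta(hours=72)  # window named in the draft Alternative Means

def classify(event):
    """Return a reason string if the event shows non-compliant behaviour, else None."""
    eid = event["id"]
    if eid == 2889:
        # DC logged an LDAP bind that was not signed (simple bind or unsigned SASL).
        return "unsigned LDAP bind from %s" % event.get("client", "?")
    if eid == 4624 and event.get("pkg") == "NTLM" and event.get("ntlm_ver") == "NTLM V1":
        # Successful logon whose authentication package was NTLM at version 1.
        return "NTLMv1 logon"
    if eid == 8004:
        # NTLM audit event on a DC: NTLM was used where Kerberos was expected.
        return "NTLM authentication audited on DC (workstation %s)" % event.get("workstation", "?")
    return None

def revoke_by(detected_at):
    """Deadline for revoking the Subject's eligibility: 72 hours after detection."""
    return (datetime.fromisoformat(detected_at) + REVOCATION_WINDOW).isoformat()

def detect(events):
    """Map each Subject showing non-compliant behaviour to the findings needing follow-up."""
    findings = {}
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        findings.setdefault(ev["user"], []).append(
            {"event_id": ev["id"], "reason": reason,
             "detected": ev["time"], "revoke_by": revoke_by(ev["time"])})
    return findings

if __name__ == "__main__":
    for user, items in detect(SAMPLE_EVENTS).items():
        for f in items:
            print("%-6s event %d: %s; revoke by %s" % (user, f["event_id"], f["reason"], f["revoke_by"]))
```

Note that a 4624 event carrying NTLM V2 is deliberately not flagged by the first rule, matching Jeff's list; the 8004 audit event is what catches NTLM use generally once the "Audit NTLM authentication in this domain" policy is enabled on the DCs.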

From: [mailto:] On Behalf Of David Walker
Sent: Monday, April 01, 2013 3:51 PM
To:
Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT


Thanks, Jeff; I've made the wording changes.  See my next note, though, about the advisability of a very general Alternative Means statement, as I've proposed.

I agree with you about password change requirements.  Do you see a specific AD-related issue here, or is it more a comment on the credential compromise section of the IAP that I referenced?

David

On Mon, 2013-04-01 at 17:31 +0000, Capehart,Jeffrey D wrote:

Additional word-smithing suggestions:

"When compliance with a specific requirement in the IAP depends on a Subject's behavior, and preventing that behavior from occurring is not practical, it is acceptable to comply through the use of a monitoring and mitigation program that detects non-compliant behavior and revokes the Subject's eligibility for affected profiles within 72 hours."

On the monitoring program, an automated monitoring & revocation would certainly be preferable to manual monitoring, but perhaps a mix of automated monitoring and manual revocation (by any one member of a team of more than one) might be ok too.

One aspect that does not appear to be addressed is that if the credential is to be considered compromised (maybe the attacker now knows your password), then there does not appear to be a remediation that includes requiring the user to change their password. Making the user change their password every time it is potentially exposed would be a good motivator to make them try to figure out a way to resolve it so that they can be recertified.

If the user is re-certified without requiring a password change, then is the additional risk truly mitigated?

In consideration of the AM proposal against the AM guidelines/requirements,

1. Cites which specific components are being addressed? NO
2. The reason for proposal (intent)? YES
3. Which risks are exposed here and how mitigated? NO (vague risks – non protection of passwords, non-compliance with IAP)
4. Specific text for IdPO management? SOME
5. Includes documentation? NO – but may be specific to a particular implementation method

Jeff

From: [] On Behalf Of David Walker
Sent: Monday, April 01, 2013 12:59 PM
To: Rank, Mark
Cc:
Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT

Eric, Mark, et al,

Some thoughts:

  • In thinking how to address Eric's comment about the kinds of non-compliance we would allow here, it occurred to me that maybe we don't really care too much, as long as it's corrected quickly. It had also occurred to me that I hadn't said anything about how quickly non-compliant behavior had to be detected, so I changed the "72 hours after detection" requirement to just "72 hours."
  • Mark had some good comments to clarify what we mean by policy and education, but I realized that there are already expectations that the IdPO has policy and education for its community members, so I dropped those.



So, I've changed the statement on https://spaces.internet2.edu/x/zoE_Ag to say "When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring through technical means, it is acceptable to comply through the use of a monitoring and mitigation program that detects non-compliant behavior and revokes the Subject's eligibility for affected profiles within 72 hours."

What do you think? Would it help to add something more specific about AD to the discussion? I was avoiding pointing fingers, but it might help with understanding of what we're trying to do.

David

On Mon, 2013-04-01 at 15:31 +0000, Rank, Mark wrote:

David et al.:

Just word smithing a bit...

Instead of...

"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, it is acceptable to comply through the use of policy, education, and monitoring for non-compliant behavior. The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."

how about...

"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, valid compensating controls may be considered. Proposed valid compensating controls would be an acceptable use policy that includes a recurring education component and a monitoring program to detect and report non-compliant behavior. The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."

Regards,

Mark

--------------------------------------------------

Mark Rank
Project Manager - Identity & Access Mgt

UCSF Information Technology Services (ITS)
email:

phn:414-331-1476

--------------------------------------------------


From: [] on behalf of David Walker []
Sent: Friday, March 29, 2013 11:15 AM
To:
Cc: DHW
Subject: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT




Everyone,

I've drafted a proposed alternative means to address the general case of non-compliance due to end-user use of non-compliant technology (e.g., something that uses unencrypted LDAP against AD):

https://spaces.internet2.edu/x/zoE_Ag


Comments welcome.

David
