Subject: Meeting the InCommon Assurance profile criteria using Active Directory

[AD-Assurance] update

  • From: Brian Arkills <>
  • Subject: [AD-Assurance] update
  • Date: Fri, 12 Apr 2013 15:58:09 +0000

I've updated the gaps cell: NTLMv2 was changed to remove the word "well", and Kerberos was changed to "Resists replay attack". is a pretty well-researched reference for hash-passing attacks and replay attacks against Windows. Some possible alternative means could be culled from it for the NTLMv2 gap. The most notable/effective mitigation would be the "Restrict NTLM" setting, which allows turning off NTLMv2. introduces this topic, with discussing the options first supported by Windows 7 & Windows Server 2008 R2. It seems reasonable that you could require that level for DCs, but I might be off base.

I'm still running down some details on the Kerberos front around whether my change should be more nuanced.
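As an added example (not part of this message or the AD-Assurance list), the PowerShell below reads the registry values behind the "Network security: Restrict NTLM" group policy settings that Windows 7 and Windows Server 2008 R2 introduced, reports what is currently in effect on the host, and stages the settings in audit mode first so the NTLM/Operational event log shows what would break before anything is actually denied. The function names are this example's own; the registry paths, value meanings and event IDs are the ones Microsoft documents for these policies.

```powershell
# Added example, not from the AD-Assurance thread: report (and optionally stage) the
# "Network security: Restrict NTLM" policy values behind the mitigation discussed above.
# Run in an elevated PowerShell on Windows 7 / Server 2008 R2 or later; the Netlogon
# values are only honoured by domain controllers.

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10    = Join-Path $Lsa 'MSV1_0'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Each policy: where it lives, the OS default when the value is absent, and what each
# numeric value means (as documented for the Restrict NTLM / LAN Manager policies).
$Policies = @(
    @{ Path=$Lsa;      Name='LmCompatibilityLevel';         Default=3;
       Map=@{0='Send LM & NTLM'; 1='Send LM & NTLM, NTLMv2 session security if negotiated';
             2='Send NTLM only'; 3='Send NTLMv2 only'; 4='Send NTLMv2 only, refuse LM';
             5='Send NTLMv2 only, refuse LM & NTLM'} },
    @{ Path=$Msv10;    Name='RestrictSendingNTLMTraffic';   Default=0;
       Map=@{0='Allow all'; 1='Audit all'; 2='Deny all'} },
    @{ Path=$Msv10;    Name='RestrictReceivingNTLMTraffic'; Default=0;
       Map=@{0='Allow all'; 1='Deny all domain accounts'; 2='Deny all accounts'} },
    @{ Path=$Msv10;    Name='AuditReceivingNTLMTraffic';    Default=0;
       Map=@{0='Disable'; 1='Audit domain accounts'; 2='Audit all accounts'} },
    @{ Path=$Netlogon; Name='AuditNTLMInDomain';            Default=0;
       Map=@{0='Disable'; 1='Audit domain accounts to domain servers'; 3='Audit domain accounts';
             5='Audit domain servers'; 7='Audit all'} },
    @{ Path=$Netlogon; Name='RestrictNTLMInDomain';         Default=0;
       Map=@{0='Disable'; 1='Deny domain accounts to domain servers'; 3='Deny domain accounts';
             5='Deny domain servers'; 7='Deny all'} }
)

# Report the effective value of every policy; Explicit=$false means the OS default applies.
function Get-NtlmRestrictionState {
    foreach ($p in $Policies) {
        $raw   = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $value = if ($null -eq $raw) { $p.Default } else { [int]$raw }
        [pscustomobject]@{
            Setting  = $p.Name
            Value    = $value
            Meaning  = $p.Map[$value]
            Explicit = ($null -ne $raw)
        }
    }
}

# Stage auditing before blocking: audit mode logs NTLM use without breaking anything,
# so the NTLM/Operational log shows exactly which clients and servers would be denied.
function Enable-NtlmAuditing {
    Set-ItemProperty -Path $Msv10 -Name 'AuditReceivingNTLMTraffic'  -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv10 -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
    if (Test-Path $Netlogon) {
        Set-ItemProperty -Path $Netlogon -Name 'AuditNTLMInDomain' -Value 7 -Type DWord
    }
}

# Summarise the audit events written while in audit mode:
# 8001 outgoing NTLM from this host, 8002 incoming NTLM to this host,
# 8003 domain-level audit, 8004 domain controller audit.
function Get-NtlmAuditSummary {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

Get-NtlmRestrictionState | Format-Table -AutoSize
```

Run `Enable-NtlmAuditing`, let the host sit for a normal business cycle, then review `Get-NtlmAuditSummary` (and the individual 8001/8002 events, which name the source and target) before raising `RestrictReceivingNTLMTraffic` or `RestrictNTLMInDomain` to a deny value; the audit step is what keeps a DC-wide "deny all" from silently breaking legacy clients and services.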




