
ad-assurance - [AD-Assurance] 4.2.5.1 update

Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] 4.2.5.1 update


  • From: Brian Arkills <>
  • To: "" <>
  • Subject: [AD-Assurance] 4.2.5.1 update
  • Date: Fri, 12 Apr 2013 15:58:09 +0000

I've updated the gaps cell for 4.2.5.1. NTLMv2 was changed to remove the word "well" and Kerberos was changed to "Resists replay attack".

http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219 is a pretty well-researched reference for hash passing attacks and replay attacks against Windows. Some possible alternative means could be culled from it for the NTLMv2 gap. The most notable/effective mitigation would be the "Restrict NTLM" setting which allows turning off NTLMv2. http://technet.microsoft.com/en-us/library/dd560653(v=ws.10).aspx introduces this topic, with http://technet.microsoft.com/en-us/library/jj865668(v=ws.10).aspx discussing the options first supported by Windows 7 & Windows Server 2008R2. It seems reasonable that you could require that level for DCs, but I might be off base.

I'm still running down some details on the Kerberos front around whether my change should be more nuanced.

-B