
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


RE: [AD-Assurance] Questions for Microsoft and Friday's call


  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Questions for Microsoft and Friday's call
  • Date: Fri, 3 May 2013 14:03:16 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none

For a quick review of the questions on the list as of this morning:

Questions

  • When BitLocker full disk encryption is used are disk sectors decrypted as they are read? What is the recommended/supported BitLocker configuration for use with AD-DS?
  • Does Microsoft have a strategy for compliance with the Federal Identity, Credential, and Access Management (FICAM) requirements at LoA-2? If so, what is the time frame?
  • Does Microsoft have a strategy for AD integration of non-Windows and old-Windows client platforms that will use NIST/FIPS approved algorithms? If so, what is the time frame?
  • In the documentation of the NetUserChangePassword and NetUserSetInfo protocols it states that "The NetUserChangePassword function does not control how the oldpassword and newpassword parameters are secured when sent over the network to a remote server. Any encryption of these parameters is handled by the Remote Procedure Call (RPC) mechanism supported by the network redirector that provides the network transport." (similar language exists for NetUserSetInfo) Is it possible to limit the allowed RPC encryption types available to these functions?
  • Review summary table and request verification. https://spaces.internet2.edu/x/BA8wAg
  • Memory storage of authn secret in scope for 4.2.3.4? (I don't think this is a question for Microsoft. - DHW) (I agree--there isn't enough here for MS to say anything. Either needs to be more specific or dropped. - BA)
  • Protected Channels - 4.2.3.6.1b - Gaps
    * What encryption algorithms does Windows Secure Channel use?
    * What's the impact of turning on the FIPS setting on all Domain Clients? What's the impact on Domain Controllers?
    * RC4 HMAC encryption is not NIST or FIPS approved, and we would like to determine if it's comparable to those methodologies that are. Can you help with this? (See http://www.incommon.org/assurance/alternativemeans.html for the criteria we will consider.)

My Thoughts:

1) BitLocker is for encryption at rest. Once the system boots up, the decryption key is available for each “block” on the disk. However, AD probably keeps everything (UserID/password hashes/Kerberos keys) in memory for speedy authentications. Thus, BitLocker is only protecting the data on the storage device so that if the computer were stolen or the drive removed, the data would be encrypted. AES is always used so it would meet FIPS whether FIPS mode is on or off.

2) Microsoft Strategy: I’m sure they want to get to NIST/FIPS compliance with their products. Clearly they are submitting them to the CMVP and Common Criteria for evaluations and certifications. We should find out how far back the products are compliant, such as Vista or Server 2008 as a minimum?

3) Storage of Authn Secret (4.2.3.4) – see #1 for in memory, but the bigger question is the data storage: is there any way to get Active Directory to meet the Approved Algorithm requirements for encrypting the password database without turning on FIPS mode or using BitLocker? Will FIPS mode even encrypt the password database with Approved Algorithms?

4) Is there any way to configure Active Directory to allow one group of users to only use Kerberos authentication and approved algorithm ciphers while allowing other users to still be able to use NTLM, LM, RC4-HMAC, etc.?


Having read through the Common Criteria evaluation of Windows 7 and Server 2008, it appears Microsoft submitted many documents (that were not made public) that may go into the details we are looking for. Maybe Microsoft can find answers for us in some of these documents?


5 Documentation

The following documentation was used as evidence for the evaluation of the Windows 7 and Windows Server 2008 R2:

5.1 Design Documentation

1. Microsoft Windows Common Criteria Evaluation Security Architecture, September 13, 2010

2. Admin Tools

5. Active Directory Delegation of Control Wizard (June 24 2010).docx

6. Active Directory Domains and Trusts Snap-in (June 26 2010).docx

7. Active Directory Sites and Services (June 28 2010).docx

8. Audit Policy Command Line Interface (Mar 30 2010).docx

9. Authorization Manager (June 3 2010).docx

10. BitLocker Drive Encryption Control Panel (May 6 2010).docx

40. Routing and Remote Access Snap-in (July 13 2010).docx

41. SAM Lock Tool (May 7 2010).docx

59. Windows Authentication User Interface (September 10 2010).docx

67. Cryptographic Support

68. BitLocker Drive Encryption Service (Dec 02 2009).docx

 

264. Security

265. Active Directory Replication Management (September 11, 2010).docx

266. Core Directory Service (September 9, 2010).docx

267. Credential Manager (June 3, 2010).docx

268. Credential Security Support Provider (Aug 2, 2010).docx

269. Data Protection API (May 12, 2010).docx

270. Directory Services Role Management (June 4, 2010).docx

271. Encrypting File System Service (September 10, 2010).docx

272. Inter-Site Messaging (September 10, 2010).docx

273. KDC Service (Sep 08 2010).docx

274. Kerberos Security Package (Sep 08 2010).docx

275. Key Isolation Service (June 7, 2010).docx

276. LDAP (September 11, 2010).docx

277. LSA Audit (March 17, 2010).docx

278. LSA Authentication (August 5, 2010).docx

279. LSA Policy (September 10, 2010).docx

280. MAPI Based Directory Request (September 9, 2010).docx

281. Microsoft Authentication, V1.0 (Sep 08 2010).docx

282. Microsoft Base Smart Card Crypto Provider (May 13, 2010).docx

283. Microsoft Digest Access (June 2, 2010).docx

284. Microsoft Smart Card Key Storage Provider (May 13, 2010).docx

285. Microsoft Smart Card Minidriver (July 08 2010).docx

286. Net Logon Services DLL (July 02, 2010).docx

287. NT Directory Service Backup and Restore (July 23, 2010).docx

288. PKI Trust Installation and Setup (May 3, 2010).docx

289. Protected Storage Server (May 12, 2010).docx

290. SAM Server (Sep 08 2010).docx

291. Secondary Logon Service (March 22, 2010).docx

292. TLS-SSL Security Provider (June 9, 2010).docx

293. Trust Signing APIs (May 21, 2010).docx

294. Windows Cryptographic Primitives Library (Sep 09 2010).docx

350. Winlogon

354. Local Session Manager (Apr 13 2010).docx

355. Secure Desktop with Credential User Interface (Apr 12 2010).docx

356. Syskey (May 24 2010).docx

357. Trust Verification APIs (Dec 22 2009).docx

358. Trusted Installer (Feb 23 2010).docx

360. Windows File Protection (Dec 28 2009).docx

361. Windows Logon Application (Sep 03 2010).docx

362. Windows Logon User Interface Host (Sep 03 2010).docx


SOURCE REFERENCE: http://www.niap-ccevs.org/st/st_vid10390-vr.pdf

Windows 7 and Server 2008 R2, Validation Report, Version 0.1, 24 March 2011


7. Evaluated Configuration

The evaluated configuration was tested in the configuration identified in this section. The evaluation results are valid for the various realizable combinations of configurations of hardware and software listed in this section.

TOE Software Identification – The following Windows Operating Systems (OS):

  • Microsoft Windows 7 Enterprise Edition (32-bit and 64-bit versions)
  • Microsoft Windows 7 Ultimate Edition (32-bit and 64-bit versions)
  • Microsoft Windows Server 2008 R2 Standard Edition
  • Microsoft Windows Server 2008 R2 Enterprise Edition
  • Microsoft Windows Server 2008 R2 Datacenter Edition
  • Microsoft Windows Server 2008 R2 Itanium Edition

The following security updates and patches must be applied to the above Windows 7 products:

  • All security updates as of September 14, 2010 as well as the updates associated with security bulletins MS10-073 and MS10-085, and hotfix KB2492505.

The following security updates must be applied to the above Windows Server 2008 R2 products:

  • All security updates as of September 14, 2010 as well as the updates associated with security bulletins MS10-073 and MS10-085, and hotfix KB2492505.


From: [mailto:] On Behalf Of David Walker
Sent: Tuesday, April 30, 2013 5:34 PM
To: InCommon AD Assurance Group
Cc: DHW
Subject: [AD-Assurance] Questions for Microsoft and Friday's call


Everyone,

A quick reminder that we agreed to finalize our questions for Microsoft ( https://spaces.internet2.edu/x/6oE_Ag ) in Friday's call.  Ann will be attending her son's graduation (and I may be half asleep, due to a late flight into Oakland the night before), so please get all of your questions onto the page before the call so we can resolve any final issues before the end of the call.

Remember that we want questions that will verify our assumptions and/or move us toward resolution of issues we've identified.

David
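A check that follows from question 4 and the "Protected Channels" gap raised in the message above: which accounts in the domain still permit RC4-HMAC Kerberos keys (or carry no explicit encryption-type setting at all), and whether a given host has the FIPS policy switched on. This is an added PowerShell example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the directory. The attribute name msDS-SupportedEncryptionTypes, its bit values, and the FipsAlgorithmPolicy registry key are the documented Windows ones; the function names and the bit-to-name table are the example's own.

```powershell
# Added example (not from the mailing-list thread): inventory the Kerberos
# encryption types each account is allowed to use, and read the local FIPS flag.
# Assumes: RSAT ActiveDirectory module present, read access to the directory.
# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft:
#   0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC,
#   0x8 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96
Import-Module ActiveDirectory

$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x1
    'DES-CBC-MD5'             = 0x2
    'RC4-HMAC'                = 0x4
    'AES128-CTS-HMAC-SHA1-96' = 0x8
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}
$NonApprovedMask = 0x7   # DES and RC4 bits: not NIST/FIPS approved
$AesMask         = 0x18  # AES128 and AES256 bits

function ConvertFrom-SupportedEncryptionTypes {
    # Turn the bitmask into readable names. An absent or zero attribute means
    # the KDC applies its own default set, which in the Windows Server 2008 R2
    # generation still includes RC4-HMAC, so it is reported as such.
    param([Nullable[int]] $Value)
    if ($null -eq $Value -or $Value -eq 0) {
        return @('(not set: KDC default, RC4-HMAC allowed)')
    }
    $EncTypeBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-AccountEncryptionTypeReport {
    # One row per user or computer account, flagging accounts that are
    # restricted to AES only (the "approved ciphers" group from question 4).
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
        -Properties 'msDS-SupportedEncryptionTypes', sAMAccountName |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account  = $_.sAMAccountName
            RawValue = $raw
            EncTypes = ((ConvertFrom-SupportedEncryptionTypes $raw) -join ', ')
            # $null -band n evaluates to 0, so an unset attribute is never AES-only.
            AESOnly  = (($raw -band $NonApprovedMask) -eq 0) -and (($raw -band $AesMask) -ne 0)
        }
    }
}

function Get-FipsPolicyState {
    # "System cryptography: Use FIPS compliant algorithms for encryption,
    # hashing, and signing" is stored as a DWORD under this key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        FipsModeEnabled = ($enabled -eq 1)
    }
}

# Usage: list every account that could still be issued RC4 or DES keys,
# then report whether this host has FIPS mode on.
Get-AccountEncryptionTypeReport | Where-Object { -not $_.AESOnly } | Format-Table -AutoSize
Get-FipsPolicyState
```

Run it on a domain-joined host. The report answers the inventory half of question 4 (which accounts can still be served non-approved Kerberos keys); it only reads the attribute, so actually restricting a group to AES is a separate change to those accounts' msDS-SupportedEncryptionTypes value, and a reset of their passwords is needed before AES keys exist for them.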
