
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] US-CERT as an authority on security - for alternative means - on NTLMv2


  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] US-CERT as an authority on security - for alternative means - on NTLMv2
  • Date: Wed, 15 May 2013 21:37:15 +0000

Here’s a fairly recent (2011) document from the US CERT Cyber Alert System which says (in addition to following NIST SP800-53) that administrators should…


Consider adding the following measures to your password and account protection plan.

  • Use a two factor authentication method for accessing privileged root level accounts.
  • Use minimum password length of 15 characters for administrator accounts.
  • Require the use of alphanumeric passwords and symbols.
  • Enable password history limits to prevent the reuse of previous passwords.
  • Prevent the use of personal information as password such as phone numbers and dates of birth.
  • Deploy NTLMv2 as the minimum authentication method and disable the use of LAN Managed passwords.
  • Use minimum password length of 8 characters for standard users.
  • Disable local machine credential caching if not required through the use of Group Policy Object (GPO). For more information on this topic see Microsoft Support articles 306992 and 555631.
  • Deploy a secure password storage policy that provides password encryption.


http://www.us-cert.gov/ncas/alerts/TA11-200A


OK, so when CERT says “LAN Managed passwords” we’re savvy enough to know that means LM HASH.


CERT recommends using NTLMv2 and disabling LM hash. Both agree with the AD Cookbook.


The password composition, history, length, and dictionary-type checks speak to the entropy requirement in both Bronze and Silver profiles.


I think we have already determined that even for Bronze level passwords, the minimum entropy should be sufficient for the Kerberos protocol to meet Resist Replay, Resist Eavesdropper, Resist Hijack, weak MitM, etc.


US CERT has many more recommendations for general security, but the above may be reasonable as an authoritative reference to say that US CERT recommends NTLMv2 as a minimum, which should help in an alternative means proposal when developing the specific text to use for the assertion, or for the documentation for why and how regarding comparable or superior.


I can see that it may be challenging to claim that NTLMv2 is comparable or superior to Kerberos, and probably even tougher compared with Kerberos keys in the AES ciphers.  The RC4-HMAC issue comes up here too, as well as MD5.  Comparable in terms of being encrypted, yes.  Can a claim be made for strong enough encryption at 8 characters?  9?  12?  15?  It is clear that the algorithm is not approved.  Are there any comparable terms such as comparably strong cryptographic hashing?


Again, this is just one authority to reference when developing an alternative means proposal.  But it is one that actually says “Deploy NTLMv2 as the minimum.”


Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu
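The three US-CERT items quoted above that map directly to Windows settings (NTLMv2 as the minimum, no LM hash storage, no cached domain credentials unless required) can be audited from the local registry. The script below is an added example for this archive page, not code from the original message or from the AD-Assurance group; it only reads the documented LSA and Winlogon values and reports which of the quoted items the host meets. The registry paths and value names are Microsoft's documented ones; the pass/fail thresholds and the output format are this example's own choices. It assumes an elevated PowerShell session on a domain-joined Windows host and does not change anything.

```powershell
# Added example (not from the original message): read-only audit of the local
# settings that correspond to the US-CERT items quoted in the thread.
# Run in an elevated PowerShell; nothing is written to the registry.

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Documented meaning of each LmCompatibilityLevel value
# (the "Network security: LAN Manager authentication level" policy).
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-RegValueOrDefault {
    # Return the named registry value, or $Default when the value is absent.
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Test-NtlmHardening {
    # LmCompatibilityLevel is often absent; current Windows versions then
    # default to 3 ("Send NTLMv2 response only"). Report whether it was set.
    $raw   = Get-RegValueOrDefault $lsa 'LmCompatibilityLevel' $null
    $level = if ($null -eq $raw) { 3 } else { [int]$raw }

    # NoLMHash = 1 stops the LM hash being stored at the next password change
    # (the "disable LAN Managed passwords" item in the CERT list).
    $noLm = [int](Get-RegValueOrDefault $lsa 'NoLMHash' 0)

    # CachedLogonsCount is a REG_SZ; 0 disables cached domain logons.
    $cached = [int](Get-RegValueOrDefault $winlogon 'CachedLogonsCount' '10')

    [PSCustomObject]@{
        LmCompatibilityLevel = $level
        LmLevelMeaning       = $lmLevels[$level]
        LmLevelExplicitlySet = ($null -ne $raw)
        NtlmV2Minimum        = ($level -ge 3)   # CERT: NTLMv2 as the minimum
        RefusesLmAndNtlm     = ($level -eq 5)   # strongest level (threshold is this example's choice)
        NoLMHash             = ($noLm -eq 1)    # CERT: disable LM hash
        CachedLogonsCount    = $cached
        CachedCredsDisabled  = ($cached -eq 0)  # CERT: disable caching if not required
    }
}

$result = Test-NtlmHardening
$result | Format-List

# Summarise the gaps against the quoted CERT items.
$findings = @()
if (-not $result.NtlmV2Minimum) {
    $findings += 'LmCompatibilityLevel below 3: this host may still send LM/NTLMv1 responses'
}
if (-not $result.RefusesLmAndNtlm) {
    $findings += 'LmCompatibilityLevel below 5: this host still accepts LM/NTLMv1 responses from peers'
}
if (-not $result.NoLMHash) {
    $findings += 'NoLMHash is not 1: LM hashes may still be stored at the next password change'
}
if (-not $result.CachedCredsDisabled) {
    $findings += "CachedLogonsCount is $($result.CachedLogonsCount): cached domain credentials are retained"
}

if ($findings.Count -eq 0) {
    'All checked settings meet the quoted US-CERT items.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

In a domain these values are normally delivered by GPO rather than set by hand, so a finding here usually points at the policy that applies to the host's OU rather than at the host itself; running the script on a domain controller is the more meaningful check for the "refuse LM & NTLM" level, since that is where the incoming authentication is accepted.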
