ad-assurance - RE: [AD-Assurance] RE: Action Items from May 10
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: Ron Thielen <>
- To: "" <>
- Subject: RE: [AD-Assurance] RE: Action Items from May 10
- Date: Fri, 17 May 2013 18:43:36 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
I believe that without syskey the SAM password data is encrypted, but just with DES_ECB.
Also, from what I have read, the encryption key is known to be the user’s RID (Relative ID, part of their SID), so it doesn’t actually protect anything just obfuscates with a weak algorithm. I agree that RC4 is in play with syskey.
Everything I’ve read indicates that RC4 128 bit is the algorithm that syskey uses. One problem with syskey is that the default is to store the PEK in the registry.
Given enough, readily available, knowledge about how the PEK is secured
and used you can derive its value and then potentially decrypt the syskey protected data.
If we want to pursue this, I think we may need to recommend using a boot time passphrase or storage on a removable device that is indeed removed during normal operations. It might be worth noting that stealing the SAM database generally means that the attacker has already compromised administrative
credentials on the system. Since administrators of the IDMS have to have credentials that meet or exceed the requirements of the IAP profile being applied, there is a certain level of mitigation in place already.
Additionally technologies like IDS or file monitoring can be used to detect potential compromises and policies like ones requiring destruction of media for IDMS systems, e.g. we don’t let vendors take our hard drives replaced under maintenance. Ron From:
[mailto:] On Behalf Of Jeff Whitworth My understanding is that the database is encrypted even without syskey being used, but that it is fairly trivial to determine that key from the registry. Using syskey does bring in RC4 into the mix but the encryption key is based on the
syskey value instead data stored within LSA secrets. I may be a little off, but that is what I remember. I also believe that using syskey means the valueused for encryption is never written to disk, but is stored in memory. Jeff
Jeff Whitworth Manager, Enterprise Systems Architecture University of North Carolina at Greensboro 336.334.9854 MCITP: Enterprise Administrator GIAC Certified Windows Security Administrator On Fri, May 17, 2013 at 12:01 PM, Capehart,Jeffrey D <> wrote: Eric, Nice work. You are a Goodman**2. (That’s my geek-speek for ‘Goodman, you’re a good man’) I went back and read all the minutes from the previous cookbook discussion just so they would be
fresh. I had not realized that we had gone from 1.0 (NIST encryption) to 1.1 (industry standard) and now (1.2) back to NIST Approved Algorithm. Interesting. The entropy requirements seem to be leaned on heavily for the 2012 cookbook. To me, it makes more
sense to place the entropy in context, such that if someone can go out on the limb and say that an 8 character password with 10**14 entropy would be sufficient to mitigate the risks with Kerberos, then it becomes relevant to AD meeting “resist [replay, eavesdropper,
hijack]” rather than resistance-is-futile. I also thought that RC4 can come into play if SYSKEY is being used. What I am still not clear on
is whether the “password database” is encrypted if SYSKEY isn’t used. Is the Password Encryption Key used (supposedly RC4) if SYSKEY isn’t turned on? Just an overall comment about the document for the purposes of a “per-institution” version… the “fill-in-the-blank”
areas need to be made more explicitly clear that they need to be filled out so that they actually get filled out, rather than being left “blank.” Don’t forget to add a note on the version history when revisions are ready for broader review!
J Jeff
From:
[mailto:]
On Behalf Of David Walker
Eric,
Because the risk assessments are so out of phase with one another in the area of stored passwords, I didn’t see how to put in our commentary without completely rewriting (and revising)
the original AD cookbook suggestions, which I think bears more discussion – or at least we should alert the original group that we disagree – before actually making any edits of that magnitude.
On the other areas, we mostly agreed; I added a couple of comments, but there’s still lots of room for editing what I added. E.g., I say “add some of Jeff’s references here” rather than
actually having selected his best references. I’m willing to do that addition as well, I just didn’t get to it at this point. |
- [AD-Assurance] Action Items from May 10, Ann West, 05/10/2013
- [AD-Assurance] RE: Action Items from May 10, Eric Goodman, 05/16/2013
- Re: [AD-Assurance] RE: Action Items from May 10, David Walker, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Brian Arkills, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Capehart,Jeffrey D, 05/17/2013
- Re: [AD-Assurance] RE: Action Items from May 10, Jeff Whitworth, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Brian Arkills, 05/17/2013
- Re: [AD-Assurance] RE: Action Items from May 10, Jeff Whitworth, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/31/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/31/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Brian Arkills, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/17/2013
- Re: [AD-Assurance] RE: Action Items from May 10, Jeff Whitworth, 05/17/2013
- Re: [AD-Assurance] RE: Action Items from May 10, David Walker, 05/17/2013
- [AD-Assurance] RE: Action Items from May 10, Eric Goodman, 05/16/2013
Archive powered by MHonArc 2.6.16.