ad-assurance - [AD-Assurance] Updates to the AD Cookbook
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Eric Goodman <>
- Subject: [AD-Assurance] Updates to the AD Cookbook
- Date: Fri, 24 May 2013 01:09:52 +0000
More “Just in Time” document editing! Here’s a more aggressive rewrite of the AD Cookbook incorporating our comments. Specific goals of the rewrite:

1) Separate out the discussion of the issues from the specific configuration and assessment recommendations.
2) Modify the document where we had different thoughts
   a. E.g., BitLocker as a requirement rather than just a good idea, removal of entropy discussion from the “passwords at rest” section.
3) Add in references to our Alternative Means documents as appropriate
   a. Monitor and Mitigate, expected “NTLMv2 is just dandy”
   b. Note: I haven’t added any of the references Jeff sent in the last three days
4) Consolidate repetitious requirements descriptions (the description of how to enforce IPsec or LDAP signing was repeated for 3 or 4 different IAP sections)

I still scattered some questions around in the document where the original AD Cookbook recommendations had not been further reviewed by us – or I forgot if it was. (Most notably around use of Syskey mode 2/3, Intrusion Detection as compensating controls for password at rest management, specific replay attack prevention advice.) There’s also a “Potpourri” section at the top for issues that aren’t woven into the document at this point.

I did not make any alterations to the appendices, and I didn’t review them to see if perhaps I should have in this go round.

--- Eric