ad-assurance - RE: [AD-Assurance] RE: Action Items from May 10
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: Ron Thielen <>
- To: "" <>
- Subject: RE: [AD-Assurance] RE: Action Items from May 10
- Date: Fri, 31 May 2013 22:11:07 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none
Okay, I finally found something from Microsoft that verifies that 128 bit RC4 is what
syskey uses for encryption. There are lots of, what I considered to be, non-authoritative sources that said this, but most of the Microsoft documentation doesn’t get so specific.
Then I found a gem of a document “Addressing a Commercial Grade Operating System Security Functional Requirement Set with Windows Vista and Server 2008.”
This 518 page document sets out to demonstrate how Vista and Server 2008 can meet a set
of security requirements for “commercial grade operating systems” that are drawn up from a variety of influences, including ISO 15408 CAPP, USGPP, SP 800-53, et al.
I haven’t dug through its entirety, but noted that it includes things like a section on FIPS 140-2 conformance.
I think we will want to spend some quality time with this paper. For syskey, if we write alternative means for RC4, then someone could make a case that
it suffices for the protection of stored secrets. Ron From:
[mailto:] On Behalf Of Ron Thielen Yes, and the “default stored locally” is what I was referring to when I talked about the key material being stored in the registry. Ron From:
[]
On Behalf Of Brian Arkills http://technet.microsoft.com/en-us/library/hh994564(v=ws.10).aspx has some explanation
of syskey. There are 3 modes: -syskey stored locally. This is the default. -syskey generated by the administrator and not stored anywhere. This option requires that at boot, someone interactively supply that syskey. -syskey stored on floppy (or apparently any removable media at a:\). This option also requires that at boot, someone provide the syskey via removable media. So syskey is used in all scenarios, it's just a matter of where it is stored that changes.
From:
[]
On Behalf Of Ron Thielen I believe that without syskey the SAM password data is encrypted, but just with DES_ECB. Also, from what I have read, the encryption key is known to be the
user’s RID (Relative ID, part of their SID), so it doesn’t actually protect anything just obfuscates with a weak algorithm. I agree that RC4 is in play with syskey. Everything I’ve read indicates that RC4 128 bit is the algorithm that syskey uses. One problem with syskey is that the default is to store the PEK in the registry. Given enough, readily available, knowledge about how the PEK is secured and
used you can derive its value and then potentially decrypt the syskey protected data. If we want to pursue this, I think we may need to recommend using a boot time passphrase or storage on a removable device that is indeed removed during normal operations. It might be worth noting that stealing the SAM database generally means that the attacker has already compromised administrative credentials on the system.
Since administrators of the IDMS have to have credentials that meet or exceed the requirements of the IAP profile being applied, there is a certain level of mitigation in place already. Additionally technologies like IDS or file monitoring can be used to
detect potential compromises and policies like ones requiring destruction of media for IDMS systems, e.g. we don’t let vendors take our hard drives replaced under maintenance. Ron From:
[]
On Behalf Of Jeff Whitworth My understanding is that the database is encrypted even without syskey being used, but that it is fairly trivial to determine that key from the registry. Using syskey does bring in RC4 into the mix but the encryption key is based on the
syskey value instead data stored within LSA secrets. I may be a little off, but that is what I remember. I also believe that using syskey means the valueused for encryption is never written to disk, but is stored in memory. Jeff
Jeff Whitworth Manager, Enterprise Systems Architecture University of North Carolina at Greensboro 336.334.9854 MCITP: Enterprise Administrator GIAC Certified Windows Security Administrator On Fri, May 17, 2013 at 12:01 PM, Capehart,Jeffrey D <> wrote: Eric, Nice work. You are a Goodman**2. (That’s my geek-speek for ‘Goodman, you’re a good man’) I went back and read all the minutes from the previous cookbook discussion just so they would be
fresh. I had not realized that we had gone from 1.0 (NIST encryption) to 1.1 (industry standard) and now (1.2) back to NIST Approved Algorithm. Interesting. The entropy requirements seem to be leaned on heavily for the 2012 cookbook. To me, it makes more
sense to place the entropy in context, such that if someone can go out on the limb and say that an 8 character password with 10**14 entropy would be sufficient to mitigate the risks with Kerberos, then it becomes relevant to AD meeting “resist [replay, eavesdropper,
hijack]” rather than resistance-is-futile. I also thought that RC4 can come into play if SYSKEY is being used. What I am still not clear on
is whether the “password database” is encrypted if SYSKEY isn’t used. Is the Password Encryption Key used (supposedly RC4) if SYSKEY isn’t turned on? Just an overall comment about the document for the purposes of a “per-institution” version… the “fill-in-the-blank”
areas need to be made more explicitly clear that they need to be filled out so that they actually get filled out, rather than being left “blank.” Don’t forget to add a note on the version history when revisions are ready for broader review!
J Jeff
From:
[mailto:]
On Behalf Of David Walker
Eric,
Because the risk assessments are so out of phase with one another in the area of stored passwords, I didn’t see how to put in our commentary without completely rewriting (and revising)
the original AD cookbook suggestions, which I think bears more discussion – or at least we should alert the original group that we disagree – before actually making any edits of that magnitude.
On the other areas, we mostly agreed; I added a couple of comments, but there’s still lots of room for editing what I added. E.g., I say “add some of Jeff’s references here” rather than
actually having selected his best references. I’m willing to do that addition as well, I just didn’t get to it at this point. |
- [AD-Assurance] Action Items from May 10, Ann West, 05/10/2013
- [AD-Assurance] RE: Action Items from May 10, Eric Goodman, 05/16/2013
- Re: [AD-Assurance] RE: Action Items from May 10, David Walker, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Brian Arkills, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Capehart,Jeffrey D, 05/17/2013
- Re: [AD-Assurance] RE: Action Items from May 10, Jeff Whitworth, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Brian Arkills, 05/17/2013
- Re: [AD-Assurance] RE: Action Items from May 10, Jeff Whitworth, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/31/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/31/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Brian Arkills, 05/17/2013
- RE: [AD-Assurance] RE: Action Items from May 10, Ron Thielen, 05/17/2013
- Re: [AD-Assurance] RE: Action Items from May 10, Jeff Whitworth, 05/17/2013
- Re: [AD-Assurance] RE: Action Items from May 10, David Walker, 05/17/2013
- [AD-Assurance] RE: Action Items from May 10, Eric Goodman, 05/16/2013
Archive powered by MHonArc 2.6.16.