Meeting the InCommon Assurance profile criteria using Active Directory

[Ron Thielen <>]

Okay, I finally found something from Microsoft that verifies that 128 bit RC4 is what syskey uses for encryption.  There are lots of, what I considered to be, non-authoritative sources that said this, but most of the Microsoft documentation doesn’t get so specific.  Then I found a gem of a document “Addressing a Commercial Grade Operating System Security Functional Requirement Set with Windows Vista and Server 2008.”

 

This 518 page document sets out to demonstrate how Vista and Server 2008 can meet a set of security requirements for “commercial grade operating systems” that are drawn up from a variety of influences, including ISO 15408 CAPP, USGPP, SP 800-53, et al.  I haven’t dug through its entirety, but noted that it includes things like a section on FIPS 140-2 conformance.  I think we will want to spend some quality time with this paper.

 

For syskey, if we write alternative means for RC4, then someone could make a case that it suffices for the protection of stored secrets.

 

Ron

 

From: [mailto:] On Behalf Of Ron Thielen
Sent: Friday, May 17, 2013 2:11 PM
To:
Subject: RE: [AD-Assurance] RE: Action Items from May 10

 

Yes, and the “default stored locally” is what I was referring to when I talked about the key material being stored in the registry.

 

Ron

 

From: [] On Behalf Of Brian Arkills
Sent: Friday, May 17, 2013 2:01 PM
To:
Subject: RE: [AD-Assurance] RE: Action Items from May 10

 

http://technet.microsoft.com/en-us/library/hh994564(v=ws.10).aspx has some explanation of syskey. There are 3 modes:

-syskey stored locally. This is the default.

-syskey generated by the administrator and not stored anywhere. This option requires that at boot, someone interactively supply that syskey.

-syskey stored on floppy (or apparently any removable media at a:\). This option also requires that at boot, someone provide the syskey via removable media.

 

So syskey is used in all scenarios, it's just a matter of where it is stored that changes.

 

From: [] On Behalf Of Ron Thielen
Sent: Friday, May 17, 2013 11:44 AM
To:
Subject: RE: [AD-Assurance] RE: Action Items from May 10

 

I believe that without syskey the SAM password data is encrypted, but just with DES_ECB.  Also, from what I have read, the encryption key is known to be the user’s RID (Relative ID, part of their SID), so it doesn’t actually protect anything just obfuscates with a weak algorithm.

 

I agree that RC4 is in play with syskey.  Everything I’ve read indicates that RC4 128 bit is the algorithm that syskey uses.

 

One problem with syskey is that the default is to store the PEK in the registry.  Given enough, readily available, knowledge about how the PEK is secured  and used you can derive its value and then potentially decrypt the syskey protected data.  If we want to pursue this, I think we may need to recommend using a boot time passphrase or storage on a removable device that is indeed removed during normal operations.

 

It might be worth noting that stealing the SAM database generally means that the attacker has already compromised administrative credentials on the system.  Since administrators of the IDMS have to have credentials that meet or exceed the requirements of the IAP profile being applied, there is a certain level of mitigation in place already.  Additionally technologies like IDS or file monitoring can be used to detect potential compromises and policies like ones requiring destruction of media for IDMS systems, e.g. we don’t let vendors take our hard drives replaced under maintenance.

 

Ron

 

From: [] On Behalf Of Jeff Whitworth
Sent: Friday, May 17, 2013 11:22 AM
To:
Subject: Re: [AD-Assurance] RE: Action Items from May 10

 

My understanding is that the database is encrypted even without syskey being used, but that it is fairly trivial to determine that key from the registry.  Using syskey does bring in RC4 into the mix but the encryption key is based on the syskey value instead data stored within LSA secrets.  I may be a little off, but that is what I remember.  I also believe that using syskey means the valueused for encryption is never written to disk, but is stored in memory.

 

Jeff

Jeff Whitworth

Manager, Enterprise Systems Architecture

University of North Carolina at Greensboro

336.334.9854

 

MCITP: Enterprise Administrator

GIAC Certified Windows Security Administrator

 

On Fri, May 17, 2013 at 12:01 PM, Capehart,Jeffrey D <> wrote:

Eric,

 

Nice work.  You are a Goodman**2.  (That’s my geek-speek for ‘Goodman, you’re a good man’)

 

I went back and read all the minutes from the previous cookbook discussion just so they would be fresh.  I had not realized that we had gone from 1.0 (NIST encryption) to 1.1 (industry standard) and now (1.2) back to NIST Approved Algorithm.  Interesting.

 

The entropy requirements seem to be leaned on heavily for the 2012 cookbook.  To me, it makes more sense to place the entropy in context, such that if someone can go out on the limb and say that an 8 character password with 10**14 entropy would be sufficient to mitigate the risks with Kerberos, then it becomes relevant to AD meeting “resist [replay, eavesdropper, hijack]” rather than resistance-is-futile.

 

I also thought that RC4 can come into play if SYSKEY is being used.  What I am still not clear on is whether the “password database” is encrypted if SYSKEY isn’t used.  Is the Password Encryption Key used (supposedly RC4) if SYSKEY isn’t turned on?

 

Just an overall comment about the document for the purposes of a “per-institution” version… the “fill-in-the-blank” areas need to be made more explicitly clear that they need to be filled out so that they actually get filled out, rather than being left “blank.”

 

Don’t forget to add a note on the version history when revisions are ready for broader review! J

Jeff

 

From: [mailto:] On Behalf Of David Walker
Sent: Friday, May 17, 2013 11:32 AM

To:
Subject: Re: [AD-Assurance] RE: Action Items from May 10

 

Eric,

This is good stuff.  As a general comment, I think it's fine for us to disagree with the earlier cookbook group.  I say we go ahead with the changes we feel are appropriate and ask them to review our version when we get to a point where it's reviewable.

Some further comments below...

David

On Fri, 2013-05-17 at 02:02 +0000, Eric Goodman wrote:

• Eric to take a first cut at reviewing the Cookbook and develop recommendations for what to keep, cut, and edit.

 

So this one turned out to be quite a bit more challenging than I expected. (It didn’t help that I didn’t really get started on it until today).

 

My edits were – probably unwisely – made on a second copy of the original cookbook (Called “Working copy of …” rather than just the AD cookbook title).

 

https://spaces.internet2.edu/display/InCAssurance/Working+copy+of+InCommon+Silver+with+Active+Directory+Domain+Services+Cookbook+-+May+2013

 

This resulted in page to be harder to find, without adding any value since Confluence would have saved the original pre-edit version anyway. If I can figure out how to move my copy back into the original one, I’ll do that and delete this alternate copy.

 

 

In any case, some major disagreement between the AD cookbook analysis and the Alternative Means strategies we identified around stored passwords. Specifically, the AD cookbook states that the specification of the use of salt is over-prescriptive and basically states that the entire requirement (of using a salt, or on access encryption) is unnecessary. Therefore there is no clear “stub” for us to note the need of Bitlocker (though the use of Bitlocker is encouraged). This conclusion is largely due to the Cookbook misapplying (in my estimation) the entropy requirements against brute force password guessing to the protection of passwords at rest (see my comments in the doc).

I agree that password entropy and encryption at rest are not interchangeable.  I think we can state that as a disagreement with the earlier group and make our Bitlocker statement.

Because the risk assessments are so out of phase with one another in the area of stored passwords, I didn’t see how to put in our commentary without completely rewriting (and revising) the original AD cookbook suggestions, which I think bears more discussion – or at least we should alert the original group that we disagree – before actually making any edits of that magnitude.

I think we agreed to keep a copy of the 2012 Cookbook.  We should feel free to make any changes we see as needed.  As I said, we can ask for the earlier group's input.

On the other areas, we mostly agreed; I added a couple of comments, but there’s still lots of room for editing what I added. E.g., I say “add some of Jeff’s references here” rather than actually having selected his best references. I’m willing to do that addition as well, I just didn’t get to it at this point.

 

I’d like to see the document better formatted to clarify what sections are background info, what are specific operating configuration recommendations, and what is language to use to assert (non-AM) compliance, but I haven’t quite sussed out how to do that yet. For now, I squeezed in our two main additional differences (Require Bitlocker, require invalidating subjects using insecure authentication protocols), and tagged the base disagreements between the two groups. In the doc, my comments are identified with text inside of <<double angle brackets>>.

 

--- Eric