

Subject: Meeting the InCommon Assurance profile criteria using Active Directory


RE: [AD-Assurance] Notes from the 7/12/2013 AD Assurance conference call


  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Notes from the 7/12/2013 AD Assurance conference call
  • Date: Fri, 12 Jul 2013 18:28:27 +0000
  • Accept-language: en-US

David,


Thanks for posting the notes.  Here are some things for everyone to think about.


Would we have any need to either supply or ask Microsoft for some insight on the password strength required to meet the intent of the “impractical” level?   The Microsoft guys might want us to tell them what level of impractical we want.  That would make it easier for them to tell us what will meet that level.  Or, they might tell us with Windows 8/Kerberos FAST armoring and disabling all NTLM that offline cracking would then be impractical.


I also think we may need to make it clear that we want their recommendation(s) to be able to work in an existing Windows AD environment that is at least Server 2008, using username/password, plus any additional “alternative means” necessary to meet the same or better security provided by Silver.  That is, we’re trying to avoid forcing 2-factor to be LOA 2 compliant.


The answers to the questions we have listed would help us decide amongst ourselves based on how Microsoft answers them.  I think we thought they would have an easier time with specific questions rather than theoretical or overly broad questions.   However, I am sure they frequently get asked if their product is “secure”.  We would be asking if it is secure to SP 800-63 Level 2, and/or how to get it there.


The typical way would include turning on the FIPS mode.  But we don’t know that institutions can require everyone to do that, or even if their server admins will be OK with it.  If we get the Microsoft guy on our call to say that is the only way to do it, will that be convincing enough for the recommendation of how to configure AD to meet Silver?  (same thing for BitLocker, Kerberos, turning off LM/NTLM, etc.)


Jeff C.


From: [mailto:] On Behalf Of David Walker
Sent: Friday, July 12, 2013 1:20 PM
To: InCommon AD Assurance Group
Cc: DHW
Subject: [AD-Assurance] Notes from the 7/12/2013 AD Assurance conference call


Everyone,

I've posted quick notes from today's call at https://spaces.internet2.edu/x/SQJkAg .  Please correct anything I got wrong.

Don't forget that Microsoft will join our call in two weeks on Friday, 7/26, at noon EDT.  If there are no outstanding issues, we may cancel next Friday's call; stay tuned.

David




Archive powered by MHonArc 2.6.16.