
ad-assurance - [AD-Assurance] Re: Internet2 A/D Call on Fri July 26th

Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] Re: Internet2 A/D Call on Fri July 26th


  • From: Ann West <>
  • To: Phil West <>, "" <>
  • Cc: Adrian Wilson <>, Lamont Harrington <>, Chris Irwin <>, Chris Niehaus <>, Bill Hagen <>
  • Subject: [AD-Assurance] Re: Internet2 A/D Call on Fri July 26th
  • Date: Thu, 25 Jul 2013 19:08:52 +0000
  • Accept-language: en-US

Looping in the AD Assurance group.

Ann


From: Phil West <>
Date: Thursday, July 25, 2013 12:02 PM
To: Ann West <>
Cc: Adrian Wilson <>, Lamont Harrington <>, Chris Irwin <>, Chris Niehaus <>, Bill Hagen <>
Subject: RE: Internet2 A/D Call on Fri July 26th

<dropping some extraneous folks>

 

Ann,

 

After reading your feedback – it sounds like these scenarios will spark some great conversation.  Learning more about the USE CASES will help me dig for answers that are more tailored to their needs.

 

After a quick read … here are some thoughts:

 

With regards to Q1a – since it refers to the “Protected Channels within Silver Level Assurance 4.2.3.6.1b” – I am assuming that this question arises from the secured channels between domain controllers running AD-DS?  It would be helpful to understand WHAT SERVER VERSIONS are in use – since older server versions have inherent software limitations, as do older CLIENT versions?  Is there a baseline that says something like “Silver Assurance requires member institutes to be running a minimum of Windows Server 2008 R2, and clients must be XPsp3 or higher”?   We did have some question about NTLMv1, which gave me some corner – given its age and support lifespan.  I am just worried that we have such a wide array of versions, and that may cause issues with pushing towards a higher encryption such as AES.

Good topic for discussion.

 

With regards to Q3 – you are seeking to use BitLocker Whole-Disk Encryption on the actual Domain Controller?   Would this be used on remote DC’s that you are worried about getting stolen somehow?  For those instances, using a Read-Only Domain Controller (RODC) on WS08 Core installation with BitLocker is a suitable scenario.  For this situation, would the RODC hardware have a TPM chip or do they plan to use a BitLocker PIN upon startup?  Otherwise leaving the BitLocker USB Key installed sort of defeats the security angle.  What happens if a power reset needs to happen, or a remote reboot?

If the question stems from trying to ensure that the AD-DS store of credentials is somehow encrypted twice (once by AD-DS, and again by BitLocker) – I don’t believe that is a valid situation.  BitLocker would prevent an offline theft of data assets (someone stole the server, ripped out the drives and tried to examine them), but once the DC is booted and running, then the credentials are not doubly-protected by BitLocker.

Another good topic for discussion.

 

As for Q4 – credentials are cached from AD onto a local client device – when that user logs into that client device and AD confirms the credentials.  That’s what allows a user to log in subsequently, using the AD credentials, even when there is no network connection back to AD.  (This is often why, after changing your password in AD, it is best to LOCK and then UNLOCK your Windows machine – that keys the credential cache to happen.)  As far as other SERVICES that might have credentials cached – the Windows Azure Active Directory structure supports (excuse the very basic analogy) a “cloud version” of your Active Directory data (the storage mechanism, tree structure and access controls are different – but the idea is similar).  This is like the methodology for syncing credentials for Office365 users.  So, YES, there are Services that can be used to store credentials.

If the question is more along the lines of – “is Microsoft somehow remembering or storing credential data on other services, like maybe DreamSpark, etc.” – then that actually triggers our PII scenario (personally identifiable information).  Details about Microsoft privacy can be obtained at http://privacy.microsoft.com/en-us/default.mspx.

Also a great topic for clarification and discussion.

 

 

I look forward to joining the call on Friday, along with my colleagues.

 

-Phil
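Phil's Q1a answer is about moving accounts from RC4 toward AES. In Active Directory the per-account side of that is the msDS-SupportedEncryptionTypes attribute, a bitmask of Kerberos encryption types. The following is an added example, not code from this thread or from Microsoft: it decodes that bitmask for a constructed set of accounts, flags those that still permit RC4 or DES, and computes the AES-only value an administrator would set. The account names and values are invented; the bit assignments are the documented ones.

```python
"""Decode Active Directory's msDS-SupportedEncryptionTypes bitmask and flag
accounts that still allow RC4-HMAC or DES for Kerberos.
Added example; the SAMPLE_ACCOUNTS table below is constructed, not real data."""

# Bit values of the msDS-SupportedEncryptionTypes attribute (documented Kerberos flags).
ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
LEGACY_BITS = 0x01 | 0x02 | 0x04   # DES and RC4: not NIST/FIPS approved
AES_BITS = 0x08 | 0x10             # the two AES etypes


def decode_etypes(mask):
    """Return the names of the encryption types enabled in the mask, lowest bit first."""
    if mask is None:
        return []
    return [name for bit, name in sorted(ETYPE_BITS.items()) if mask & bit]


def assess_account(name, mask):
    """Classify one account as 'aes-only', 'legacy' (RC4/DES still allowed) or 'unset'.

    The remediated_mask keeps any AES bits, adds them if absent, and clears RC4/DES.
    """
    if not mask:
        # No explicit value: the domain's default policy decides, and on older
        # domains that default still includes RC4, so treat it as needing review.
        return {"account": name, "status": "unset", "etypes": [],
                "remediated_mask": AES_BITS}
    status = "legacy" if mask & LEGACY_BITS else "aes-only"
    return {"account": name, "status": status, "etypes": decode_etypes(mask),
            "remediated_mask": (mask & ~LEGACY_BITS) | AES_BITS}


def report(accounts):
    """Return the assessments of every account that is not already AES-only."""
    return [a for a in (assess_account(n, m) for n, m in accounts.items())
            if a["status"] != "aes-only"]


# Constructed sample: account name -> attribute value as read from the directory.
SAMPLE_ACCOUNTS = {
    "jdoe": 0x18,           # AES128 + AES256 only
    "svc-legacyapp": 0x1C,  # RC4 + AES128 + AES256
    "oldprinter": 0x04,     # RC4 only
    "newhire": None,        # attribute never set
}

if __name__ == "__main__":
    for f in report(SAMPLE_ACCOUNTS):
        print(f"{f['account']}: {f['status']} {f['etypes']} -> set 0x{f['remediated_mask']:x}")
```

One caveat a practitioner would want alongside this check: setting the attribute does not by itself give an account AES keys. Kerberos keys are derived from the password when it is set, so an account whose password predates AES support in the domain has no AES key until the password is changed, and a service ticket for it will still fall back to whatever the KDC and client can agree on.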
From: Ann West []
Sent: Thursday, July 25, 2013 12:00 PM
To: Phil West; John Krienke; Ken Klingenstein; Nate Klingenstein; Khalil Yazdi
Cc: David Turner; Adrian Wilson; Lamont Harrington; Chris Irwin; Chris Niehaus; Bill Hagen;
Subject: Re: Internet2 A/D Call on Fri July 26th

 

Sounds good Phil.

 

I sent your responses to the AD Assurance group to get the discussion started and have cc'd them on this note as well. (For those of you who are interested in dropping off the thread as we dive down the rabbit hole here, please let me know.) 

 

First, many thanks for your thoughtful responses to our questions. They are a great start for our conversation on Friday. Below are our replies to several of your questions:

 

Q1a. The group would like to engage you on methodologies we should use in lieu of RC4 to be compliant with the Assurance requirements for existing deployments.

 

Q3. We are referring to "Bitlocking" the Domain Controller with AD DS to meet the assurance requirement to only unencrypted passwords when needed. 

 

Q4. The group is more interested in whether credentials in AD DS are replicated/stored by other Microsoft identity management components rather than how they are stored. Having them stored elsewhere is what puts those specific components in scope for the institution's assurance assessment.

 

Looking forward to our conversation tomorrow.

 

Best,

Ann
From: Phil West <>
Date: Tuesday, July 23, 2013 8:01 AM
To: Ann West <>, John Krienke <>, Ken Klingenstein <>, Nate Klingenstein <>, Khalil Yazdi <>
Cc: David Turner <>, Adrian Wilson <>, Lamont Harrington <>, Chris Irwin <>, Chris Niehaus <>, Bill Hagen <>
Subject: RE: Internet2 A/D Call on Fri July 26th

 

OK, so let’s split this effort.

 

This Friday’s call will be with our core team and your AD Assurance Group – and we’ll plan to schedule a future session with David Turner – which should include John/Nate/Khalil/etc.

 

We’ll “see” you at noon on Friday!

 

Thanks!

-Phil
From: Ann West []
Sent: Tuesday, July 23, 2013 10:54 AM
To: Phil West; John Krienke; Ken Klingenstein; Nate Klingenstein; Khalil Yazdi
Cc: David Turner; Adrian Wilson; Lamont Harrington; Chris Irwin; Chris Niehaus; Bill Hagen
Subject: Re: Internet2 A/D Call on Fri July 26th

 

Phil,

 

Thanks for your flexibility!

 

I'll forward your responses and questions on to the AD Assurance list and loop folks in. We can further this specific discussion there.

 

Regarding the time, we have an hour, although if you would like more time, we can arrange that. The issue is getting the right folks on the call for the right topics. I doubt John, Ken, Nate and Khalil were planning to join the AD Assurance discussion since it will be pretty technical and detailed. I'm sure they would be interested in the broader InC/MS and Identity discussion though. So maybe we table the David Turner discussion this Friday and work on setting up a call for that in parallel? 

 

The AD Assurance call information is:

Fridays at Noon ET
+1-734-615-7474 
+1-866-411-0013
PIN: 0195240#

 

Best,

Ann

 

------------

Ann West

Assistant Director,

InCommon Assurance and Community

Internet2 based at Michigan Tech

 

office: +1.906.487.1726 

 

From: Phil West <>
Date: Tuesday, July 23, 2013 7:16 AM
To: Ann West <>, John Krienke <>, Ken Klingenstein <>, Nate Klingenstein <>, Khalil Yazdi <>
Cc: David Turner <>, Adrian Wilson <>, Lamont Harrington <>, Chris Irwin <>, Chris Niehaus <>, Bill Hagen <>
Subject: RE: Internet2 A/D Call on Fri July 26th

 

OK, this is great feedback.

 

How much time do we have on this call?

 

If we are shooting for an hour, maybe we can table the David Turner discussion until another session – to be scheduled later?  (If we have an extra 30 minutes, then we definitely want to take advantage of David Turner’s availability.)

 

For the Question List, I think our team has some questions on INTENT and RATIONALE that might help us to understand the predicament facing your customer groups.  Maybe we use the time to discuss the answers that I do have, plus gaining more knowledge on the other points that are still outstanding?

 

Regarding your AD-DS question list, here’s the current list (from https://spaces.internet2.edu/display/InCAssurance/Questions+for+Microsoft)  – with commentary and intended discussion points:

 

  1. Protected Channels - IAP 4.2.3.6.1b - Gaps
    1. RC4 HMAC encryption is not NIST or FIPS approved, and we would like to determine if it's comparable to those methodologies that are.  Can you help with this? (See http://www.incommon.org/assurance/alternativemeans.html for the criteria we will consider.)  RC4 HMAC is not considered a suitable encryption method moving forward, and its use within future deliverables is not practical.  Per Microsoft Crypto Standard Procedures, stream ciphers such as RC4 HMAC should be replaced with block ciphers such as AES with a minimum key length of 128 bits.
    2. Currently, it is not very practical to crack RC4 HMAC, even though it has long-known vulnerabilities.  If that were to change (e.g., a simple crack program posted on the Internet), does Microsoft have a response procedure for such compromises? How will this procedure protect Microsoft's customers that may be operating at LoA-2 via an alternate means exception?  Microsoft operates a vulnerability reporting mechanism via the Microsoft Security Response Center (MSRC).  This website documents the methodology of reporting, tracking and responding to any such vulnerability.
    1. What encryption algorithms does Windows Secure Channel use?  Based upon the user’s settings, the ALG_ID can be assigned to include settings such as 3DES, two-key 3DES @ 112bits, AES, AES @ 128bits, AES @ 192bits, AES @ 256bits, mutually-agreed algorithm via Diffie-Hellman, etc.  More details on algorithm choices @ http://msdn.microsoft.com/en-us/library/windows/desktop/aa375549(v=vs.85).aspx. Note that of these, only AES is considered strong and is approved. Also, if your definition of “encryption” for this question extends to asymmetric encryption/key exchange, SChannel also supports RSA, DH and ECDH. All of these are SDL-approved.
    1. What's the impact of turning on the FIPS setting on all Domain Clients? What's the impact on Domain Controllers?  [INVESTIGATING]
    2. As NIST has observed, the initial key used by Kerberos is typically encrypted only by the user's password, which enables brute force attacks against the password.  Does AD have mitigation for this?  Does NTLMv2 also have this vulnerability?  [NEWLY ADDED QUESTION, INVESTIGATING]
      1. For reference to this issue see NIST 800-63-1, the following sections: 
        1. Section 3: The definition of Kerberos on page 10, calling out known vulnerabilities against offline attacks
        2. Section 8.2.2, Footnote #26, which defines criteria for "impractical" eavesdropping attacks
        3. Section 9.3.2.2, describing that "...the use of Kerberos keys derived from user generated passwords is not permitted at Level 2 or above."
  1. What should one do to enable distinguishing between NTLM v1 and v2 in the logs? We would like to downgrade a user's assurance level if they access a service that employs NTLM v1.  To generalize, we're looking to detect the overall technical context of the authentication event: protocol, encryption algorithm, tunnel, client platform options, etc.  Is this information available?  [Escalated to Windows Security Product Team]
  2. When BitLocker full disk encryption is used are disk sectors decrypted only as they are read? What is the recommended/supported BitLocker configuration for use with AD-DS?  Need to understand further details on the background of this question, but – as a prescriptive aid, sectors are decrypted in memory as they are accessed via the BitLocker layer, and encrypted as they are written back to disk.  There is no wholesale decryption in practice.  Reference for BL and AD:  http://technet.microsoft.com/en-us/library/cc766015(v=ws.10).aspx
  3. Does Syskey use NIST/FIPS Approved Algorithms for encryption?  SYSKEY used a 128-bit RC4 key.  I have escalated this question to Windows Security to get an up-to-date answer regarding the underlying algorithms used.  [INVESTIGATING]
  4. Are AD-DS password credentials replicated and stored by other Microsoft identity management components, such as ADFS or Azure services?  If so, what are those components?  Is this question relative to using the DirSync routine to replicate on-premises data to the cloud?  If so, then DirSync does replicate newly-created identities and credentials for use by services such as Office 365.
  5. Does Microsoft have a strategy for supporting compliance with the Federal Identity, Credential, and Access Management (FICAM) requirements at LoA-2, perhaps through Microsoft's partnership with the Kantara Initiative? If so, what is the time frame?  [INVESTIGATING]
  6. Does Microsoft have a strategy for AD integration of non-Windows and old-Windows client platforms that will use NIST/FIPS approved algorithms for transport of passwords over a network? If so, what is the time frame?  [INVESTIGATING]  Note:  many questions about older editions of Windows must be escalated to the Support team, as the Engineering teams no longer work on these releases.
  7. Is it possible to configure AD so that the NetUserChangePassword and NetUserSetInfo protocols require NIST approved algorithms for encrypting the session over which the password data is passed?  [INVESTIGATING]
  8. Reviewing "IAP Requirements and Gaps for Active Directory Domain Services" overall, are there other issues we should address?  [INVESTIGATING]

 

 

Many of these topics cover different pieces of Microsoft technology – so there are a large number of teams that provide pieces of the answers.

 

This list represents the current status, and I hope to have additional details by Friday.

 

 

So – let us know about the call length and call-in details.

 

Thanks!

-Phil
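The question list above asks how to tell NTLM v1 from v2 in the logs and, more generally, how to recover the protocol and cipher of an authentication event so that a user's assurance level can be downgraded. The following is an added example and not code from this thread or from Microsoft. It classifies a constructed set of Windows Security events: logon event 4624 carries the authentication package and, for NTLM, the "Package Name" (LM, NTLM V1 or NTLM V2); a Kerberos logon in 4624 does not carry the cipher, which only appears as the "Ticket Encryption Type" in the KDC's 4768/4769 events. The events are flattened to one key=value line each for readability; real exports are multi-line and would be read with the event log APIs. The user names, hosts and the downgrade policy are invented.

```python
"""Classify sample Windows Security events by authentication protocol and
cipher, as a basis for downgrading assurance on NTLMv1 or RC4 Kerberos use.
Added example; SAMPLE_EVENTS is constructed, not a real log export."""
import re

# Kerberos encryption type numbers as shown in the 4768/4769
# "Ticket Encryption Type" field (RFC 3961 / RFC 4757 assignments).
KERBEROS_ETYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
APPROVED_ETYPES = {0x11, 0x12}  # the AES types are the only NIST-approved ones here

# Constructed events, one per line, field names mirroring 4624 and 4769.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jdoe AuthenticationPackage=NTLM PackageName=NTLM V2 KeyLength=128",
    "EventID=4624 TargetUserName=oldscanner AuthenticationPackage=NTLM PackageName=NTLM V1 KeyLength=128",
    "EventID=4624 TargetUserName=asmith AuthenticationPackage=Kerberos PackageName=- KeyLength=0",
    "EventID=4769 TargetUserName=asmith@EXAMPLE.EDU ServiceName=cifs/fs1 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=jdoe@EXAMPLE.EDU ServiceName=http/legacyapp TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=svc-old@EXAMPLE.EDU ServiceName=ldap/dc1 TicketEncryptionType=0x3",
]


def parse_event(line):
    """Turn 'Key=value with spaces Key2=value' into a dict (values may contain spaces)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def classify(event):
    """Return user, protocol, algorithm and a verdict: 'ok', 'downgrade' or 'indeterminate'."""
    user = event.get("TargetUserName", "").split("@")[0]
    eid = event.get("EventID")
    if eid == "4624":
        package = event.get("AuthenticationPackage")
        if package == "NTLM":
            name = event.get("PackageName", "")
            if name == "NTLM V2":
                return {"user": user, "protocol": "NTLM", "algorithm": "NTLMv2", "verdict": "ok"}
            if name in ("NTLM V1", "LM"):
                return {"user": user, "protocol": "NTLM", "algorithm": name, "verdict": "downgrade"}
            return {"user": user, "protocol": "NTLM", "algorithm": name, "verdict": "indeterminate"}
        # A Kerberos logon event names the package but not the ticket cipher.
        return {"user": user, "protocol": package, "algorithm": None, "verdict": "indeterminate"}
    if eid == "4769":
        etype = int(event["TicketEncryptionType"], 16)
        algorithm = KERBEROS_ETYPES.get(etype, f"unknown(0x{etype:x})")
        verdict = "ok" if etype in APPROVED_ETYPES else "downgrade"
        return {"user": user, "protocol": "Kerberos", "algorithm": algorithm, "verdict": verdict}
    return None


def downgrade_candidates(lines):
    """Users who authenticated with NTLMv1/LM or a non-AES Kerberos ticket, sorted."""
    users = set()
    for line in lines:
        result = classify(parse_event(line))
        if result and result["verdict"] == "downgrade":
            users.add(result["user"])
    return sorted(users)


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(classify(parse_event(line)))
    print("downgrade:", downgrade_candidates(SAMPLE_EVENTS))
```

The split between the two event types is the point to carry away: NTLM version is decided at the host that logged the logon, while the Kerberos cipher is decided at the KDC, so both the domain controllers' 4768/4769 events and the member servers' 4624 events have to be collected before an assurance decision can be made per user.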
From: Ann West []
Sent: Tuesday, July 23, 2013 9:52 AM
To: Phil West; John Krienke; Ken Klingenstein; Nate Klingenstein; Khalil Yazdi
Cc: David Turner; Adrian Wilson; Lamont Harrington; Chris Irwin; Chris Niehaus; Bill Hagen
Subject: Re: Internet2 A/D Call on Fri July 26th

 

Hi Phil,

 

My apologies, but I thought the call on Friday was specifically about working through the issues around AD-DS being certified for the InCommon Assurance Program (and Federal ICAM Program) and addressing the questions I sent earlier. Exploring the broader priority list for identity and InCommon needs to be discussed for sure, but we would need to get together a different group to do that. Currently, I have the AD Assurance Community working group scheduled to meet with us.

 

So thinking about your agenda further, do you see Friday's schedule breaking down to, say, discussing AD-DS certification first, seeing how far we get, and then using the remaining time on the bigger identity issues? The AD-DS issue is time critical for us: a number of schools have stopped working on Assurance certification until we can provide guidance on how AD-DS can be made to comply. I think the bigger picture can wait for our next call together.

 

Thoughts?

 

Thanks,

Ann

 

-------

Ann West

Assistant Director,

InCommon Assurance and Community

Internet2 based at Michigan Tech

 

office: +1.906.487.1726 

 

From: Phil West <>
Date: Monday, July 22, 2013 12:59 PM
To: Ann West <>, John Krienke <>, Ken Klingenstein <>, Nate Klingenstein <>, Khalil Yazdi <>
Cc: David Turner <>, Adrian Wilson <>, Lamont Harrington <>, Chris Irwin <>, Chris Niehaus <>, Bill Hagen <>
Subject: Internet2 A/D Call on Fri July 26th

 

Ann and Crew…

 

I wanted to confirm that our team will be joining the call on this Friday (7/26) at Noon Eastern time (9am Pacific).

 

I have invited David Turner, who is a Standards PM on the Azure AD Team to join us.

 

For this initial call with your team, I would like to maximize David’s time by allowing him to explain our current direction on SAML interop testing and support.  In addition, with your team and other Internet2 members on the line – it would be great for David to garner feedback and discussion about your priority list for any extensions needed for the InCommon identity platform.  David is familiar with the www.incommonfederation.org website, but he is really looking for your input and guidance relative to a prioritization and rationale for items that might lie outside of the SAML standard.

 

Is it possible to get some “pre-work” data from you regarding the priority list and rationale for the InCommon unique requirements?  Also, would it be possible to know who will be attending the call from the Internet2 side?

 

 

With regards to the list of questions from the AD and O365 fronts, I am working those in parallel, so I will be able to address some of those (we can discuss some and I can forward details via email on others).  I am getting help from the Windows Active Directory team, as well as Windows Security.

 

 

I did want to take advantage of the “LIVE” time with David to really dig into the strategic SAML topic and understand the history and roadmap from the InCommon perspective.

 

Also – please send us the call logistics (phone numbers, codes, etc.) for the call.

 

THANKS!!

-Phil
phil west  : :  director of solutions development  : :  office of civic innovation  : :  u.s. public sector  : :  microsoft  : :  425.538.1179