ad-assurance - [AD-Assurance] FW: Internet2 A/D Call on Fri July 26th
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Ann West <>
- To: "" <>
- Subject: [AD-Assurance] FW: Internet2 A/D Call on Fri July 26th
- Date: Fri, 26 Jul 2013 16:18:19 +0000
- Accept-language: en-US
Ann West
Assistant Director,
InCommon Assurance and Community
Internet2 based at Michigan Tech
office: +1.906.487.1726
From: Phil West <>
Date: Thursday, July 25, 2013 12:02 PM
To: Ann West <>
Cc: Adrian Wilson <>, Lamont Harrington <>, Chris Irwin <>, Chris Niehaus <>, Bill Hagen <>
Subject: RE: Internet2 A/D Call on Fri July 26th

<dropping some extraneous folks>

Ann,

After reading your feedback – it sounds like these scenarios will spark some great conversation. Learning more about the USE CASES will help me dig for answers that are more tailored to their needs. After a quick read … here are some thoughts:

With regards to Q1a – since it refers to the “Protected Channels within Silver Level Assurance 4.2.3.6.1b” – I am assuming that this question arises from the secured channels between domain controllers running AD-DS? It would be helpful to understand WHAT SERVER VERSIONS are in use – since older server versions have inherent software limitations, as do older CLIENT versions. Is there a baseline that says something like “Silver Assurance requires member institutes to be running a minimum of Windows Server 2008 R2, and clients must be XP SP3 or higher”? We did have some question about NTLMv1, which gave me some concern – given its age and support lifespan. I am just worried that we have such a wide array of versions, and that may cause issues with pushing towards a higher encryption such as AES. Good topic for discussion.

With regards to Q3 – you are seeking to use BitLocker Whole-Disk Encryption on the actual Domain Controller? Would this be used on remote DCs that you are worried about getting stolen somehow? For those instances, using a Read-Only Domain Controller (RODC) on a WS08 Core installation with BitLocker is a suitable scenario. For this situation, would the RODC hardware have a TPM chip, or do they plan to use a BitLocker PIN upon startup? Otherwise, leaving the BitLocker USB key installed sort of defeats the security angle. What happens if a power reset needs to happen, or a remote reboot? If the question stems from trying to ensure that the AD-DS store of credentials is somehow encrypted twice (once by AD-DS, and again by BitLocker) – I don’t believe that is a valid situation. BitLocker would prevent an offline theft of data assets (someone stole the server, ripped out the drives and tried to examine them), but once the DC is booted and running, then the credentials are not doubly-protected by BitLocker. Another good topic for discussion.

As for Q4 – credentials are cached from AD onto a local client device when that user logs into that client device and AD confirms the credentials. That’s what allows a user to log in subsequently, using the AD credentials, even when there is no network connection back to AD. (This is often why, after changing your password in AD, it is best to LOCK and then UNLOCK your Windows machine – that keys the credential cache to happen.) As far as other SERVICES that might have credentials cached – the Windows Azure Active Directory structure supports (excuse the very basic analogy) a “cloud version” of your Active Directory data (the storage mechanism, tree structure and access controls are different – but the idea is similar). This is like the methodology for syncing credentials for Office 365 users. So, YES, there are Services that can be used to store credentials. If the question is more along the lines of – “is Microsoft somehow remembering or storing credential data on other services, like maybe DreamSpark, etc.” – then that actually triggers our PII scenario (personally identifiable information). Details about Microsoft privacy can be obtained at http://privacy.microsoft.com/en-us/default.mspx. Also a great topic for clarification and discussion.

I look forward to joining the call on Friday, along with my colleagues.

-Phil

From: Ann West []

Sounds good Phil. I sent your responses to the AD Assurance group to get the discussion started and have cc'd them on this note as well. (For those of you who are interested in dropping off the thread as we dive down the rabbit hole here, please let me know.)

First, many thanks for your thoughtful responses to our questions. They are a great start for our conversation on Friday. Below are our replies to several of your questions:

Q1a. The group would like to engage you on methodologies we should use in lieu of RC4 to be compliant with the Assurance requirements for existing deployments.

Q3. We are referring to "Bitlocking" the Domain Controller with AD DS to meet the assurance requirement to only have unencrypted passwords when needed.

Q4. The group is more interested in whether credentials in AD DS are replicated/stored by other Microsoft identity management components rather than how they are stored. Having them stored elsewhere is what puts those specific components in scope for the institution's assurance assessment.

Looking forward to our conversation tomorrow.

Best,
Ann

From: Phil West <>

OK, so let’s split this effort. This Friday’s call will be with our core team and your AD Assurance Group – and we’ll plan to schedule a future session with David Turner – which should include John/Nate/Khalil/etc. We’ll “see” you at noon on Friday!

Thanks!
-Phil

From: Ann West []

Phil,

Thanks for your flexibility! I'll forward your responses and questions on to the AD Assurance list and loop folks in. We can further this specific discussion there.

Regarding the time, we have an hour, although if you would like more time, we can arrange that. The issue is getting the right folks on the call for the right topics. I doubt John, Ken, Nate and Khalil were planning to join the AD Assurance discussion since it will be pretty technical and detailed. I'm sure they would be interested in the broader InC/MS and Identity discussion though. So maybe we table the David Turner discussion this Friday and work on setting up a call for that in parallel?

The AD Assurance call information is: Fridays at Noon ET

Best,
Ann
------------
Ann West
Assistant Director, InCommon Assurance and Community
Internet2 based at Michigan Tech
office: +1.906.487.1726

From: Phil West <>

OK, this is great feedback. How much time do we have on this call? If we are shooting for an hour, maybe we can table the David Turner discussion until another session – to be scheduled later? (If we have an extra 30 minutes, then we definitely want to take advantage of David Turner’s availability.)

For the Question List, I think our team has some questions on INTENT and RATIONALE that might help us to understand the predicament facing your customer groups. Maybe we use the time to discuss the answers that I do have, plus gaining more knowledge on the other points that are still outstanding?

Regarding your AD-DS question list, here’s the current list (from https://spaces.internet2.edu/display/InCAssurance/Questions+for+Microsoft) – with commentary and intended discussion points:

Many of these topics cover different pieces of Microsoft technology – so there are a large number of teams that provide pieces of the answers. This list represents the current status, and I hope to have additional details by Friday.

So – let us know about the call length and call-in details.

Thanks!
-Phil

From: Ann West []

Hi Phil,

My apologies, but I thought the call on Friday was specifically about working through the issues around AD-DS being certified for the InCommon Assurance Program (and Federal ICAM Program) and addressing the questions I sent earlier. Exploring the broader priority list for identity and InCommon needs to be discussed for sure, but we would need to get together a different group to do that. Currently, I have the AD Assurance Community working group scheduled to meet with us.

So thinking about your agenda further, do you see Friday's schedule breaking down to, say, discussing AD-DS certification first, seeing how far we get, and then using the remaining time on the bigger identity issues? The AD-DS issue is time critical for us: a number of schools have stopped working on Assurance certification until we can provide guidance on how AD-DS can be made to comply. I think the bigger picture can wait for our next call together.

Thoughts?

Thanks,
Ann
-------
Ann West
Assistant Director, InCommon Assurance and Community
Internet2 based at Michigan Tech
office: +1.906.487.1726

From: Phil West <>

Ann and Crew…

I wanted to confirm that our team will be joining the call on this Friday (7/26) at Noon Eastern time (9am Pacific). I have invited David Turner, who is a Standards PM on the Azure AD Team, to join us. For this initial call with your team, I would like to maximize David’s time by allowing him to explain our current direction on SAML interop testing and support. In addition, with your team and other Internet2 members on the line – it would be great for David to garner feedback and discussion about your priority list for any extensions needed for the InCommon identity platform. David is familiar with the www.incommonfederation.org website, but he is really looking for your input and guidance relative to a prioritization and rationale for items that might lie outside of the SAML standard. Is it possible to get some “pre-work” data from you regarding the priority list and rationale for the InCommon unique requirements? Also, would it be possible to know who will be attending the call from the Internet2 side?

With regards to the list of questions from the AD and O365 fronts, I am working those in parallel, so I will be able to address some of those (we can discuss some and I can forward details via email on others). I am getting help from the Windows Active Directory team, as well as Windows Security. I did want to take advantage of the “LIVE” time with David to really dig into the strategic SAML topic and understand the history and roadmap from the InCommon perspective.

Also – please send us the call logistics (phone numbers, codes, etc.) for the call.

THANKS!!
-Phil

phil west
director of solutions development
office of civic innovation | u.s. public sector | microsoft
425.538.1179

This communication may contain privileged and confidential information. Use, disclosure, or retention of this information is prohibited if you are not the intended recipient. If you have received this message in error, please delete the message from your system. Thank you.
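As an added example (not part of the thread or any participant's message), a PowerShell audit for the two Active Directory settings the Q1a and Q4 exchanges above turn on: which accounts still advertise no AES Kerberos encryption type, i.e. remain on RC4 or DES, and how many domain logons a client caches locally for offline sign-in. It assumes the ActiveDirectory RSAT module on a domain-joined host; the flag values are the documented bits of the msDS-SupportedEncryptionTypes attribute, and the function names are the example's own.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Documented bit flags of msDS-SupportedEncryptionTypes.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128_CTS  = 0x08
    AES256_CTS  = 0x10
}

# Decode a flag value into the names of the encryption types it enables.
function ConvertTo-EncTypeNames {
    param([int]$Value)
    $names = foreach ($kv in $EncTypeFlags.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
    }
    # An unset attribute means the DC's default for that account class applies
    # (assumption: treat it as "not AES" and let an admin review it).
    if (-not $names) { 'not set (domain default applies)' } else { $names -join ',' }
}

# Lists user and computer accounts that do not advertise AES128 or AES256,
# i.e. the accounts that would still negotiate RC4 or DES for Kerberos.
function Get-NonAesKerberosAccounts {
    Get-ADObject -LDAPFilter '(objectClass=user)' `
        -Properties 'msDS-SupportedEncryptionTypes', 'sAMAccountName' |
      ForEach-Object {
        $v = [int]($_.'msDS-SupportedEncryptionTypes')   # $null becomes 0
        if (($v -band 0x18) -eq 0) {
            [pscustomobject]@{
                Account  = $_.sAMAccountName
                EncTypes = ConvertTo-EncTypeNames $v
            }
        }
      }
}

# Number of domain logons Windows caches locally so a user can sign in
# without reaching a DC (Winlogon CachedLogonsCount; Windows default is 10,
# 0 disables caching). Run against each client class in the assessment scope.
function Get-CachedLogonsCount {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount
    }
}

Get-NonAesKerberosAccounts | Format-Table -AutoSize
Get-CachedLogonsCount
```

Accounts reported by the first function are the ones an institution would have to re-key (change the password after enabling AES on the account) before RC4 can be disabled on its domain controllers.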