Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: [AD-Assurance] Updates to AD Cookbook 2013
- Date: Thu, 5 Sep 2013 14:19:43 +0000
- Accept-language: en-US
Thank you for reworking the cookbook. Nice job!
I have copied into this email some of my observations as well as many of your “questions/concerns in Boldface Italics so that maybe we can identify them for future discussion.”
If this seems long, it reflects all the work you did. Hopefully everyone can scan through these and see if anything jumps out.
1. DCß term is used in 3.2 but not defined until section 4.1.1
2. [see] http://support.microsoft.com/kb/832017 for details of the impacts requiring LDAPS has on Windows clients ß KB article doesn’t talk about LDAPS??
3. “impractical” ß Should we have a single definition in the footnotes and refer to it?
4. Should we standardize on “Relevant IAP Section:” to disambiguate the Cookbook numbering from the IAP sections and help minimize the algebra homework look?
[INCLUDED COMMENTS/NOTES FROM COOKBOOK REVISIONS]
LDAP data signing encrypt the data portion of each LDAP packet, including authentication traffic, but if the domain is configured to limit authentication traffic to require signing, it can impact the operation of older or non-Windows clients in an AD DS environment. (?ALSO HOW IS THE DATA ENCRYPTED?IF RC4 OR MD5 it's still not a protected channel?)
 If the IDP login page supports SPNEGO authentication, then authentication secrets used to authenticate a user to a domain WOULD be in scope of this requirement.
AES is used for Kerberos encryption if properly configured. We need to add how to do this configuration
We may need an alternate means statement here to allow SSL/TLS using RC4.
We recommend you disable all domain support of the LM and NTLMv1 protocols instructions?
[4.4. Secure Authentication Traffic Considerations Specific to 18.104.22.168 Resist Replay Attack and Kerberos] Is this still relevant? The replay attack will get you into the DC, but not into the IdP (unless SPNEGO is supported).
[22.214.171.124 Basic Protection of Authentication Secrets (no specific configuration required)]
This is a BRONZE requirement... should it be listed here? If so then we can add it to the list of sections reviewed, above. Otherwise we should remove it.
Kerberos V uses a replay cache to protect against replay attack. When combined with an appropriate account lockout policy, (The start of this sentence is a config statement, not a management assertion. It should be moved up to the config section and "appropriate account lockout policy" should be defined)
I also note that the management assertion language actually has no dependency on the "Time Skew" setting we recommend in the "Config" section; either we need an assertion statement that explains why we are using it, or we state that we are relying on the replay cache and account lockout policy and call it a day)
LDAP data signing, which encrypts the password data need to validate algorithm to see if this is good enough.
So I took a stab at reorganizing the AD Cookbook according to the discussion (at least as I remember it) from last week’s call.
WARNING: Because of the incorporation of the AAC interpretation language, the decision to add separate interpretation language for several sections and the reorganization we discussed (putting Interpretations and Management Assertions in their own sections), the edits ended up being rather more substantial than I expected:
· In many places I changed the interpretation, configuration or management assertion language where it appeared appropriate based on the AAC clarification. This meant I had to make some judgment calls on which items were covered by 126.96.36.199.2 (which we reduced the scope of, per the clarification) and 4.2.5 (which now only requires “impractical to attack” rather than “Protected Channels”).
· Most of the language I used for the Interpretation section came from the AAC clarification email or from the previous analysis we did (the matrix at https://spaces.internet2.edu/x/BA8wAg).
· In making the different sections in the reorg more distinct, I found places where the language was somewhat messy, specifically Sample Management Assertions that actually contained “Interpretation” or “Configuration” text and the like. I tried to “normalize” the sections, but that meant adding or rearranging the text a bit more than I had intended. I don’t believe I added language we haven’t previously discussed, but you might want to double check me.
· In some cases I felt that spelling out the interpretations or management assertions uncovered some new questions or clarifications. In those cases I noted the questions/concerns in Boldface Italics so that maybe we can identify them for future discussion.
· I edited until I ran out of steam (and appeared to have made a complete pass). I have NOT proofread the update, so there’s a good chance that typos and sentence fragments abound. Feel free to point them out and/;or fix them.
· I recognize that the combination of the auto-section numbering and the liberal use of IAP section numbers in headers ended up making the headers and TOC reminiscent of a second year algebra homework set. I may try to clean up later.
· I’d love a better WYSIWYG editor for confluence…
· Thankfully confluence versioning means we won’t have lost the original/previous version of edits.
I wrote up a few notes from today's call. They can be found in the wiki at :
- [AD-Assurance] Updates to AD Cookbook 2013, Capehart,Jeffrey D, 09/05/2013
Archive powered by MHonArc 2.6.16.