
ad-assurance - RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: Eric Goodman <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call
  • Date: Sat, 28 Sep 2013 00:44:27 +0000
  • Accept-language: en-US

Thanks, Jeff. The LDAP client signing one was still in there. The LAN Man one looks like it was lost. I re-added it.

 

Also added in the AES configuration link.

 

--- Eric

 

From: [mailto:] On Behalf Of Capehart,Jeffrey D
Sent: Friday, September 27, 2013 10:42 AM
To:
Subject: RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call

 

Some info for Eric:

 

4.3.2. Section 4.2.3.6.3 requirements

 

We recommend disabling all domain support of the LM and NTLMv1 protocols -- or at least disable them for InCommon Silver accounts (clarify; is this possible by user-specific policies?), as the security of these protocols has been shown to be weak enough for use to constitute being an unacceptable risk in most usage scenarios. instructions?

 

I think you can create group policies and apply them to the user’s machine.  But, it may be easier to apply it to everyone in the domain.  Also it may be best to apply policies to both the server and the client workstations.

 

Network security: LDAP client signing requirements

http://technet.microsoft.com/en-us/library/jj852173(v=ws.10).aspx

 

Network security: LAN Manager authentication level

http://technet.microsoft.com/en-us/library/cc738867(v=WS.10).aspx

 

Instructions were in original cookbook.

 

 

4.2.1 Section 4.2.3.6.1 requirements

 

For Windows Server 2008 and later, AES is used for Kerberos encryption if properly configured. (We need to add how to make this configuration)

 

Network security: Configure encryption types allowed for Kerberos

http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx

 

The encryption type options include:

• DES_CBC_CRC

• DES_CBC_MD5

• RC4_HMAC_MD5

• AES128_HMAC_SHA1

• AES256_HMAC_SHA1

• Future encryption types

 

As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented.

 

From: [] On Behalf Of David Walker
Sent: Friday, September 27, 2013 1:26 PM
To: InCommon AD Assurance Group
Subject: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call

 

Everyone,

Quick notes from today's call are on the wiki:  https://spaces.internet2.edu/x/zwaRAg .

Ann, I hope you're OK with not being able to forward until Monday afternoon your time.  Scream if you need this sooner.

David
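The three policies linked in the thread above (LAN Manager authentication level, LDAP client signing requirements, Kerberos encryption types) are stored as registry values, so they can be checked per machine. The following is an added example, not part of the original messages or the cookbook: the function names and sample values are constructed, and the targets it checks against (LDAP signing required, AES-only Kerberos) are assumptions about what "properly configured" means here.

```python
# Added example (not from the thread). Sample values below are constructed.
# Registry value names behind the three policies linked in the thread:
#   LmCompatibilityLevel     - "LAN Manager authentication level" (0-5)
#   LDAPClientIntegrity      - "LDAP client signing requirements" (0-2)
#   SupportedEncryptionTypes - "Configure encryption types allowed for Kerberos"

ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_HMAC_SHA1",
    0x10: "AES256_HMAC_SHA1",
}
FUTURE_MASK = 0x7FFFFFE0          # "Future encryption types"
AES_MASK = 0x08 | 0x10
NON_AES_MASK = 0x01 | 0x02 | 0x04

def decode_etypes(value):
    """Expand the SupportedEncryptionTypes bitmask into option names."""
    names = [name for bit, name in sorted(ETYPE_BITS.items()) if value & bit]
    if value & FUTURE_MASK:
        names.append("Future encryption types")
    return names

def audit(settings):
    """Return findings for one machine's values; an empty list means none."""
    findings = []
    lm = settings.get("LmCompatibilityLevel")
    if lm != 5:  # 5 = send NTLMv2 response only, refuse LM and NTLM (v1)
        findings.append(f"LmCompatibilityLevel={lm}: LM/NTLMv1 not refused")
    # Assumption: the target is 2 (require signing); 0 = none, 1 = negotiate.
    ldap = settings.get("LDAPClientIntegrity")
    if ldap != 2:
        findings.append(f"LDAPClientIntegrity={ldap}: signing not required")
    etypes = settings.get("SupportedEncryptionTypes")
    if etypes is None:
        findings.append("SupportedEncryptionTypes not set: OS defaults apply")
    elif not etypes & AES_MASK:
        findings.append("Kerberos: no AES type allowed")
    elif etypes & NON_AES_MASK:  # assumption: AES-only is the goal
        allowed = ", ".join(decode_etypes(etypes & NON_AES_MASK))
        findings.append(f"Kerberos: non-AES types still allowed ({allowed})")
    return findings

# Constructed samples: a hardened host and one with default-like values.
HARDENED = {"LmCompatibilityLevel": 5, "LDAPClientIntegrity": 2,
            "SupportedEncryptionTypes": 0x7FFFFFF8}
LEGACY = {"LmCompatibilityLevel": 3, "LDAPClientIntegrity": 1,
          "SupportedEncryptionTypes": 0x1F}

if __name__ == "__main__":
    for name, host in (("HARDENED", HARDENED), ("LEGACY", LEGACY)):
        print(name, audit(host) or "no findings")
```

On a real host the three values would be read from the registry or from a Group Policy results export and passed to `audit()` as a dict.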



