ad-assurance - RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Eric Goodman
- Subject: RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call
- Date: Sat, 28 Sep 2013 00:44:27 +0000
- Accept-language: en-US
Thanks, Jeff. The LDAP client signing one was still in there. The LAN Man one looks like it was lost. I re-added it. Also added in the AES configuration link.

--- Eric

On Behalf Of Capehart,Jeffrey D

Some info for Eric:

4.3.2. Section 4.2.3.6.3 requirements

We recommend disabling all domain support of the LM and NTLMv1 protocols -- or at least disable them for InCommon Silver accounts (clarify; is this possible by user-specific policies?), as the security of these protocols has been shown to be weak enough for use to constitute being an unacceptable risk in most usage scenarios.

instructions?

I think you can create group policies and apply them to the user’s machine. But, it may be easier to apply it to everyone in the domain. Also it may be best to apply policies to both the server and the client workstations.

Network security: LDAP client signing requirements
http://technet.microsoft.com/en-us/library/jj852173(v=ws.10).aspx

Network security: LAN Manager authentication level
http://technet.microsoft.com/en-us/library/cc738867(v=WS.10).aspx

Instructions were in original cookbook.

4.2.1 Section 4.2.3.6.1 requirements

For Windows Server 2008 and later, AES is used for Kerberos encryption if properly configured. (We need to add how to make this configuration)

Network security: Configure encryption types allowed for Kerberos
http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx

The encryption type options include:
• DES_CBC_CRC
• DES_CBC_MD5
• RC4_HMAC_MD5
• AES128_HMAC_SHA1
• AES256_HMAC_SHA1
• Future encryption types
  As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented.

On Behalf Of David Walker

Everyone,
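
An added example, not part of the thread or the cookbook: a small audit that checks the three policies linked above (LAN Manager authentication level, LDAP client signing, Kerberos encryption types) using the registry values those policies write, and decodes the Kerberos bitmask into the option names listed in the message. The host names and values are constructed, and the targets it checks against (level 5, signing required, AES only) are this example's assumption about what the recommendations mean in practice.

```python
# Added example, not from the thread. Bit values are Microsoft's documented ones
# for SupportedEncryptionTypes; host names and values below are constructed.
KERB_BITS = {0x01: "DES_CBC_CRC", 0x02: "DES_CBC_MD5", 0x04: "RC4_HMAC_MD5",
             0x08: "AES128_HMAC_SHA1", 0x10: "AES256_HMAC_SHA1"}
FUTURE_MASK = 0x7FFFFFE0  # the "Future encryption types" option
AES_MASK = 0x18

def decode_kerberos_etypes(mask):
    """Names of the encryption types enabled in a SupportedEncryptionTypes mask."""
    names = [name for bit, name in KERB_BITS.items() if mask & bit]
    if mask & FUTURE_MASK:
        names.append("Future encryption types")
    return names

def audit_host(values):
    """Return findings for one host; `values` maps registry value name -> int."""
    findings = []
    lm = values.get("LmCompatibilityLevel")
    if lm is None:
        findings.append("LmCompatibilityLevel not configured; OS default applies")
    elif lm < 3:
        findings.append(f"LmCompatibilityLevel={lm}: client may send LM/NTLMv1")
    elif lm < 5:
        findings.append(f"LmCompatibilityLevel={lm}: NTLMv1 is not refused")
    ldap = values.get("LDAPClientIntegrity")
    if ldap is None:
        findings.append("LDAPClientIntegrity not configured; OS default applies")
    elif ldap < 2:  # 0 = none, 1 = negotiate signing, 2 = require signing
        findings.append(f"LDAPClientIntegrity={ldap}: signing is not required")
    etypes = values.get("SupportedEncryptionTypes")
    if etypes is None:
        findings.append("SupportedEncryptionTypes not configured; OS default applies")
    else:
        non_aes = [n for n in decode_kerberos_etypes(etypes)
                   if n.startswith(("DES", "RC4"))]
        if non_aes:
            findings.append("Kerberos allows non-AES types: " + ", ".join(non_aes))
        if not etypes & AES_MASK:
            findings.append("Kerberos has no AES type enabled")
    return findings

HOSTS = {  # constructed sample data
    "dc01": {"LmCompatibilityLevel": 5, "LDAPClientIntegrity": 2,
             "SupportedEncryptionTypes": 0x7FFFFFF8},
    "ws17": {"LmCompatibilityLevel": 2, "LDAPClientIntegrity": 1,
             "SupportedEncryptionTypes": 0x1C},
}

if __name__ == "__main__":
    for host, values in HOSTS.items():
        print(host, audit_host(values) or "meets the example's targets")
```

The "refuse" half of the LAN Manager level applies to machines accepting authentication, which is why the message suggests applying the policy to servers as well as client workstations.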
- [AD-Assurance] Notes from the 9/27/2013 AD Assurance call, David Walker, 09/27/2013
- RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call, Capehart,Jeffrey D, 09/27/2013
- RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call, Eric Goodman, 09/27/2013
- Re: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call, Ann West, 09/27/2013
- RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call, Eric Goodman, 09/27/2013
- RE: [AD-Assurance] Notes from the 9/27/2013 AD Assurance call, Capehart,Jeffrey D, 09/27/2013