Meeting the InCommon Assurance profile criteria using Active Directory

[David Walker <>]

I'm good with Eric presenting.  Would it make sense for Ann or me to give a brief "big picture" introduction, then let Eric go into the Cookbook?  We probably don't want to go too deep into details, just comment briefly on the IAP sections we addressed and a quick summary of the mitigation strategies, then let people ask questions about details.

For the big picture, I'd suggest making the following points:

• Background: The first cookbook and the change from "industry standard" algorithms to "approved."
• Scope: AD with passwords for authentication, didn't look at MFA as an alternative.
• Disclaimer: We looked at compliance with the IAP; this wasn't a comprehensive security review of AD.  (There are security issues with AD that we do not address.)

Anything else we'd want to introduce the topic?

David

On Tue, 2013-10-01 at 15:25 +0000, Eric Goodman wrote:
>     I'more worried about others reviewing it. I'm happy with David's edits, but would love to hear that people have given it a technical once over. (I.e., configuration recommendations sections). But assuming silence = "looks good", I'm okay. 
>     
>     
>     Also, I offered but didn't see a response; should I be planning to present on the assurance call or is someone else doing that?
>     
>     
>     --- Eric
>     
>     Sent from my iPhone
>     
>     On Sep 30, 2013, at 8:11 PM, "David Walker" <> wrote:
>     
>     
> >         OK with me. Eric?
> >         
> >         David
> >         
> >     
> >         Ann West <> wrote: 
> >     
> > >             Hi All,
> > >         
> >     
> > >             
> > >             
> > >         
> >     
> > >             Just checking if I should make the cookbook and child pages public and open the call for review?
> > >         
> >     
> > >             
> > >             
> > >         
> >     
> > >             Ann
> > >         
> >     
> > >             
> > >             
> > >         
> >     
> > >             
> > >             
> > >         
> >     
> > >             From: David Walker <>
> > >             Reply-To: "" <>
> > >             Date: Sunday, September 29, 2013 8:40 PM
> > >             To: "" <>
> > >             Subject: Re: [AD-Assurance] Configuration recommendations
> > >             
> > >         
> >     
> > >             
> > >             
> > >         
> >     
> > >             Eric,
> > >             
> > >             It looked like you were probably finished with the current round of editing, so I made a few more, mostly to make some of the text flow a little better.  I also removed references to compensating controls.  Finally, I created a "monitor and mitigate" page to the wiki, by modifying our earlier alternative means proposal, and linked it into the Cookbook.
> > >             
> > >             David
> > >             
> > >             On Sat, 2013-09-28 at 06:07 +0000, Eric Goodman wrote: 
> > > >                 I think with Jeff's notes, we have instructions to go with most configuration recommendations.
> > > >                 
> > > >                 I said I would make a list of the gaps, but I think instead I would like to ask people just to look through the "configuration recommendations" section and double check any statements made about how to configure things to make sure they seem sensical, and if you note any specific instructions that appear to be missing.
> > > >                 
> > > >                 Thanks!
> > > >                 
> > > >                 --- Eric
> > > >                 
> > > >             
> > >             
> > >             
> > >         
> >