
ad-assurance - RE: [AD-Assurance] Configuration recommendations

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Configuration recommendations
  • Date: Tue, 1 Oct 2013 17:30:41 +0000
  • Accept-language: en-US

Do we want to say something about the assumptions and interpretations that were made and are documented within the cookbook? 


Also, how about encouraging the community to start reviewing the cookbook with an eye towards gauging how their institution would be able to meet/comply with the configuration recommendations?  So far the cookbook is untested, but it needs a thorough examination from implementers with a fresh perspective and perhaps some with more technical knowledge to point out problems, improvements, or alternate ideas.  I don’t know how many others (who aren’t on our Friday calls) will be on the Wednesday call, but if we could get some volunteers to verbally commit to conducting a review, that might be a good augment to whatever response is generated by emailing for commenters.


By the way, where will the comments and feedback go?  What will be the official channel or mechanism to collect them?  Will we be seeing them as they come in or collectively in 30 days?


-Jeff C.


From: [mailto:] On Behalf Of David Walker
Sent: Tuesday, October 01, 2013 1:13 PM
Cc: Ann West
Subject: Re: [AD-Assurance] Configuration recommendations


I'm good with Eric presenting.  Would it make sense for Ann or me to give a brief "big picture" introduction, then let Eric go into the Cookbook?  We probably don't want to go too deep into details, just comment briefly on the IAP sections we addressed and a quick summary of the mitigation strategies, then let people ask questions about details.

For the big picture, I'd suggest making the following points:

  • Background: The first cookbook and the change from "industry standard" algorithms to "approved."
  • Scope: AD with passwords for authentication, didn't look at MFA as an alternative.
  • Disclaimer: We looked at compliance with the IAP; this wasn't a comprehensive security review of AD.  (There are security issues with AD that we do not address.)

Anything else we'd want to introduce the topic?


On Tue, 2013-10-01 at 15:25 +0000, Eric Goodman wrote:

I'm more worried about others reviewing it. I'm happy with David's edits, but would love to hear that people have given it a technical once over. (I.e., configuration recommendations sections). But assuming silence = "looks good", I'm okay.


Also, I offered but didn't see a response; should I be planning to present on the assurance call or is someone else doing that?


--- Eric

Sent from my iPhone

On Sep 30, 2013, at 8:11 PM, "David Walker" <> wrote:

OK with me. Eric?


Ann West <> wrote:

Hi All,


Just checking if I should make the cookbook and child pages public and open the call for review?





From: David Walker <>
Reply-To: "" <>
Date: Sunday, September 29, 2013 8:40 PM
To: "" <>
Subject: Re: [AD-Assurance] Configuration recommendations



It looked like you were probably finished with the current round of editing, so I made a few more, mostly to make some of the text flow a little better.  I also removed references to compensating controls.  Finally, I created a "monitor and mitigate" page to the wiki, by modifying our earlier alternative means proposal, and linked it into the Cookbook.


On Sat, 2013-09-28 at 06:07 +0000, Eric Goodman wrote:

I think with Jeff's notes, we have instructions to go with most configuration recommendations.

I said I would make a list of the gaps, but I think instead I would like to ask people just to look through the "configuration recommendations" section and double check any statements made about how to configure things to make sure they seem sensical, and if you note any specific instructions that appear to be missing.


--- Eric


