ad-assurance - Re: [AD-Assurance] Configuration recommendations

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: David Walker <>
  • To: Ann West <>,"" <>
  • Subject: Re: [AD-Assurance] Configuration recommendations
  • Date: Tue, 01 Oct 2013 11:53:24 -0700

Thanks, Ann.

Eric, I suspect the big picture won't require more than a couple of minutes, and I'd suggest leaving at least 7-8 minutes for discussion.


Ann West <> wrote:
+1. It would be great if you could say a few words about the big picture, David, and then pass the baton to Eric. Total presentation/discussion shouldn't exceed 20 minutes tho, so we have time for discussion. 


From: David Walker <>
Date: Tuesday, October 1, 2013 1:12 PM
To: "" <>
Cc: Ann West <>
Subject: Re: [AD-Assurance] Configuration recommendations

I'm good with Eric presenting.  Would it make sense for Ann or me to give a brief "big picture" introduction, then let Eric go into the Cookbook?  We probably don't want to go too deep into details, just comment briefly on the IAP sections we addressed and a quick summary of the mitigation strategies, then let people ask questions about details.

For the big picture, I'd suggest making the following points:

  • Background: The first cookbook and the change from "industry standard" algorithms to "approved."
  • Scope: AD with passwords for authentication, didn't look at MFA as an alternative.
  • Disclaimer: We looked at compliance with the IAP; this wasn't a comprehensive security review of AD.  (There are security issues with AD that we do not address.)

Anything else we'd want to introduce the topic?


On Tue, 2013-10-01 at 15:25 +0000, Eric Goodman wrote:
I'm more worried about others reviewing it. I'm happy with David's edits, but would love to hear that people have given it a technical once over. (I.e., configuration recommendations sections). But assuming silence = "looks good", I'm okay.

Also, I offered but didn't see a response; should I be planning to present on the assurance call or is someone else doing that?

--- Eric

Sent from my iPhone

On Sep 30, 2013, at 8:11 PM, "David Walker" <> wrote:

OK with me. Eric?


Ann West <> wrote:
Hi All,

Just checking if I should make the cookbook and child pages public and open the call for review?


From: David Walker <>
Reply-To: "" <>
Date: Sunday, September 29, 2013 8:40 PM
To: "" <>
Subject: Re: [AD-Assurance] Configuration recommendations


It looked like you were probably finished with the current round of editing, so I made a few more, mostly to make some of the text flow a little better.  I also removed references to compensating controls.  Finally, I created a "monitor and mitigate" page to the wiki, by modifying our earlier alternative means proposal, and linked it into the Cookbook.


On Sat, 2013-09-28 at 06:07 +0000, Eric Goodman wrote:
I think with Jeff's notes, we have instructions to go with most configuration recommendations.

I said I would make a list of the gaps, but I think instead I would like to ask people just to look through the "configuration recommendations" section and double check any statements made about how to configure things to make sure they seem sensical, and if you note any specific instructions that appear to be missing.


--- Eric
