
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call

  • From: Ron Thielen <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call
  • Date: Fri, 4 Oct 2013 23:07:21 +0000
  • Accept-language: en-US

I always thought of the requirement to encrypt the password store as belt and suspenders and someone’s attempt to mitigate multiple risks in one fell swoop.  I’m not sure it adds a lot of value in an enterprise data center environment where, for example, we already maintain FISMA compliance.


If the intent is to protect the password store against a hack of the server using it, then you may well have bigger issues.  As Jeff suggests, if your domain controllers are that thoroughly p’wned then disk encryption may not help.


Likewise, if your physical security is so lax that someone can walk in, physically breach a domain controller, remove a hard drive, and walk out with it unchallenged, you’ve possibly got bigger issues.  Additionally, all but two of our AD DCs are virtualized, so our stores are on LUNs striped across multiple virtual arrays and intermingled at a block level with data from hundreds of other servers.  If a drive were stolen, the thief would have the same problem I would have responding to an eDiscovery request to preserve a physical drive.  I don’t know how to do it.  You’d pretty much need to walk out with the whole subsystem, not a drive.  I realize that this is security through obscurity, but it’s still a fact.


If the issue is that you don’t want the drives to wind up on eBay after the machine is serviced, that can be addressed by a media destruction policy and appropriate contracts with your vendors.  Our media destruction policy requires all data center disks to be checked into a disposal area when removed from service, then checked out when sent for degaussing by our own techs.  I audit the policy annually, and we do follow through “clear to its destruction.”


It may have some value if your password store is replicated some place outside your control.  Then again, you probably have other issues to address in that instance too.


That all said, it’s still a requirement and I’m still trying to find a way to address it.




From: [mailto:] On Behalf Of David Walker
Sent: Friday, October 04, 2013 5:02 PM
Subject: Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call


On Fri, 2013-10-04 at 21:19 +0000, Capehart,Jeffrey D wrote:

It seems many of us originally thought the encryption was supposed to protect the password store in case the server got hacked.  Do we need to explicitly state that is not the intent of this requirement?

Yes, I think so.  I would put it in our interpretation.

The physical security and other controls (patching, limiting access, etc.) are already required as good practice.  And yes, while it would be ideal that a hacker can’t steal your password database because it is encrypted, the system has to be able to read it somehow.  And if the system can read it, then a hacker who can compromise the system can probably figure out how to do that too.  So, from a technology standpoint, it is probably impossible to encrypt the data so that a compromised machine won’t expose the passwords.  Having terrific physical security would tend to make an IT person think that Bitlocker is unnecessary and thus be hard to convince to add it “just in case the server is lost/stolen”.

Exactly.  I suppose, in theory, that good enough physical security would be a compensation for weak storage encryption, but I'd need to see that argument put into practice before I'd agree to it.  It would be necessary, for example, for that physical security to follow the disk clear to its destruction, not just while it was in use.

That said, it does still seem like we are only requiring Bitlocker to meet the “Approved Algorithm” portion.   In essence, encrypting the whole disk just to make sure the passwords are encrypted with an approved algorithm.  If Microsoft thinks syskey provides the same level of protection as (or better than) Bitlocker, maybe they could write up the alternative means statement.  Somehow, though, I don’t think we will be reassured just because the algorithm is not published and therefore is “secure”.

Yeah, I don't think they could make that case successfully.  If they offer, we can let them propose something, but I wouldn't solicit it from them.

-Jeff C.


From: [] On Behalf Of David Walker
Sent: Friday, October 04, 2013 5:06 PM
Subject: Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call


Good point.  I was just quoting Joe, but quiescence is really a non-issue.


On Fri, 2013-10-04 at 20:59 +0000, Michael W. Brogan wrote:

In the notes related to section 4.1.2 I think the threat being addressed is “theft of disks.” The disk encryption control we recommend is effective against theft of disks no matter if the system is quiescent or active. From what we’ve learned there are never decrypted copies of passwords on the disk.




From: [] On Behalf Of David Walker
Sent: Friday, October 04, 2013 10:35 AM
To: InCommon AD Assurance Group
Subject: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call



Quick notes from today's call at .  Please correct my mistakes.
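The thread above settles on full-disk encryption of the domain controllers as the control for the "theft of disks" threat in section 4.1.2 and notes that BitLocker is there to satisfy the "Approved Algorithm" wording.  As an added example (not code from the thread or from the InCommon AD Assurance group), the following PowerShell check reports whether the volumes actually holding the AD database and its log files are fully BitLocker-encrypted with an AES mode and have protection turned on.  The registry value names and the Get-BitLockerVolume cmdlet and its properties are real; the list of accepted modes, the Passes column and the warning text are this example's own choices.  It checks only the disk-theft control the thread discusses, not anything about a compromised DC.

```powershell
# Added example, not code from the thread. Run elevated on a domain controller with the
# BitLocker module (Windows Server 2012 or later). Reports whether the volumes that hold
# NTDS.dit and the AD log files are fully BitLocker-encrypted with an AES mode and have
# protection on; this covers the "theft of disks" control discussed above and nothing more.
Import-Module BitLocker

# The DS database and log locations are published by the NTDS service in the registry.
$ntds  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$paths = @($ntds.'DSA Database file', $ntds.'Database log files path') | Where-Object { $_ }

# All BitLocker AES modes; 'None' or anything unknown fails. (XTS modes exist on 2016+.)
# Which modes count as "approved" for the profile is an assumption of this example.
$aesModes = @('Aes128', 'Aes256', 'Aes128Diffuser', 'Aes256Diffuser', 'XtsAes128', 'XtsAes256')

$results = foreach ($path in $paths) {
    # Reduce "C:\Windows\NTDS\ntds.dit" to the mount point "C:".
    $mount = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')
    $vol   = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop

    # ProtectionStatus 'Off' on an encrypted volume means the protectors are suspended
    # and the volume key sits in the clear on disk, so a stolen drive is still readable.
    $passes = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
              ($vol.ProtectionStatus -eq 'On') -and
              ($aesModes -contains [string]$vol.EncryptionMethod)

    [pscustomobject]@{
        Path             = $path
        Volume           = $mount
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        Passes           = $passes
    }
}

$results | Format-Table -AutoSize
if ($results.Passes -contains $false) {
    Write-Warning 'At least one AD data volume is not protected by BitLocker with an AES mode.'
}
```

The ProtectionStatus test is the part most often missed: a volume that reports FullyEncrypted but has its protectors suspended (for example, left that way after a firmware update) offers no protection against the stolen-disk scenario the thread is trying to address.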



