ad-assurance - RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: Ron Thielen <>
- To: "" <>
- Subject: RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call
- Date: Fri, 4 Oct 2013 23:07:21 +0000
- Accept-language: en-US
I always thought of the requirement to encrypt the password store as belt and suspenders and someone's attempt to mitigate multiple risks in one fell swoop. I'm not sure it adds a lot of value in an enterprise data center environment where, for example, we already maintain FISMA compliance. If the intent is to protect the password store against a hack of the server using it, then you may well have bigger issues.

As Jeff suggests, if your domain controllers are that thoroughly pwned then disk encryption may not help. Likewise, if your physical security is so lax that someone can walk in, physically breach a domain controller, remove a hard drive, and walk out with it unchallenged, you've possibly got bigger issues.

Additionally, all but two of our AD DCs are virtualized, so our stores are on LUNs striped across multiple virtual arrays and intermingled at a block level with data from 100s of other servers. If a drive were stolen, the thief would have the same problem I would have responding to an eDiscovery request to preserve a physical drive. I don't know how to do it. You'd pretty much need to walk out with the whole subsystem, not a drive.

I realize that this is security through obscurity, but it's still a fact. If the issue is you don't want the drives to wind up on eBay after the machine is serviced, that can be addressed by a media destruction policy and appropriate contracts with your vendors. Our media destruction policy requires all data center disks to be checked into a disposal area when removed from service, then checked out when sent for degaussing by our own techs. I audit the policy annually, and we do follow through "clear to its destruction."

It may have some value if your password store is replicated some place outside your control. Then again, you probably have other issues to address in that instance too.

That all said, it's still a requirement and I'm still trying to find a way to address it.

Ron

From: [mailto:] On Behalf Of David Walker
On Fri, 2013-10-04 at 21:19 +0000, Capehart,Jeffrey D wrote:
It seems many of us originally thought the encryption was supposed to protect the password store in case the server got hacked. Do we need to explicitly state that is not the intent of this requirement?

The physical security and other controls (patching, limiting access, etc.) are already required as good practice. And yes, while it would be ideal that a hacker can't steal your password database because it is encrypted, the system has to be able to read it somehow. And if the system can read it, then a hacker who can compromise the system can probably figure out how to do that too. So, from a technology standpoint, it is probably impossible to encrypt the data so that a compromised machine won't expose the passwords. Having terrific physical security would tend to make an IT person think that BitLocker is unnecessary and thus hard to convince to add it "just in case the server is lost/stolen".

That said, it does still seem like we are only requiring BitLocker to meet the "Approved Algorithm" portion. In essence, encrypting the whole disk just to make sure the passwords are encrypted with an approved algorithm. If Microsoft thinks syskey provides the same level of protection (or better) than BitLocker, maybe they could write up the alternative means statement. Somehow, though, I don't think we will be reassured just because the algorithm is not published and therefore is "secure".

-Jeff C.
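An added check, not part of either message above and not something the list itself published: PowerShell that reports whether the volumes holding the AD database (NTDS.dit) and its transaction logs are BitLocker-protected with an AES-based method, which is what the "Approved Algorithm" point in Jeff's note comes down to on a domain controller. Assumptions: it runs elevated on a Windows Server 2012 or later DC with the BitLocker module available; the registry value names are the ones AD DS writes at promotion; the list of acceptable encryption methods is this example's own, not a statement of what the InCommon profile accepts.

```powershell
# Added example: verify that the AD database and log volumes on this DC are
# fully encrypted by BitLocker with an AES-based method and that protection
# is switched on. Exit code 0 = all required volumes pass, 1 = at least one
# does not, so it can run from a scheduled task or a compliance scan.

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntdsKey

# Value names AD DS writes at promotion time; the log path may equal the DIT path.
$paths = @{
    'DIT'  = $params.'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
    'Logs' = $params.'Database log files path'    # e.g. C:\Windows\NTDS
}

# Encryption methods this example treats as acceptable (assumption: AES with a
# 128- or 256-bit key, CBC with diffuser or XTS). Adjust to your profile's list.
$approved = 'Aes128', 'Aes256', 'Aes128Diffuser', 'Aes256Diffuser', 'XtsAes128', 'XtsAes256'

$volumes = Get-BitLockerVolume

$report = foreach ($entry in $paths.GetEnumerator()) {
    if (-not $entry.Value) {
        [pscustomobject]@{ Item = $entry.Key; Path = '(not set)'; Drive = ''; Status = 'registry value missing'; Protector = ''; Ok = $false }
        continue
    }

    # BitLocker reports mount points as "C:", so strip the trailing backslash.
    $drive = [System.IO.Path]::GetPathRoot($entry.Value).TrimEnd('\')
    $vol   = $volumes | Where-Object { $_.MountPoint -eq $drive }

    if (-not $vol) {
        [pscustomobject]@{ Item = $entry.Key; Path = $entry.Value; Drive = $drive; Status = 'no BitLocker volume object'; Protector = ''; Ok = $false }
        continue
    }

    # All three must hold: encryption finished, protectors armed, approved cipher.
    $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
          ($vol.ProtectionStatus -eq 'On') -and
          ($approved -contains [string]$vol.EncryptionMethod)

    [pscustomobject]@{
        Item      = $entry.Key
        Path      = $entry.Value
        Drive     = $drive
        Status    = "$($vol.VolumeStatus)/$($vol.ProtectionStatus)/$($vol.EncryptionMethod)"
        Protector = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        Ok        = $ok
    }
}

$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

The Protector column is included deliberately: a DC that auto-unlocks with a TPM-only protector is exactly the case the thread describes, where the disk is unreadable if carried off but fully readable to anyone who can boot or compromise the running machine, so the output shows what the encryption actually defends against, not just that an approved algorithm is in use.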
- [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, David Walker, 10/04/2013
- RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, Michael W. Brogan, 10/04/2013
- Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, David Walker, 10/04/2013
- RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, Capehart,Jeffrey D, 10/04/2013
- RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, Michael W. Brogan, 10/04/2013
- Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, David Walker, 10/04/2013
- RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, Ron Thielen, 10/04/2013
- RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, Capehart,Jeffrey D, 10/04/2013
- Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, David Walker, 10/04/2013
- RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, Eric Goodman, 10/04/2013
- Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, David Walker, 10/04/2013
- RE: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call, Michael W. Brogan, 10/04/2013