
ad-assurance - Re: [AD-Assurance] a couple relevant blog posts were released monday

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: David Walker <>
  • To:
  • Subject: Re: [AD-Assurance] a couple relevant blog posts were released monday
  • Date: Thu, 10 Apr 2014 17:47:28 -0600

Very interesting, Brian, particularly about not recommending FIPS mode.  My reading is that they're saying that FIPS compliance for a complete (Windows) system is very hard, and they don't want to imply that they have done (or even can do) all that hard work.  And, besides, you probably aren't required to comply with FIPS, anyway.

As you said, nothing we didn't already know.  I do wonder about future posturing in the compliance area, though, as they seem to be saying not to worry about compliance unless you have to; just trust their code.  Everybody does that, of course, but usually not so publicly.

David


On 04/09/2014 09:59 AM, Brian Arkills wrote:

http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

http://blogs.technet.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx

There’s not anything fundamentally game-changing here, but they are worth checking out, particularly the ‘recommended security baseline settings.docx’ which describes the new security settings that are available. The ‘pass the hash’ settings are of particular interest here, I think. Also possibly the recommended settings to block web browsers on DCs.

-B




