Meeting the InCommon Assurance profile criteria using Active Directory

[David Walker <>]

Very interesting, Brian, particularly about not recommending FIPS mode.  My reading is that they're saying that FIPS compliance for a complete (Windows) system is very hard, and they don't want to imply that they have (or even can) do all that hard work.  And, besides, you probably aren't required to comply with FIPS, anyway.

As you said, nothing we didn't already know.  I do wonder about future posturing in the compliance area, though, as they seem to be saying not to worry about compliance unless you have to; just trust their code.  Everybody does that, of course, but usually not so publicly.

David

On 04/09/2014 09:59 AM, Brian Arkills wrote:

http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx

http://blogs.technet.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx

 

There’s not anything fundamentally game-changing here, but they are worth checking out, particularly the ‘recommended security baseline settings.docx’ which describes the new security settings that are available. The ‘pass the hash’ settings are of particular interest here, I think. Also possibly the recommended settings to block web browsers on DCs.

 

-B