Subject: Meeting the InCommon Assurance profile criteria using Active Directory
RE: [AD-Assurance] Unencrypted LDAP to Active Directory
- From: Brian Arkills <>
- To: "" <>
- Subject: RE: [AD-Assurance] Unencrypted LDAP to Active Directory
- Date: Mon, 23 Mar 2015 21:40:18 +0000
- Accept-language: en-US
- Authentication-results: incommon.org; dkim=none (message not signed) header.d=none;
I’m actively working in this space too, Brett, so when I saw your email, it struck a nerve. :)
Having learned a few things from my NTLMv1 mitigation efforts, I planned from the start to put together a toolkit that others could re-use for simple bind mitigation. And if anyone wants early versions of some of the components, I can probably entertain that. I’ve got a PS script (along with the documented perms to automate it) that’ll grab the right events and ship them to a SQL table. I’ve got a simple asp.net web app that can show all the simple binds from the last 30 days for any user that has had a simple bind in the last 30 days. I’ve got a PS script to run on a monthly basis to email users who have had a simple bind in the last 30 days. I also have a PS script that ships daily simple bind metrics to a Graphite server, if you use Graphite.
I’m currently working on a change to my planned toolkit that’ll make it easier to identify the sources of simple binds and target them. That’s one of those ‘gee, I didn’t quite think that through’ things, where we realized that the cause of most of these is poorly configured applications that the end users have no awareness of. Today, I just contacted the top 10 of those, have 7 of them cleaned up already, and am in the process of notifying the owners of the exposed passwords to reset them. :)
Anyhow, my plan has always been to have some running mitigation process around this, where we feed the data we’ve got into some broader process. We’re not to the point of having a broader process, or even close to applying for an assurance level.
I think you are on the right track, though, that those who do send their password in the clear need to lose their assurance level until they reset it.
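The collection step Brian describes (pull the simple-bind events off the domain controllers, then identify the users and the client applications behind them) can be done with built-in Windows event tooling. The following is an added PowerShell example, not Brian's toolkit or any script from the list: it enables the Active Directory "16 LDAP Interface Events" diagnostic so that the DC logs Event ID 2889 for unsigned or cleartext binds, then collects those events from the last 30 days and summarizes them per identity and per client address. The DC names and the output path are placeholders; the order of the event's data fields (client address, identity, binding type) is an assumption to verify against the event XML on your own DCs before relying on it.

```powershell
# Added example (not from the original message): find cleartext LDAP simple binds
# against Active Directory and summarize who is sending them, and from where.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # placeholder DC names
    [int]$Days = 30,
    [string]$ReportPath = 'C:\Reports\simple-binds.csv' # placeholder output path
)

# Step 1 (once per DC, as an administrator): raise the LDAP interface diagnostic
# level to 2. At that level the DC writes Event ID 2889 to the Directory Service
# log for every SASL bind without signing and every simple bind over cleartext.
function Enable-LdapInterfaceEvents {
    param([string]$Computer)
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
                         -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

# Step 2: read the 2889 events for the last N days from one DC.
function Get-SimpleBindEvent {
    param([string]$Computer, [int]$Days)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed field order for 2889: [0] client IP:port, [1] identity the client
            # authenticated as, [2] binding type (0 = simple bind over cleartext,
            # 1 = SASL bind without signing). Check this against the event XML first.
            $ipPort = [string]$_.Properties[0].Value
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                DomainController = $Computer
                ClientIP         = $ipPort -replace ':\d+$', ''   # strip the port, IPv6-safe
                Identity         = [string]$_.Properties[1].Value
                BindingType      = [int]$_.Properties[2].Value
            }
        }
}

# Step 3: keep only cleartext simple binds (binding type 0). Unsigned SASL binds
# (type 1) are worth fixing too, but they do not put the password on the wire,
# so they do not trigger the password reset Brett and Brian are discussing.
$events = foreach ($dc in $DomainControllers) { Get-SimpleBindEvent -Computer $dc -Days $Days }
$cleartext = $events | Where-Object { $_.BindingType -eq 0 }

# Per-identity view: who needs to be contacted, and from which clients.
$byIdentity = $cleartext | Group-Object Identity | ForEach-Object {
    [pscustomobject]@{
        Identity   = $_.Name
        BindCount  = $_.Count
        ClientIPs  = ($_.Group.ClientIP | Sort-Object -Unique) -join ';'
        LastSeen   = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
    }
} | Sort-Object BindCount -Descending

# Per-client view: the misconfigured applications, which usually explain most of the volume.
$byClient = $cleartext | Group-Object ClientIP | ForEach-Object {
    [pscustomobject]@{
        ClientIP      = $_.Name
        BindCount     = $_.Count
        IdentityCount = ($_.Group.Identity | Sort-Object -Unique).Count
    }
} | Sort-Object BindCount -Descending

$byIdentity | Export-Csv -Path $ReportPath -NoTypeInformation
$byClient   | Select-Object -First 10 | Format-Table -AutoSize
```

Run `Enable-LdapInterfaceEvents` once per DC before scheduling the rest; the event volume can be substantial on a busy domain, so the schedule and log size should be checked before the collection is left running. The per-client table is the list of application owners to contact; the per-identity CSV is the input for the monthly user notification and, where a site chooses to do so, for lowering the assurance level of accounts whose password has crossed the wire in the clear until it is reset.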