[Assurance] RE: AD DS Technical Documentation

  • From: "Roy, Nicholas S" <>
  • Subject: [Assurance] RE: AD DS Technical Documentation
  • Date: Thu, 8 Sep 2011 19:59:31 +0000
  • Accept-language: en-US

As far as the “strong nudge” toward Server 2008 forest functional level, I think our Microsoft partner was concerned with security patching and regression testing, primarily, and that’s the same concern that Cynthia notes below.  Right now, the scope section of the document notes that we are only covering certain recent versions of the server OS and forest functional level, but that these same concepts might apply to other functional levels or OSes.  Is that good enough or would people really like to see all reference to forest functional level removed?  I’m not dogmatic either way, but I do see where Microsoft is coming from.  An example from a related context might be that Shibboleth is no longer supported on CentOS/RedHat Enterprise Linux 4.



Scope

This document is intended to aid in configuring Active Directory to meet the requirements of the InCommon Federation's Identity Assurance Profile (IAP) for Silver level of assurance. Software changes can impact the necessary configurations, so for brevity we have limited the scope of recommendations to Active Directory on Windows Server 2008 R2 running in Windows Server 2008 Forest Functional mode. It is likely that similar protections and controls can be used with other versions of the software. This cookbook only addresses the most recent versions of the Windows Server operating system and its Active Directory Domain Services component.


As far as the links and mailing lists that Cynthia and Brian have suggested, do we want to put those in an “Appendix G” for relevant links and sources of information, or would they best fit somewhere else?


Nick


From: [mailto:] On Behalf Of Cynthia Haselton
Sent: Thursday, September 08, 2011 12:39 PM
To:
Subject: [Assurance] RE: AD DS Technical Documentation


I agree that change in the underlying architecture of the server OS doesn’t happen often between versions, but Microsoft does introduce security-related changes from time to time. In fact, there was a change in the number of “cached credentials” stored between 2003 and 2008 ... something I just found out, thanks to the link Brian included in a different email.


Also, the blog Brian mentioned below published a post that is, in essence, an extensive list of AD DS information.  The post is here:

http://blogs.technet.com/b/askds/archive/2010/07/27/post-graduate-ad-studies.aspx

From: [mailto:] On Behalf Of Brian Arkills
Sent: Thursday, September 08, 2011 11:18 AM
To:
Subject: [Assurance] RE: AD DS Technical Documentation


The best resources I have found so far for AD DS technical information are the Microsoft TechNet Planning, Architecture and Deployment guides.  The Operations guides are useful as well.


The design guides for 2008 AD DS can be found here:

AD DS Design Guide

RODC Planning and Deployment

The Operations guide can be found here:

Administering AD DS


[BA] There are a number of other excellent sources of technical information on AD, but those are really good places to start. For more advanced topics and in-depth coverage, among many others, I'd recommend the AD product team's blog:

http://blogs.technet.com/b/askds/

[BA] Other excellent non-documentation resources include two mailing list communities: , focused on Microsoft technologies in the HiEd sector, and , the mailing list where AD DS MVPs and product team members lurk.


I understand that the cookbook will cover only 2008/2008 R2 AD DS, however I’ll include the following links for those who still run 2003 Active Directory Services:

[BA] I wasn't able to make yesterday's call, but on the prior call there was some disagreement about the stance in the AD cookbook because there are lots of folks not running WS2008 or better. A Microsoft participant added that language because they only include those products in their testing matrices (WS2003 is out of standard support from Microsoft), and at the time it was added, one of the problems only had a single solution which required a newer OS (there are now multiple solutions listed for that problem, so that isn't true any longer). As I recall, there wasn't any resolution on the disagreement, but there was strong sentiment that the cookbook should not limit itself to only WS2008 or its value might be perceived as limited. Personally, I think the OS-specific language is silly because the kinds of things we are concerned about haven't changed much across the Microsoft server OSes. So that language might change ... :)


Designing and Deploying Directory Services

The above link is to a page that also contains links to guides for design and deployment of directory-related secure services, including PKI services.

Deploying Network Services

The above link is to a page that contains links to design and deployment guides for IPsec, IAS (Microsoft’s version of RADIUS) and wireless.  The guides contain information on securing the aforementioned services.

Cynthia Haselton

University of Chicago

ITS/DCS

w:  773.702.2963

p:  773.652.0065
