
assurance - RE: [Assurance] AD Cookbook questions

  • From: "Roy, Nicholas S" <>
  • To: John Krabacher <>, "" <>, "" <>
  • Subject: RE: [Assurance] AD Cookbook questions
  • Date: Wed, 8 Feb 2012 22:29:58 +0000
  • Accept-language: en-US

Thanks John,

 

I’ve posted your feedback to the assurance-adsilver list and the wiki entry we’re using to collect feedback: https://spaces.internet2.edu/display/InCAssurance/AD+Silver+Cookbook+-+Public+Comments+on+Jan+2012+Draft.  We’re having a conference call for this effort on February 16th from 10-11 a.m. central time, if you’re interested in attending.  We’ll be discussing the feedback we have collected.  I’ll post conference call details as we get closer to the call time.

 

Best,

 

Nick

------------

Nicholas Roy – Identity Architect

The University of Iowa | Information Technology Services | Directory and Authentication

 

From: [mailto:] On Behalf Of John Krabacher
Sent: Wednesday, February 08, 2012 10:59 AM
To: ''
Subject: [Assurance] AD Cookbook questions

 

From John Krabacher, U of Chicago:

 

Hello,

 

I’ve been reviewing the cookbook and I have some questions. I’ll admit that I haven’t been keeping up with all of the discussions that have taken place over this mailing list, so if any of these have been answered before, I apologize.

 

The AD Problem Statement in section 4.2.5.1 Resist Replay Attack states that “Kerberos, NTLMv2 and secure LDAP binds or LDAP binds using SSPI/Kerberos do provide resistance to replay attack.” However, the mitigation section gives instruction on how to mitigate NTLMv2. Why would NTLMv2 need to be mitigated if it already provides resistance to that attack? Is that supposed to be NTLMv1?

 

Similarly, the AD Problem Statement in section 4.2.5.2 Resist Eavesdropper Attack states “Kerberos, NTLMv2 and secure LDAP binds or LDAP binds using SSPI/Kerberos do provide resistance to eavesdropping or brute force attack.” If we mitigate LM and NTLMv1 authentication, is that sufficient, or do we still need to proceed with one of the two strategies under “All eavesdropper mitigation”?

 

 

Thanks,
John



