The objective of this article is to collect individual comments on the AD Silver Cookbook during the public comment period.
Comments are presented raw with no editing unless needed to "protect the innocent"...
- Make it less scary - start out the introduction with a statement that everything doesn't have to be done at once, and with an estimate of the number of FTE involved over some amount of time to get the changes done.
- Remove "draft" and put a note in at the beginning that says that although no one has been certified using this approach yet, it is a best effort to determine what would need to be done to configure the AD portion of an environment to pass the audit. Once an institution has passed the audit and been certified using this approach, change that wording.
- Note that this is a starting point, but any institutions wishing to assert Silver should undertake to thoroughly understand the IAP and IAAF documents in relation to their own systems, with a broad understanding of the implications for those systems. The cookbook should not be taken as a manual for achieving Silver.
- I think the cookbook is laid out very well with strong consideration for the security risks in AD.
- One suggestion is that there is some mention of the need to change passwords after disabling LM Hashes. As you may already know, disabling LM Hashes in Group Policy only prevents future passwords from being stored this way. Existing passwords/user accounts will not have the LM Hash removed or overwritten until the next password reset. Without being aware of this, new institutions joining the validation program may have a period of 90 days or more (depending on password expiration policy) with remnant LM hashes on their Domain Controllers.
- Add a change log to the end with dates for each version.
- The AD Problem Statement in section 220.127.116.11 Resist Replay Attack states that “Kerberos, NTLMv2 and secure LDAP binds or LDAP binds using SSPI/Kerberos do provide resistance to replay attack.” However the mitigation section gives instruction on how to mitigate NTLMv2. Why would NTLMv2 need to be mitigated if it already provides resistance to that attack? Is that supposed to be NTLMv1?
- Similarly, the AD Problem Statement in section 18.104.22.168 Resist Eavesdropper Attack states “Kerberos, NTLMv2 and secure LDAP binds or LDAP binds using SSPI/Kerberos do provide resistance to eavesdropping or brute force attack.” If we mitigate LM and NTLM1 authentication is that sufficient or do we still need to proceed with one of the two strategies under “All eavesdropper mitigation?”
- Add a scoping statement that says that this is a theoretical approach and must be carefully applied to the AD environment at your institution, taking into consideration all aspects of the IAPs and IAAF, with regard to the specifics of your environment: A big picture of “this is silver for our campus-wide AD” versus “this is silver for this research specific domain”. I think you are going for the former but it’s good to know where you are coming from in this cookbook.
- In 22.214.171.124, the discussion of variable salting (and mitigation for the lack of it) relies on the assertion that a well-known salt does not add to the entropy much, because it is predictable. But adding entropy to the individual hash is not the reason for a variable salt. With a static salt, an attacker in possession of the password database and the salt can attack the entire database simultaneously. With a variable salt, the attacker must try to crack each password individually.