AD Assurance: Notes from 3/1
Next Call: March 8 at Noon ET
- Ann to contact Brian re: MS rep
- Brian to send out background resources
- David to send out information on FIPS and NIST-approved algorithms
- Brian to send out AD components and thoughts about how they map to what's in scope for the profiles.
*Charge: *Determine if there are alternative ways to deploy AD to ensure compliance with InCommon Bronze and Silver. If there are, develop an Alternate Means Proposal for the set of practices identified (which may be some form of the Cookbook) and submit to InCommon for review. If the risks addressed by the profiles cannot be mitigated adequately using AD, develop community and specification recommendations for next steps.
Timeframe: Progress Report Due April 21 in time for discussion in DC with FICAM. May require weekly calls for now until we have our next steps defined, then move to bi-weekly calls.
Membership: Ann to contact Brian about inviting Dean Wells from Microsoft to join us on a few calls.
Resources: email@example.com email list; Assurance Wiki; Other TBD.
Topic Parking Lot:
- Investigate turning on FIPS mode in Windows Server implementations. The previous Cookbook WG did look at this, but worth reviewing again. Ron mentioned that turning this on doesn't affect how Windows manages the password store.
- Multiple AM proposals? Might make more than one AM proposal, depending on the AD technologies addressed. First priority is AD Directory Service.
- Which AD products are in scope? AI – Brian will send out a short summary of the products and first stab at how they map against the IAAF scope.
- What uses case are in scope?
Food for thought for next call
- Are we scoping to Silver or Bronze or both requirements?
- Is the implementation scoped to entire campus pop or a subset?
- What is our tolerance for including a third-party solution as a mitigating control for an area in which AD is deficient?