AD-Assurance Notes from March 22
Mark Rank, UCSF
David Walker, InCommon/Internet2
Michael Brogan, UWash
Jeff Capehart, UFL
Ron Thielen, UChicago
Lee Amenya, UCSD
Jeff Whitworth, UNC-Greensboro
Eric Goodman, UCOP
Ann West, InCommon/Internet2
March 29 at Noon ET
Agenda: Ron's AM, updates to AIs and impacts on the matrix, next matrix criteria
Ann will work with Debbie Bucci (NIH) to set up calls with Federal Agencies that have certified IdPs.
Ron will upload BitLocker information to the wiki.
Lee will check into recommendations for AD password store replication.
Mark to fill in 126.96.36.199.2 and 3.
Michael to update the existing rows to reflect today's discussion.
Eric to fill in 188.8.131.52, 184.108.40.206, 220.127.116.11.1 and review if there are other gaps besides protected channels.
Ron would like a peer review of his Alternative Means document on the wiki. We'll include this on the agenda of the next call, but folks are encouraged to comment in email.
18.104.22.168 Stored Authn Secrets (S)
Only one of the three password storage alternatives needs to be addressed.
[AI] Ron will upload BitLocker information to the wiki.
- Decrypts sectors as they are read, which meets the requirement that secrets are only decrypted when immediately needed for authn.
- Can optionally use AES-256, which is an approved algorithm.
Could also use FIPS 140-2 encrypted hard drives.
22.214.171.124 Basic Protection of Authn Secrets
- There are tools to access the file, but the admin can't just peruse the file. No gaps.
- Enable signed LDAP connections. Disable LDAP if you can't support an encrypted channel. This option poses a problem for Mac, Samba, and Linux clients, as mentioned in the Cookbook.
- Ron's AM - Network monitoring for signed LDAP binds.
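As an added example (not from the notes or the Cookbook) of checking one DC for the signed-LDAP setting and for the unsigned binds that Ron's monitoring idea would watch for; it assumes the standard NTDS registry paths and that Event 2889 lists the client address before the identity:

```powershell
# Added example: run on a domain controller (elevated). Not part of the meeting notes.
# Assumes the standard NTDS registry paths and the 'Directory Service' event log.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# 1. Server-side policy. LDAPServerIntegrity = 2 means "Require signing";
#    any other value means unsigned SASL binds are still accepted.
$integrity = (Get-ItemProperty -Path "$ntds\Parameters" -Name LDAPServerIntegrity `
              -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($integrity -eq 2) { 'LDAP server signing: REQUIRED' }
else { "LDAP server signing: NOT enforced (LDAPServerIntegrity=$integrity)" }

# 2. Visibility. "16 LDAP Interface Events" must be 2 for the DC to write
#    Event 2889 (one per unsigned or clear-text simple bind, with client and identity).
$diagName = '16 LDAP Interface Events'
$diag = (Get-ItemProperty -Path "$ntds\Diagnostics" -Name $diagName).$diagName
if ($diag -lt 2) {
    "Unsigned binds are not being logged. To enable Event 2889:"
    "  Set-ItemProperty -Path '$ntds\Diagnostics' -Name '$diagName' -Value 2"
}

# 3. Summarise unsigned binds from the last 7 days by client and identity,
#    so the offending clients (e.g. the Mac/Samba/Linux cases) can be fixed
#    before signing is enforced.
$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
      # Assumed property order for 2889: [0] = client "IP:port", [1] = identity.
      [pscustomobject]@{
          Client   = $_.Properties[0].Value -replace ':\d+$', ''   # strip the port
          Identity = $_.Properties[1].Value
          Time     = $_.TimeCreated
      }
  } |
  Group-Object Client, Identity |
  Sort-Object Count -Descending |
  Select-Object Count, Name,
      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
  Format-Table -AutoSize
```

The event log only holds what the DC has retained, so run this on every DC (or forward the Directory Service log centrally) before deciding that no unsigned clients remain.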
126.96.36.199 Strong Protection of Authn Secrets
1b. Protected Channel
Focus on native issues for AD. Only identified use case was password store replication among AD servers.
- Lee uses IPsec. [AI] Lee will check into recommendations for AD password store replication.
- Keep a note about provisioning for implementers and off-site data centers
Note about the Cookbook: Provide clear direction about practices that clear the bar and AM.
[AI] Mark to fill in 188.8.131.52.2 and 3.
[AI] Michael to update the existing rows to reflect today's discussion.
[AI] Eric to fill in 184.108.40.206, 220.127.116.11, 18.104.22.168.1. If we can determine how to handle protected channels, these may fall out under that. Eric will review if there are other gaps besides protected channels.