AD-Assurance Notes from March 22

Mark Rank, UCSF
David Walker, InCommon/Internet2
Michael Brogan, UWash
Jeff Capehart, UFL
Ron Thielen, UChicago
Lee Amenya, UCSD
Jeff Whitworth, UNC-Greensboro
Eric Goodman, UCOP
Ann West, InCommon/Internet2
Next Call

March 29 at Noon ET
+1-734-615-7474 PREFERRED
+1-866-411-0013
0195240#
Agenda: Ron's AM, updates to AIs and impacts on the matrix, next matrix criteria

Action Items

Old
Ann will work with Debbie Bucci (NIH) to set up calls with Federal Agencies that have certified IdPs.

New
Ron will upload BitLocker information to the wiki.
Lee will check into recommendations for AD password store replication.
Mark to fill in 4.2.3.6.2 and 3.
Michael to update the existing rows to reflect today's discussion.
Eric to fill in 4.2.5.1, 4.2.5.2, 4.2.8.2.1 and review if there are other gaps besides protected channels.

Notes

Ron would like a peer review of his Alternative Means document on the wiki. We'll include this on the agenda of the next call, but folks are encouraged to comment in email.

Matrix Discussion

4.2.3.4 Stored Authn Secrets (S)

Only need to address one of the 3 password storage alternatives

Alternative 2

[AI] Ron will upload BitLocker information to the wiki.

  • Decrypts sectors as they are read, which meets the requirement that secrets be decrypted only when immediately needed for authn.
  • Can optionally use AES-256, which is an approved algorithm.

Could also use FIPS 140-2 encrypted hard drives.

4.2.3.5 Basic Protection of Authn Secrets

  1. There are tools to access the file, but an admin can't simply peruse it. No gaps.
  2. Enable signed LDAP connections. Disable LDAP if you can't support an encrypted channel. This option poses a problem for Mac, Samba, and Linux clients, as mentioned in the Cookbook.
    1. Ron's AM - Network monitoring for signed LDAP binds.
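As an added illustration of item 2 and Ron's alternative means (this is example code, not part of the meeting notes or the Cookbook): a domain controller can be checked for whether LDAP signing is required, and asked to log each unsigned bind so the Mac, Samba and Linux clients that would break can be found before signing is enforced. The registry locations and event ID 2889 are Microsoft's documented ones; the function names, the 24-hour window and the report layout are my choices.

```powershell
# Added example (not from the meeting notes): audit a DC for unsigned LDAP binds.
# Run in an elevated PowerShell session on the domain controller.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
$bindTypes = @{ '0' = 'SASL unsigned'; '1' = 'Simple (cleartext)' }  # event 2889 Binding Type codes

function Get-LdapSigningPolicy {
    # LDAPServerIntegrity: 1 (or absent) = signing not required, 2 = signing required
    $p = Get-ItemProperty "$ntds\Parameters" -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    if ($p.LDAPServerIntegrity -eq 2) { 'Require signing' }
    else { 'None: unsigned SASL binds and cleartext simple binds are accepted' }
}

function Enable-LdapBindAuditing {
    # "16 LDAP Interface Events" = 2 makes the DC log event 2889 for every unsigned bind
    Set-ItemProperty "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBinds {
    param([datetime]$Since = (Get-Date).AddDays(-1))  # window is my choice
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull client address, attempted identity and bind type out of the event text
        if ($_.Message -match 'Client IP address:\s*(?<ip>\S+?)(?::\d+)?\s+Identity.*?as:\s*(?<id>\S+)\s+Binding Type:\s*(?<type>\d)') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                ClientIP = $Matches.ip
                Identity = $Matches.id
                BindType = $bindTypes[$Matches.type]
            }
        }
    }
}

# Summarise offending clients so each can be fixed, or covered by a documented AM, first
"LDAP signing policy: $(Get-LdapSigningPolicy)"
Get-UnsignedLdapBinds | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Identities'; e = { ($_.Group.Identity | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Call Enable-LdapBindAuditing once, let the DC run for a normal business cycle, then review the report before setting LDAPServerIntegrity to 2.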

4.2.3.6 Strong Protection of Authn Secrets

1b. Protected Channel

Focus on native issues for AD. Only identified use case was password store replication among AD servers.

  • Lee uses IPsec. [AI] Lee will check into recommendations for AD password store replication.
  • Keep a note about provisioning for implementers and off-site data centers

Note about the Cookbook: Provide clear direction about practices that clear the bar and AM.

[AI] Mark to fill in 4.2.3.6.2 and 3.

[AI] Michael to update the existing rows to reflect today's discussion

[AI] Eric to fill in 4.2.5.1, 4.2.5.2, 4.2.8.2.1. If we can determine how to handle protected channels, these may fall out under that. Eric will review if there are other gaps besides protected channels.
