...
- Protected Channels - IAP 4.2.3.6.1b - Gaps
- The Kerberos RC4-HMAC encryption type (RC4 with HMAC-MD5) is not NIST or FIPS approved, and we would like to determine whether it can be considered comparable to the approved algorithms for the purposes of an alternative means request. Can you help with this? (See http://www.incommon.org/assurance/alternativemeans.html for the criteria we will consider.)
- Currently it is not very practical to crack RC4-HMAC, even though it has long-known weaknesses. If that were to change (e.g., a simple cracking tool posted on the Internet), does Microsoft have a response procedure for such a compromise? How would that procedure protect Microsoft customers who may be operating at LoA-2 via an alternative means exception?
- What encryption algorithms does Windows Secure Channel (Schannel) use?
- What is the impact of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security policy setting on all domain clients? What is the impact on domain controllers?
- What must be configured so that the security logs distinguish NTLMv1 from NTLMv2 authentication? We would like to downgrade a user's assurance level if they access a service that authenticates them with NTLMv1.
- When BitLocker full-disk encryption is used, are disk sectors decrypted only as they are read? What is the recommended and supported BitLocker configuration for use with AD-DS?
- Does Syskey use NIST/FIPS approved algorithms for encryption?
- Are AD-DS password credentials stored by other Microsoft identity management components, such as ADFS? If so, what are those components?
- Does Microsoft have a strategy for supporting compliance with the Federal Identity, Credential, and Access Management (FICAM) requirements at LoA-2, perhaps through Microsoft's partnership with the Kantara Initiative? If so, what is the time frame?
- Does Microsoft have a strategy for AD integration of non-Windows and older Windows client platforms that uses NIST/FIPS approved algorithms for transport of passwords over the network? If so, what is the time frame?
- Is it possible to configure AD so that the NetUserChangePassword and NetUserSetInfo calls (carried over the SAMR RPC interface) require NIST approved algorithms for encrypting the session over which the password data is passed?
- Please review "IAP Requirements and Gaps for Active Directory Domain Services" to verify the information it contains.
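The NTLMv1/NTLMv2 question above can be answered from the Security log without waiting on Microsoft: a successful logon event (Event ID 4624) records the authentication package and, for NTLM logons, the "Package Name (NTLM only)" field (LmPackageName), which reads NTLM V1, NTLM V2 or LM. The PowerShell below is an added example written for this page, not code from the original page or from Microsoft. It assumes it is run elevated on the server whose logons are being examined and that success auditing for the Logon subcategory is enabled (otherwise no 4624 events exist); the field names used are those of the real 4624 event, while the sort and grouping are this example's own choices.

```powershell
# Added example: report NTLMv1 logons from the Security log (not from the original page).
# Assumption: run as an administrator on the member server or DC being inspected.

# 1. Show whether success auditing for the Logon subcategory is on; 4624 is not written without it.
#    (Enable with: auditpol /set /subcategory:"Logon" /success:enable)
auditpol /get /subcategory:"Logon"

# 2. Select 4624 events whose authentication package was NTLM.
#    Event 4624 carries the NTLM version in the LmPackageName field.
$filter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
    </Select>
  </Query>
</QueryList>
'@

$events = Get-WinEvent -FilterXml $filter -MaxEvents 5000 -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData into a record with the fields we care about.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType          # 3 = network logon to a service on this host
        NtlmVersion = $d.LmPackageName      # 'NTLM V1', 'NTLM V2' or 'LM'
        Workstation = $d.WorkstationName
        SourceIp    = $d.IpAddress
    }
}

# 4. Accounts seen authenticating with NTLMv1 (candidates for an assurance downgrade),
#    with the source addresses they came from.
$rows | Where-Object { $_.NtlmVersion -eq 'NTLM V1' } |
    Group-Object User |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            User         = $_.Name
            Ntlmv1Logons = $_.Count
            Sources      = ($_.Group.SourceIp | Sort-Object -Unique) -join ','
        }
    } | Format-Table -AutoSize

# 5. Overall NTLM version breakdown in the sample, to size the problem.
$rows | Group-Object NtlmVersion | Select-Object Name, Count
```

One caveat matters for the downgrade use case: the version field lives in the 4624 event written on the host where the logon occurred. A domain controller validating NTLM credentials for a member server only logs Event ID 4776, which names the account and source workstation but not the NTLM version, so 4624 must be collected from (or forwarded by) each service host rather than read from the DCs alone.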