AD-Assurance Notes from March 22

Mark Rank, UCSF
David Walker, InCommon/Internet2
Michael Brogan, UWash
Jeff Capehart, UFL
Ron Thielen, UChicago
Lee Amenya, UCSD
Jeff Whitworth, UNC-Greensboro
Eric Goodman, UCOP
Ann West, InCommon/Internet2

Next Call

March 29 at Noon ET
+1-734-615-7474 PREFERRED
+1-866-411-0013
0195240#
Agenda: Ron's Alternative Means (AM) proposal, updates to action items (AIs) and their impact on the matrix, next matrix criteria

Action Items

Old

Ann will work with Debbie Bucci (NIH) to set up calls with Federal Agencies that have certified IdPs.

New

Ron will upload BitLocker information to the wiki.
Lee will check into recommendations for AD password store replication.
Mark to fill in 4.2.3.6.2 and 3.
Michael to update the existing rows to reflect today's discussion.
Eric to fill in 4.2.5.1, 4.2.5.2, 4.2.8.2.1. If we can determine how to handle protected channels, these may fall out under that. Eric will review if there are other gaps besides protected channels.

Notes

Ron would like your thoughts on a philosophy for how the audit process addresses some of the requirements. Parking lot.

If you do these things, you meet the requirement. You can meet the requirement by satisfying 2 by doing the following. Would like to do this with passwords, though, so we can consider

Ron would like a peer review of his Alternative Means document on the wiki. We'll include this on the agenda of the next call, but folks are encouraged to comment in email.

Matrix Discussion

4.2.3.4 Stored Authn Secrets (S)

Only need to address one of the 3 password storage alternatives.

Alternative 2

[AI] Ron will upload BitLocker information to the wiki. Ron Thielen has the links and will mail them to the group.

  • Decrypts sectors as they are read, which meets the requirement to decrypt only when immediately needed for authn.
  • Optionally uses AES-256, which is approved.

Could also use FIPS 140-2 encrypted hard drives.

4.2.3.5 Basic Protection of Authn Secrets

  1. There are tools to access the file, but the admin can't just peruse the file. No gaps.
  2. Enable signed LDAP connections. Disable LDAP if you can't support an encrypted channel. This option poses a problem for Mac, SAMBA, and Linux clients, as mentioned in the Cookbook, which calls out what the operational issues are.
    1. Ron's AM - network monitoring. Monitor whether LDAP binds are signed; if we see someone with Silver, then downgrade their assurance level.
    2. The only AM proposal is Ron's. Enabling signing meets the requirements. If a site can't do that, then it could use Ron's compensating control.
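As an added example (not from these notes or the Cookbook), a PowerShell check run on a domain controller for the two positions discussed above: whether LDAP signing is actually required (option 2) and, for Ron's network-monitoring alternative, which clients have bound without signing. The NTDS registry values and Directory Service Event ID 2889 are documented Windows values; the regexes that pull the client IP and identity out of the event text are an assumption about the message format and may need adjusting.

```powershell
# Added example, not the working group's own code. Run on a DC with admin rights.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Test-LdapSigningPolicy {
    # LDAPServerIntegrity: 0 = off, 1 = negotiate signing (default), 2 = require signing
    $p = Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue
    $integrity = if ($null -ne $p.LDAPServerIntegrity) { [int]$p.LDAPServerIntegrity } else { 1 }
    # "16 LDAP Interface Events" must be >= 2 before the DC logs a 2889 event per unsigned client
    $d = Get-ItemProperty -Path $NtdsDiag -ErrorAction SilentlyContinue
    $diag = if ($null -ne $d.'16 LDAP Interface Events') { [int]$d.'16 LDAP Interface Events' } else { 0 }
    [pscustomobject]@{
        SigningRequired     = ($integrity -eq 2)
        UnsignedBindsLogged = ($diag -ge 2)
        Verdict = if ($integrity -eq 2) { 'Meets 4.2.3.5: LDAP signing is required' }
                  elseif ($diag -ge 2) { 'Gap: signing not required; relying on monitoring (Ron''s AM)' }
                  else { 'Gap: signing not required and unsigned binds are not being logged' }
    }
}

function Get-UnsignedLdapBinds {
    param([int]$Hours = 24)
    # Event 2889: a client did a SASL bind without signing, or a simple bind over cleartext LDAP.
    # Identities seen here are the ones the AM proposal would consider for downgrade.
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed message layout: "<client IP>:<port>" and "...authenticate as:<identity>"
        $ip = if ($_.Message -match '(\d{1,3}(?:\.\d{1,3}){3}):\d+') { $Matches[1] } else { 'unknown' }
        $id = if ($_.Message -match '(?m)authenticate as:\s*(\S.*)$') { $Matches[1].Trim() } else { 'unknown' }
        [pscustomobject]@{ Time = $_.TimeCreated; ClientIP = $ip; Identity = $id }
    } | Group-Object ClientIP, Identity | ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Group[0].ClientIP
            Identity = $_.Group[0].Identity
            Count    = $_.Count
            LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

Test-LdapSigningPolicy
Get-UnsignedLdapBinds -Hours 24 | Format-Table -AutoSize
```

If the policy check reports that unsigned binds are not logged, the second function will return nothing, so turn on the diagnostic level first and let it collect for a day before drawing conclusions.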

4.2.3.6 Strong Protection of Authn Secrets

1b. Protected Channel

Provisioning issue (WA has homegrown code).

Focus on native issues for AD. The only identified use case was password store replication among AD servers.

  • Lee uses

...

  • IPSec. [AI] Lee will check into recommendations for AD password store replication.
  • Keep a note about provisioning for implementers and off-site data centers.

...

Note about the Cookbook: Provide clear direction about which practices clear the bar and which ones require AM.

Next Call: Discuss Ron's AM

  • Update on BitLocker
  • Update the table, 4.2.3.6.2 and 3 – Mark Rank
  • Update the table – Michael
  • 4.2.5.1, 4.2.5.2, 4.2.8.2.1 – can we refer back up? – Eric. If we can determine how to handle protected channels, these may fall under that. Eric will review if there are other gaps outside protected channels.
  • Domain channel replication – Lee, UCSD