AD-Assurance Notes from March 22
Mark Rank, UCSF
David Walker, InCommon/Internet2
Michael Brogan, UWash
Jeff Capehart, UFL
Ron Thielen, UChicago
Lee Amenya, UCSD
Jeff Whitworth, UNC-Greensboro
Eric Goodman, UCOP
Ann West, InCommon/Internet2
Next Call
March 29 at Noon ET
+1-734-615-7474 PREFERRED
+1-866-411-0013
0195240#
Agenda: Ron's AM, updates to AIs and impacts on the matrix, next matrix criteria
Action Items
Old
Ann will work with Debbie Bucci (NIH) to set up calls with Federal Agencies that have certified IdPs.
New
Notes
Ron would like your thoughts on a philosophy for the audit process to address some of the requirements. Parking Lot.
If you do these things, you meet the requirement; for example, you can meet requirement 2 by doing the following. He would like to start with passwords, though, so we can consider it.
Ron will upload Bit Locker information to the wiki.
Lee will check into recommendations for AD password store replication.
Mark to fill in 4.2.3.6.2 and 3.
Michael to update the existing rows to reflect today's discussion.
Eric to fill in 4.2.5.1, 4.2.5.2, 4.2.8.2.1. If we can determine how to handle protected channels, these may fall out under that. Eric will review if there are other gaps besides protected channels.
Notes
Ron would like a peer review of his Alternative Means document on the wiki. We'll include this on the agenda of the next call, but folks are encouraged to comment in email.
Matrix Discussion
4.2.3.4 Stored Authn Secrets (S)
Only need to address one of the 3 password storage alternatives
Alternative 2
[AI] Ron will upload Bit Locker information to the wiki.
- Decrypts sectors as they are read, which meets the requirement that secrets only be decrypted when immediately needed for authn.
- Optionally uses AES-256, which is approved.
Could also use FIPS 140-2 encrypted hard drives.
4.2.3.5 Basic Protection of Authn Secrets
- There are tools to access the file, but the admin can't just peruse the file. No gaps.
- Enable signed LDAP connections. Disable LDAP if you can't support an encrypted channel. This option poses a problem for Mac, Samba, and Linux clients, as mentioned in the Cookbook; the signing issue is not just a Mac issue. The Cookbook calls out what the operational issues are.
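As an added example, not from these notes or the Cookbook, here is a PowerShell check a DC admin can run before requiring LDAP signing: it reads the current server-side setting and lists the clients still binding unsigned, which is where the Mac, Samba and Linux breakage would show up. The registry values and event IDs are Microsoft's documented ones; the 7-day window is an assumption.

```powershell
# Added example (not part of the meeting notes): audit a domain controller's
# LDAP signing posture before enforcing it. Run in an elevated session on the DC.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# 1. Current server-side requirement: 1 (or absent) = signing not required,
#    2 = signing required for all non-TLS binds.
$integrity = (Get-ItemProperty -Path $ntdsKey -Name 'LDAPServerIntegrity' `
              -ErrorAction SilentlyContinue).LDAPServerIntegrity
if (-not $integrity) { $integrity = 1 }
$state = if ($integrity -eq 2) { 'signing required' } else { 'signing NOT required' }
"LDAPServerIntegrity = $integrity ($state)"

# 2. Per-client logging: '16 LDAP Interface Events' at level 2 makes the DC
#    write event 2889 for every unsigned SASL bind or clear-text simple bind.
$level = (Get-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
if ($level -lt 2) {
    Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2
    "Raised LDAP Interface Events diagnostics to 2; re-run after clients have reconnected."
}

# 3. Summarise who is still binding unsigned. In event 2889 the first message
#    field is the client address:port and the second is the bound identity.
$since  = (Get-Date).AddDays(-7)   # assumed review window
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
          -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        [pscustomobject]@{
            Client   = ($_.Properties[0].Value -replace ':\d+$', '')   # strip the port, IPv6-safe
            Identity = $_.Properties[1].Value
        }
    } |
    Group-Object Client, Identity |
    Sort-Object Count -Descending |
    Select-Object Count, @{n = 'Client'; e = { $_.Values[0] }}, @{n = 'Identity'; e = { $_.Values[1] }} |
    Format-Table -AutoSize
```

Each row in the output is a client and account to fix (enable signing or move to LDAPS) before LDAPServerIntegrity is set to 2.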
4.2.3.6 Strong Protection of Authn Secrets
1b. Protected Channel
Provisioning issue (WA has homegrown code)
Focus on native issues for AD. The only identified use case was password store replication among AD servers.
Lee uses IPSec. [AI] Lee will check into recommendations for AD password store replication.
- Keep a note about provisioning for implementers and off-site data centers
Note about the Cookbook: provide clear direction about which practices clear the bar and which ones require AM.
Next Call: Discuss Ron's AM
Update on Bit Locker
Update the table? 2 & 3 – Mark Rank
Update the table – Michael
[AI] Mark to fill in 4.2.3.6.2 and 3.
[AI] Michael to update the existing rows to reflect today's discussion.
[AI] Eric to fill in 4.2.5.1, 4.2.5.2, 4.2.8.2.1. If we can determine how to handle protected channels, these may fall out under that. Eric will review if there are other gaps besides protected channels.
Domain Channel replication – Lee UCSD