Cookbook - DRAFT

Addressing IAP Sections in version 1.1 of the IAP: http://www.incommon.org/docs/assurance/IAP_V1.1.pdf

Introduction

Scope

This document is intended to aid in configuring Active Directory to meet the requirements of the InCommon Federation's Identity Assurance Profile (IAP) for Silver level of assurance. Software changes can impact the necessary configurations, so for brevity we have limited the scope of recommendations to Active Directory on Windows Server 2008 R2 running in Windows Server 2008 Forest Functional mode. It is likely that similar protections and controls can be used with other versions of the software. This cookbook only addresses the most recent versions of the Windows Server operating system and its Active Directory Domain Services component.

Preamble
Securing Active Directory and authentication traffic is vital to achieving Silver assurance. There are two strategies that can be employed to achieve secure authentication traffic with Active Directory:

  • Encryption on the wire via IPSec
  • Encryption on the wire via LDAPS

The reader can use either of these strategies to secure authentication traffic and which is chosen is up to the reader. More about these technologies is included in the appendices.

Only sections of the IAP where there is a challenge unique to Active Directory are specifically addressed. For example, sections 4.2.3.2 and 4.2.3.3 of the IAP are *not* covered in this document, because brute-force guessing and password entropy pose no challenge unique to Active Directory: like most authentication services, Active Directory has controls for password rotation and complexity, and mitigating features such as account lockout.

IAP sections covered in this document:

  • 4.2.3.4 Stored Authentication Secrets
  • 4.2.3.5 Protected Authentication Secrets
  • 4.2.5.1 Resist Replay Attack
  • 4.2.5.2 Resist Eavesdropper Attack
  • 4.2.5.3 Secure communication

4.2.3.4 Stored Authentication Secrets

AD Problem Statement

The language in this section requires either that the password be salted and hashed, or that an unsalted password be encrypted and decrypted only at the moment it is used for authentication, or that a NIST Level 3 or 4 method be used. Active Directory's default credential store does not satisfy the first option by itself: the NT hash it keeps for each account is an unsalted MD4 digest of the password, so the argument for Silver has to rest on how that store is protected.

...

Have your IT security office (or equivalent) set up Intrusion Detection System (IDS) rules to monitor for NTLMv1 and for simple (basic) binds in the clear against your AD domain controllers, and notify the owners of any services or hosts that are sources of this traffic. Reduce that traffic over time, then enforce the GPO-based policies described above, and/or use institutional policy to stipulate secure authentication methods for your AD authentication service and for any supplicant services (for example, requiring SSL/TLS for web sites that use login forms and authenticate against your AD). Follow up the policy with audits of services, especially those that exhibit noncompliant behavior. The domain controllers can corroborate what the IDS sees: raising the NTDS diagnostic level for "16 LDAP Interface Events" to 2 makes a Windows Server 2008 R2 domain controller log Event ID 2889 in the Directory Service log, with the client address and bound identity, for each simple bind in the clear or unsigned SASL bind, and the DC's logon audit Event ID 4624 records "Package Name (NTLM only): NTLM V1" for NTLMv1 authentications.
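The monitoring step above calls for IDS rules that recognise a simple bind carrying a password on an unencrypted connection. The following Python is an added illustration, not code from the cookbook: it decodes the BER-encoded LDAP BindRequest (RFC 4511, section 4.2) that such a rule must match and labels each bind. The sample messages are constructed in the code (no real credentials), and the rule that port 636 is TLS-protected while port 389 is cleartext is a stated simplification: a connection that issued StartTLS on 389 would have to be tracked by the capture tool.

```python
"""Classify LDAP BindRequests seen on the wire to find cleartext simple binds.
Added example, not the cookbook's own code; samples are constructed."""
import struct

LDAPS_PORT = 636  # assumption: 636 is TLS, 389 is cleartext unless StartTLS was tracked


def ber_encode(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content


def ber_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F            # 0x80 (indefinite length) is rejected
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindRequest } per RFC 4511 section 4.2."""
    tag, body, _ = ber_read(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = ber_read(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    info = {"message_id": int.from_bytes(mid, "big", signed=True)}
    tag, op, _ = ber_read(body, pos)
    if tag != 0x60:                      # [APPLICATION 0] BindRequest
        info["op"] = "other"
        return info
    info["op"] = "bind"
    _, ver, pos = ber_read(op, 0)
    _, name, pos = ber_read(op, pos)
    auth_tag, auth, _ = ber_read(op, pos)
    info["version"] = int.from_bytes(ver, "big")
    info["name"] = name.decode("utf-8", "replace")
    if auth_tag == 0x80:                 # simple [0] OCTET STRING: the password itself
        info["auth"] = "simple"
        info["password_len"] = len(auth)
    elif auth_tag == 0xA3:               # sasl [3] SaslCredentials { mechanism, credentials }
        _, mech, _ = ber_read(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode("ascii", "replace")
    else:
        info["auth"] = "unknown"
    return info


def classify_bind(dst_port: int, msg: bytes) -> str:
    """Label a bind; CLEARTEXT_PASSWORD is the finding the IDS rule must raise."""
    info = parse_bind_request(msg)
    if info["op"] != "bind":
        return "not-a-bind"
    if info["auth"] == "simple":
        if info["password_len"] == 0:
            return "anonymous"           # RFC 4513 anonymous bind: no secret on the wire
        return "tls-simple" if dst_port == LDAPS_PORT else "CLEARTEXT_PASSWORD"
    if info["auth"] == "sasl":
        return "sasl:" + info["mechanism"]   # GSS-SPNEGO may carry Kerberos or NTLM
    return "unknown"


# Constructed sample builders (messageID kept below 128 for the one-byte INTEGER).
def bind_simple(msg_id: int, dn: bytes, password: bytes) -> bytes:
    op = ber_encode(0x60, ber_encode(0x02, b"\x03") + ber_encode(0x04, dn) + ber_encode(0x80, password))
    return ber_encode(0x30, ber_encode(0x02, bytes([msg_id])) + op)


def bind_sasl(msg_id: int, mechanism: bytes, token: bytes) -> bytes:
    creds = ber_encode(0xA3, ber_encode(0x04, mechanism) + ber_encode(0x04, token))
    op = ber_encode(0x60, ber_encode(0x02, b"\x03") + ber_encode(0x04, b"") + creds)
    return ber_encode(0x30, ber_encode(0x02, bytes([msg_id])) + op)


if __name__ == "__main__":
    samples = [
        (389, bind_simple(1, b"cn=svc-web,dc=example,dc=edu", b"Password1")),
        (636, bind_simple(2, b"cn=svc-web,dc=example,dc=edu", b"Password1")),
        (389, bind_simple(3, b"", b"")),
        (389, bind_sasl(4, b"GSS-SPNEGO", b"NTLMSSP\x00")),
    ]
    for port, pkt in samples:
        print(port, classify_bind(port, pkt))
```

The parser deliberately does not try to tell NTLMv1 from NTLMv2: at the LDAP layer both appear as a GSS-SPNEGO SASL bind, so the NTLM version has to come from the NTLMSSP AUTHENTICATE message inside the token or from the domain controller's own logon audit events.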

Sample Management Assertion(s) (first paragraph also applies to 4.2.3.2 & 4.2.3.3)

Kerberos V uses time-based pre-authentication to protect against dictionary attacks: a client must prove knowledge of the password, by encrypting a current timestamp under the password-derived key, before the KDC returns any material encrypted under that key, so an attacker who does not hold the password is forced to make each guess online against the KDC. Our Kerberos V implementation (in this case, Active Directory) has an account lockout policy enabled *[your lockout policy goes here]*, which, when combined with pre-authentication, mitigates the risk of dictionary attack. When combined with adequate password complexity from section 4.2.3.3 this makes it highly improbable that the password could be guessed by such an attack. The password itself is never transmitted, which addresses eavesdropping under section 4.2.5.2; an eavesdropper who captures a pre-authentication exchange can still attempt an offline dictionary attack on it, so the password complexity required by 4.2.3.3 is what protects that case. This assertion depends on pre-authentication being required for all accounts in scope (Active Directory allows it to be disabled per account).
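The assertion above rests on two properties that are easy to state and easy to get wrong: pre-authentication forces an attacker without the password to guess online, where lockout applies, but it does nothing against offline guessing by an eavesdropper who has captured a pre-authentication exchange, and it does nothing for an account that has pre-authentication disabled. The following Python model is an added example, not Active Directory's or the cookbook's code, and makes both visible. It is a toy: the "encryption" is an HMAC tag standing in for the etype ciphertext, string_to_key is PBKDF2 standing in for the Kerberos string-to-key function, and the principals, passwords, wordlist and lockout threshold are constructed.

```python
"""Toy model of the Kerberos V AS exchange: pre-authentication plus lockout
versus dictionary guessing. Added example; not Active Directory's code.
'Encryption' is an HMAC tag, string_to_key is PBKDF2, all inputs constructed."""
import hashlib
import hmac
import time

CLOCK_SKEW = 300   # seconds; the usual Kerberos default
WORDLIST = ["Password1", "Spring2012", "Winter2012", "Summer2013", "Fall2013",
            "Welcome1", "Letmein1", "Autumn2012", "P@ssw0rd", "Changeme1"]


def string_to_key(password: str, salt: bytes) -> bytes:
    """Stand-in for the Kerberos string-to-key function (assumption: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1000, 32)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy cipher: the 'ciphertext' is a MAC that any key holder can recompute."""
    return hmac.new(key, plaintext, hashlib.sha256).digest()


class Principal:
    def __init__(self, name: str, password: str, preauth_required: bool):
        self.name = name
        self.salt = b"EXAMPLE.EDU" + name.encode()   # Kerberos salt: realm + principal name
        self.key = string_to_key(password, self.salt)
        self.preauth_required = preauth_required     # False models AD's DONT_REQ_PREAUTH flag
        self.failures = 0
        self.locked = False


class KDC:
    """Minimal AS exchange with an account lockout threshold."""
    def __init__(self, lockout_threshold: int):
        self.threshold = lockout_threshold
        self.principals = {}

    def add(self, p: Principal) -> None:
        self.principals[p.name] = p

    def as_req(self, cname: str, preauth=None, now=None) -> dict:
        p = self.principals[cname]
        now = time.time() if now is None else now
        if p.locked:
            return {"error": "KDC_ERR_CLIENT_REVOKED"}
        if p.preauth_required:
            if preauth is None:          # a real KDC returns the salt in PA-ETYPE-INFO2
                return {"error": "KDC_ERR_PREAUTH_REQUIRED", "salt": p.salt}
            ts, tag = preauth
            fresh = abs(now - ts) <= CLOCK_SKEW
            valid = hmac.compare_digest(tag, toy_encrypt(p.key, str(ts).encode()))
            if not (fresh and valid):
                p.failures += 1          # every wrong guess is a KDC-side, auditable event
                if p.failures >= self.threshold:
                    p.locked = True
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
            p.failures = 0
        # AS-REP enc-part: encrypted under the client's long-term, password-derived key
        return {"enc_part": toy_encrypt(p.key, b"session-key||times"), "salt": p.salt}


def make_preauth(password: str, salt: bytes, now: float):
    """PA-ENC-TIMESTAMP: the current time encrypted under the password-derived key."""
    ts = int(now)
    return ts, toy_encrypt(string_to_key(password, salt), str(ts).encode())


def offline_guess(target: bytes, plaintext: bytes, salt: bytes, wordlist):
    """Offline dictionary attack: no KDC traffic, so lockout never triggers."""
    for w in wordlist:
        if hmac.compare_digest(toy_encrypt(string_to_key(w, salt), plaintext), target):
            return w
    return None


def online_guess(kdc: KDC, cname: str, wordlist, now: float):
    """Online attack: each guess is an AS-REQ the KDC sees, counts and can lock."""
    salt = kdc.as_req(cname, now=now)["salt"]
    attempts = 0
    for w in wordlist:
        attempts += 1
        rep = kdc.as_req(cname, make_preauth(w, salt, now), now)
        if "enc_part" in rep:
            return w, attempts
        if rep["error"] == "KDC_ERR_CLIENT_REVOKED":
            return None, attempts        # locked out before reaching the right guess
    return None, attempts


def demo(now: float = 1_700_000_000.0) -> dict:
    kdc = KDC(lockout_threshold=5)
    kdc.add(Principal("legacy-app", "Winter2012", preauth_required=False))
    kdc.add(Principal("alice", "Changeme1", preauth_required=True))
    alice = kdc.principals["alice"]
    r = {}
    # 1. No pre-auth: anyone obtains AS-REP material and cracks it offline.
    rep = kdc.as_req("legacy-app", now=now)
    r["no_preauth_offline"] = offline_guess(rep["enc_part"], b"session-key||times", rep["salt"], WORDLIST)
    # 2. Pre-auth + lockout: the online guesser is locked out before reaching the password.
    r["preauth_online"] = online_guess(kdc, "alice", WORDLIST, now)
    r["alice_locked"] = alice.locked
    # 3. Caveat: a captured legitimate pre-auth is still crackable offline (4.2.5.2 leans on 4.2.3.3).
    ts, tag = make_preauth("Changeme1", alice.salt, now)
    r["captured_preauth_offline"] = offline_guess(tag, str(ts).encode(), alice.salt, WORDLIST)
    return r


if __name__ == "__main__":
    print(demo())
```

The three results are the three facts the assertion relies on: the account without pre-authentication is recovered offline with a single unauthenticated request, the account with pre-authentication and a threshold of five is locked on the fifth wrong guess and the sixth request is refused outright, and the captured pre-authentication is recovered offline regardless of lockout, which is why that case must be argued from password complexity rather than from the lockout policy.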

Simple LDAP binds protected by TLS (LDAPS) are encrypted on the wire, so they are protected and acceptable, provided the client validates the domain controller's certificate; a client that skips certificate validation can be redirected to an impostor and made to disclose the password.

...