...

This document is intended to aid in configuring Active Directory to meet the requirements of the InCommon Federation's Identity Assurance Profile (IAP) for the Silver level of assurance. Only sections of the IAP where there is a challenge unique to Active Directory are specifically addressed. For example, sections 4.2.3.2 and 4.2.3.3 of the IAP are *not* covered in this document because issues of brute-force guessing and password entropy pose no unique challenge to Active Directory; like most authentication services, Active Directory has controls to enforce password rotation and mitigating features such as account lockout.

IAP sections covered in this document:

  • 4.2.3.4 Stored Authentication Secrets
  • 4.2.3.5 Protected Authentication Secrets
  • 4.2.5.1 Resist Replay Attack
  • 4.2.5.2 Resist Eavesdropper Attack
  • 4.2.5.3 Secure communication

Software changes can impact the necessary configurations, so for brevity we have limited the scope of recommendations to Active Directory on Windows Server 2008 R2 running in Windows Server 2008 Forest Functional mode. It is likely that similar protections and controls can be used with other versions of the software. This cookbook only addresses the most recent versions of the Windows Server operating system and its Active Directory Domain Services component.

...

Either of these strategies can be used to secure authentication traffic; the choice is up to the reader. More about these technologies is included in the appendices.

...

...

4.2.3.4 Stored Authentication Secrets

...