...

This document is intended to aid in configuring Active Directory to meet the requirements of the InCommon Federation's Identity Assurance Profile (IAP) at the Silver level of assurance. Only those sections of the IAP that pose a challenge unique to Active Directory are specifically addressed. For example, sections 4.2.3.2 and 4.2.3.3 of the IAP are not covered in this document, because brute-force guessing and password entropy pose no challenge unique to Active Directory: like most authentication services, Active Directory provides controls for password rotation and mitigating features such as account lockout, and configuring those controls to satisfy these two sections requires no knowledge specific to AD.

This document addresses real-world risk mitigation in a production AD forest in use in a higher education environment. As with any change to a production environment, your implementation of this cookbook's recommendations should include tailoring them to your AD forest and its clients, careful planning, testing, impact assessment, communication, and mitigation of the risks introduced by the changes you deem necessary.

AD likely does not stand alone in most higher education authentication and authorization infrastructures. Other authentication components in your environment, which are out of the scope of this document, should also be assessed for compliance with InCommon Silver. Any institution undertaking a Silver implementation project should carefully read the InCommon Identity Assurance Profiles and the Identity Assurance Assessment Framework (both available from the Assurance section of the InCommon web site), understand them thoroughly, and determine the remediations needed in its specific environment.

...