...

Finally, universities are (multi-vendor) "BYOD" environments. While standards for end-user devices are often established, typically little enforcement is exercised over the types and configuration of devices that may be used to access services.  It is important that services be capable of protecting themselves from non-compliant end-user behavior.

...

  1. Protected Channels - IAP 4.2.3.6.1b - Gaps
    1. RC4 HMAC encryption is not NIST or FIPS approved, and we would like to determine if it's comparable to those methodologies that are.  Can you help with this? (See http://www.incommon.org/assurance/alternativemeans.html for the criteria we will consider.)
    2. Currently, it is not very practical to crack RC4 HMAC, even though it has long-known vulnerabilities.  If that were to change (e.g., a simple crack program posted on the Internet), does Microsoft have a response procedure for such compromises? How will this procedure protect Microsoft's customers that may be operating at LoA-2 via an alternate means exception?
    3. What encryption algorithms does Windows Secure Channel use? 
    4. What's the impact of turning on the FIPS setting on all Domain Clients? What's the impact on Domain Controllers?
    5. As NIST has observed, the initial key used by Kerberos is typically encrypted only by the user's password, which enables brute force attacks against the password.  Does AD have mitigation for this?  Does NTLMv2 also have this vulnerability?
  2. What should one do to enable distinguishing between NTLM v1 and v2 in the logs? We would like to downgrade a user's assurance level if they access a service that employs NTLM v1.  To generalize, we're looking to detect the overall technical context of the authentication event: protocol, encryption algorithm, tunnel, client platform options, etc.  Is this information available?
  3. When BitLocker full disk encryption is used are disk sectors decrypted only as they are read? What is the recommended/supported BitLocker configuration for use with AD-DS?
  4. Does Syskey use NIST/FIPS Approved Algorithms for encryption?
  5. Are AD-DS password credentials replicated and stored by other Microsoft identity management components, such as ADFS or Azure services?  If so, what are those components?
  6. Does Microsoft have a strategy for supporting compliance with the Federal Identity, Credential, and Access Management (FICAM) requirements at LoA-2, perhaps through Microsoft's partnership with the Kantara Initiative? If so, what is the time frame?
  7. Does Microsoft have a strategy for AD integration of non-Windows and old-Windows client platforms that will use NIST/FIPS approved algorithms for transport of passwords over a network? If so, what is the time frame?
  8. Is it possible to configure AD so that the NetUserChangePassword and NetUserSetInfo protocols require NIST approved algorithms for encrypting the session over which the password data is passed?
  9. Please review "IAP Requirements and Gaps for Active Directory Domain Services" to verify the information it contains. Overall, are there other issues we should address?
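Items 1.1, 1.2 and 2 above all come down to the same operational need: reading the "technical context" of an authentication event out of the Windows Security log so that a session negotiated with RC4-HMAC or NTLM v1 can be recognized and the user's assurance level adjusted. The following script is an added illustration, not code from the working group or from Microsoft. It parses the field labels that Windows itself writes in events 4624 (Authentication Package, Package Name (NTLM only)) and 4768/4769 (Ticket Encryption Type), maps the Kerberos encryption-type codes to their names, and applies an assumed policy in which only the AES types and NTLM v2 keep a session at LoA-2. The event samples are constructed, and the downgrade rule is an assumption chosen to match the question as posed, not an InCommon or Microsoft rule.

```python
"""Classify Windows Security log events by the authentication context they
record (protocol, NTLM version, Kerberos ticket encryption type) and decide
whether a session should be dropped below an assumed assurance level.

Added illustration only: event samples are constructed; the policy is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kerberos encryption-type codes as written in the 4768/4769
# "Ticket Encryption Type" field.
KERB_ETYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
}
# Assumption for this policy: only the AES types count as NIST/FIPS approved.
APPROVED_ETYPES = {0x11, 0x12}


@dataclass
class AuthContext:
    event_id: int
    protocol: str
    detail: str
    approved: Optional[bool]  # None when the event does not say


def _field(text: str, name: str) -> Optional[str]:
    """Return the value after 'name:' in an event rendered as 'Label: value' lines."""
    m = re.search(rf"{re.escape(name)}:\s*(.+)", text)
    return m.group(1).strip() if m else None


def classify(event_text: str) -> AuthContext:
    """Extract protocol and algorithm details from one 4624/4768/4769 event."""
    event_id = int(_field(event_text, "Event ID"))
    if event_id == 4624:
        pkg = _field(event_text, "Authentication Package")
        if pkg == "NTLM":
            # 4624 names the NTLM version explicitly: LM, NTLM V1 or NTLM V2.
            ver = _field(event_text, "Package Name (NTLM only)") or "unknown"
            return AuthContext(event_id, "NTLM", ver, ver == "NTLM V2")
        if pkg == "Kerberos":
            # A Kerberos logon event carries no etype; it lives in 4768/4769.
            return AuthContext(event_id, "Kerberos", "etype not recorded in 4624", None)
        return AuthContext(event_id, pkg or "unknown", "", None)
    if event_id in (4768, 4769):
        etype = int(_field(event_text, "Ticket Encryption Type"), 16)
        name = KERB_ETYPES.get(etype, f"unknown(0x{etype:x})")
        return AuthContext(event_id, "Kerberos", name, etype in APPROVED_ETYPES)
    return AuthContext(event_id, "other", "", None)


def assurance_after(event_text: str, claimed_level: int = 2) -> int:
    """Assumed policy: a mechanism known to be unapproved drops LoA-2 to LoA-1;
    an event that does not record the mechanism leaves the level unchanged."""
    ctx = classify(event_text)
    return 1 if ctx.approved is False else claimed_level


# Constructed samples in the label/value layout of the Windows Security log.
SAMPLE_EVENTS = [
    "Event ID: 4624\nLogon Type: 3\nAuthentication Package: NTLM\n"
    "Package Name (NTLM only): NTLM V1\nKey Length: 128",
    "Event ID: 4624\nLogon Type: 3\nAuthentication Package: NTLM\n"
    "Package Name (NTLM only): NTLM V2\nKey Length: 128",
    "Event ID: 4768\nTicket Encryption Type: 0x17\nPre-Authentication Type: 2",
    "Event ID: 4769\nTicket Encryption Type: 0x12",
    "Event ID: 4624\nLogon Type: 3\nAuthentication Package: Kerberos",
]


def summarize(events: List[str] = SAMPLE_EVENTS) -> List[Tuple[str, str, int]]:
    """(protocol, algorithm/version, resulting assurance level) per event."""
    out = []
    for e in events:
        ctx = classify(e)
        out.append((ctx.protocol, ctx.detail, assurance_after(e)))
    return out


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Fed real exported events, the same parser gives the per-event view the question asks for; correlating a 4624 Kerberos logon with the 4768/4769 that preceded it (by account and source address) is what supplies the encryption type the logon event itself omits.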