
Objective

The objective of this article is to collect individual comments on the AD Silver Cookbook during the public comment period.

Comments

Comments are presented raw with no editing unless needed to "protect the innocent"...

  1. Make it less scary - start out the introduction with a statement that everything doesn't have to be done at once, and with an estimate of the number of FTE involved over some amount of time to get the changes done.
  2. Remove "draft" and put a note in at the beginning that says that although no one has been certified using this approach yet, it is a best effort to determine what would need to be done to configure the AD portion of an environment to pass the audit.  Once an institution has passed the audit and been certified using this approach, change that wording.
  3. Note that this is a starting point, but any institutions wishing to assert Silver should undertake to thoroughly understand the IAP and IAAF documents in relation to their own systems, with a broad understanding of the implications for those systems.  The cookbook should not be taken as a manual for achieving Silver.
  4. I think the cookbook is laid out very well with strong consideration for the security risks in AD.
  5. One suggestion is that there is some mention of the need to change passwords after disabling LM Hashes. As you may already know, disabling LM Hashes in Group Policy only prevents future passwords from being stored this way. Existing passwords/user accounts will not have the LM Hash removed or overwritten until the next password reset. Without being aware of this, new institutions joining the validation program may have a period of 90 days or more (depending on password expiration policy) with remnant LM hashes on their Domain Controllers.
  6. Add a change log to the end with dates for each version.
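Comment 5 above points out that the Group Policy setting "Network security: Do not store LAN Manager hash value on next password change" only affects passwords set after it takes effect, so an account keeps its LM hash until its next reset. The following PowerShell script is an added example (not part of the cookbook or of these comments): it lists enabled accounts whose PasswordLastSet predates an assumed policy rollout date, so a reset can be scheduled or forced. The rollout date and the sample user list are constructed assumptions; with the RSAT ActiveDirectory module installed, live data comes from Get-ADUser instead.

```powershell
# Added example, not from the AD Silver Cookbook or this comment page.
# Finds enabled accounts whose password was last set BEFORE the LM-hash policy
# took effect; those accounts may still carry an LM hash until the next reset.
#
# Assumptions (hypothetical, adjust for your environment):
#   - $PolicyEffectiveDate is the date the GPO was applied to all domain controllers.
#   - Live data comes from Get-ADUser (RSAT ActiveDirectory module); when the module
#     is not available, a constructed sample list is used so the script runs offline.

function Get-LmHashCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $PolicyEffectiveDate,
        [Parameter(Mandatory)] [object[]] $Users
    )
    foreach ($u in $Users) {
        # Disabled accounts are skipped here; review them separately if desired.
        if (-not $u.Enabled) { continue }

        if ($null -eq $u.PasswordLastSet) {
            # pwdLastSet of 0 (must change at next logon, or never set): flag for review.
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                PasswordLastSet = $null
                Reason          = 'PasswordLastSet empty'
            }
            continue
        }

        if ($u.PasswordLastSet -lt $PolicyEffectiveDate) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                PasswordLastSet = $u.PasswordLastSet
                Reason          = 'Password predates LM-hash policy'
            }
        }
    }
}

# Hypothetical date on which the GPO reached every DC.
$PolicyEffectiveDate = Get-Date '2011-03-01'

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
             Select-Object SamAccountName, Enabled, PasswordLastSet
} else {
    # Constructed sample data for offline use.
    $users = @(
        [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true;  PasswordLastSet = (Get-Date '2010-12-15') },
        [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true;  PasswordLastSet = (Get-Date '2011-04-02') },
        [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true;  PasswordLastSet = $null },
        [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $false; PasswordLastSet = (Get-Date '2009-01-01') }
    )
}

$candidates = Get-LmHashCandidate -PolicyEffectiveDate $PolicyEffectiveDate -Users $users
$candidates | Format-Table -AutoSize
# With the sample data, alice (password predates policy) and carol (empty) are listed;
# bob's password is newer than the policy and dave is disabled.

# Optional remediation: require a password change at next logon for the flagged
# accounts. Remove -WhatIf once the list has been reviewed.
# $candidates | ForEach-Object {
#     Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf
# }
```

The check keys on PasswordLastSet rather than on the hash itself, because the LM hash is not readable through normal directory queries; the password-age comparison is what tells an auditor whether the 90-day (or longer) window the comment describes has actually closed for every account.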