AD-Assurance Notes from March 22
Mark Rank, UCSF
David Walker, InCommon/Internet2
Michael Brogan, UWash
Jeff Capehart, UFL
Ron Thielen, UChicago
Lee Amenya, UCSD
Jeff Whitworth, UNC-Greensboro
Eric Goodman, UCOP
Ann West, InCommon/Internet2
Next Call
March 29 at Noon ET
+1-734-615-7474 PREFERRED
+1-866-411-0013
0195240#
Action Items
Old
Ann will work with Debbie Bucci (NIH) to set up calls with Federal Agencies that have certified IdPs.
New
Notes
Ron would like your thoughts on a philosophy for the audit process to address some of the requirements. Parking lot.
If you do these things, you meet the requirement. You can meet the requirement by satisfying 2 by doing the following. Would like to do this with passwords though, so we can consider
Matrix
4.2.3.4: only need to address one of the 3 password storage alternatives
Alternative 2 -
BitLocker - Ron Thielen has the links and will mail them to the group
- Decrypts sectors as they are read, which meets the requirement that secrets are only decrypted when immediately needed for authn.
- Optionally uses AES-256, which is approved
Using FIPS 140-2 encrypted hard drives
4.2.3.5 Basic Protection of authn Secrets
- There are tools to access the file, but the admin can't just peruse it. No gaps.
- Disable LDAP if you don't have an encrypted channel. Poses a problem for Mac clients. Cookbook calls out what the operational issues are. The signing issue is not just a Mac issue; it's a Samba and Linux desktop issue.
- AM (Alternative Means) - network monitoring. Monitor LDAP binds for signing; if we see someone with Silver, then downgrade their assurance level.
- The only AM proposal is Ron's. Enabling signing meets the requirements; if a site can't do that, it could use Ron's compensating control.
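As an added example (not from the working group or the Cookbook), the two checks above on a domain controller in PowerShell: whether the DC requires LDAP signing, and which identities are still binding unsigned so they can be flagged for an assurance downgrade. It assumes it runs on a DC with administrator rights and that the event 2889 message text has the layout matched by the regexes.

```powershell
# Added example (not part of the working-group notes): check whether a domain
# controller requires LDAP signing, and list the clients that still bind without
# signing so their identities can be flagged for assurance downgrade.
# Assumes it runs on a DC as an administrator; the 2889 message regex is an assumption.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

function Get-LdapSigningRequirement {
    # LDAPServerIntegrity: 1 = None, 2 = Require signing (the "Domain controller:
    # LDAP server signing requirements" policy writes this value).
    $v = (Get-ItemProperty -Path "$ntds\Parameters" -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($v -eq 2) { 'Require signing' } else { 'None (unsigned binds accepted)' }
}

function Enable-UnsignedBindLogging {
    # Setting "16 LDAP Interface Events" to 2 makes the DC log event 2889 for
    # every unsigned SASL bind or simple bind over cleartext LDAP.
    Set-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBinds {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message layout: "Client IP address: <ip>:<port> ...
            # Identity the client attempted to authenticate as: <identity>"
            $ip = if ($_.Message -match 'Client IP address:\s*([^\s]+)') { $Matches[1] } else { '?' }
            $id = if ($_.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; ClientIP = $ip; Identity = $id }
        }
}

"LDAP server signing requirement: $(Get-LdapSigningRequirement)"
# One row per identity seen binding without signing in the last day, with the
# most recent client address; this list is what an IdP would check before
# asserting Silver for that user.
Get-UnsignedLdapBinds -Hours 24 |
    Group-Object Identity |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{ Identity = $_.Name; Binds = $_.Count; LastClientIP = $latest.ClientIP; LastSeen = $latest.Time }
    } | Format-Table -AutoSize
```

Run Enable-UnsignedBindLogging once first; without the diagnostics setting the DC only writes the daily 2887 summary, not per-client 2889 events.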
4.2.3.6 Strong Protection of Authn Secrets
1b. Protected Channel
Provisioning issue (WA has homegrown code)
Native issue for AD password replication among AD servers
Lee uses IPSec
Remove provisioning (not native AD) and keep replication
Keep a note about provisioning for implementers and off-site data centers
But focus on the synchronization
Note about the Cookbook: provide clear direction on which practices clear the bar and which require AM.
Next Call: Discuss Ron's AM -
Update on Bit Locker
Update the table? 2 & 3 – Mark Rank
Update the table – Michael
4.2.5.1, 4.2.5.2, 4.2.8.2.1 – can we refer back up? - Eric. If we can determine how to handle protected channels, these may fall under that. Eric will review whether there are other gaps outside protected channels.
Domain Channel replication – Lee UCSD