
AD-Assurance Notes from March 22

Mark Rank, UCSF

David Walker, InCommon/Internet2

Michael Brogan, UWash

Jeff Capehart, UFL

Ron Thielen, UChicago

Lee Amenya, UCSD

Jeff Whitworth, UNC-Greensboro

Eric Goodman, UCOP

Ann West, InCommon/Internet2

Next Call

March 29 at Noon ET

+1-734-615-7474 PREFERRED

+1-866-411-0013

0195240#

Action Items

Old

Ann will work with Debbie Bucci (NIH) to set up calls with Federal Agencies that have certified IdPs.

New

Notes

Ron would like your thoughts on a philosophy for the audit process that addresses some of the requirements. Parking lot.

If you do these things, you meet the requirement. You can meet the requirement by satisfying 2 by doing the following. Would like to do this with passwords, though, so we can consider

Matrix

4.2.3.4 only need to address one of the 3 password storage alternatives

Alternative 2 -

BitLocker – Ron Thielen has the links and will mail them to the group.

  • Decrypts sectors as they are read, which meets the requirement that secrets are only decrypted when immediately needed for authn.
  • Can optionally use AES-256, which is an approved algorithm.

Using FIPS 140-2 encrypted hard drives

4.2.3.5 Basic Protection of authn Secrets

  1. There are tools to access the file, but the admin can't just peruse the file. No gaps.
  2. Disable LDAP if you don't have an encrypted channel. Poses a problem for Mac clients. Cookbook calls out what the operational issues are. The signing issue is not just a Mac issue; it's a Samba and Linux desktop issue too.
    1. AM – Network monitoring. Monitor LDAP binds for signing; if we see someone with Silver, downgrade their assurance level.
    2. The only AM proposal is Ron's. Enabling signing meets the requirements. If a site can't do that, it could use Ron's compensating control.
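Ron's compensating control above (watch LDAP binds for signing and downgrade Silver accounts seen binding without it), as an added example that is not code from the working group. It assumes the domain controllers have LDAP interface diagnostics turned up so that Directory Service event 2889 is logged for each unsigned bind; the event lines, user names and Silver list below are constructed samples.

```python
import re
from collections import defaultdict

# Regex over the message body of Directory Service event 2889. Assumption: the
# three fields appear in this order; Binding Type 0 = SASL bind without signing,
# 1 = simple bind over cleartext. Signed binds never produce a 2889 event.
EVENT_2889 = re.compile(
    r"Client IP address:\s*(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s+"
    r"Binding Type:\s*(?P<btype>[01])"
)
BINDING_TYPES = {"0": "SASL bind without signing", "1": "simple bind over cleartext"}

# Constructed sample events; not captured from any real domain.
SAMPLE_EVENTS = [
    "Client IP address: 10.1.2.3:51001 Identity the client attempted to authenticate as: EXAMPLE\\alice Binding Type: 1",
    "Client IP address: 10.1.2.3:51002 Identity the client attempted to authenticate as: EXAMPLE\\alice Binding Type: 1",
    "Client IP address: 10.4.5.6:60210 Identity the client attempted to authenticate as: EXAMPLE\\bob Binding Type: 0",
    "Client IP address: 10.7.8.9:40115 Identity the client attempted to authenticate as: EXAMPLE\\svc-backup Binding Type: 0",
]

# Constructed: accounts the IdP currently asserts at Silver.
SILVER_USERS = {"alice", "carol"}


def parse_event(message):
    """Return the unsigned-bind fields from one 2889 message, or None if it does not match."""
    m = EVENT_2889.search(message)
    if not m:
        return None
    user = m.group("identity").rsplit("\\", 1)[-1].lower()  # drop the DOMAIN\ prefix
    return {"ip": m.group("ip"), "user": user, "binding": BINDING_TYPES[m.group("btype")]}


def downgrade_candidates(messages, silver_users):
    """Map each Silver user seen binding without signing to the client IPs involved."""
    seen = defaultdict(set)
    for msg in messages:
        ev = parse_event(msg)
        if ev and ev["user"] in silver_users:
            seen[ev["user"]].add(ev["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}


if __name__ == "__main__":
    for user, ips in downgrade_candidates(SAMPLE_EVENTS, SILVER_USERS).items():
        print(f"{user}: unsigned LDAP bind from {', '.join(ips)} -> downgrade from Silver")
```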

4.2.3.6 Strong Protection of Authn Secrets

1b. Protected Channel

Provisioning issue (WA has homegrown code)

Native issue for AD password replication among AD servers

Lee uses IPSec

Remove provisioning (not native AD) and keep replication

Keep a note about provisioning for implementers and off-site data centers

But focus on the synchronization

Note about the Cookbook: Provide clear direction of practices that clear the bar and which ones require AM.

Next Call:

  • Discuss Ron's AM
  • Update on BitLocker
  • Update the table? 2 & 3 – Mark Rank
  • Update the table – Michael
  • 4.2.5.1, 4.2.5.2, 4.2.8.2.1 – can we refer back up? – Eric. If we can determine how to handle protected channels, these may fall under that. Eric will review whether there are other gaps outside protected channels.
  • Domain channel replication – Lee, UCSD
