
| No. | Requirement | DS | LDS | FS | RMS | AAD [1] |
|---|---|---|---|---|---|---|
| 4.2.3.4 | Stored Authentication Secrets | No salt in hash [2]; not a FIPS-approved method [2]; can support low-strength methods (LM, NTLM) | No salt in hash [2]; not a FIPS-approved method [2]; can support low-strength methods (LM, NTLM) | n/a | n/a | OOS (out of scope) |
| 4.2.3.5 | Basic Protection of Authentication Secrets | Potential alternative credential issues (e.g., certs, cross-realm trust); cached credentials; Non-plaintext | Potential alternative credential issues (e.g., certs, cross-realm trust); cached credentials; Non-plaintext | n/a | n/a | OOS |
| 4.2.3.6 | Strong Protection of Authentication Secrets | Potential alternative credential issues (e.g., certs, cross-realm trust); cached credentials (claims "generally meets the standard"); potential non-Protected Channels; requires policy for 3rd-party risk mitigation | Potential alternative credential issues (e.g., certs, cross-realm trust); cached credentials (claims "generally meets the standard"); potential non-Protected Channels; requires policy for 3rd-party risk mitigation | n/a | n/a | OOS |
| 4.2.4.5 | Resist Token Issuance Tampering Threat? | (Need reference; probably meets this) | (Need reference; probably meets this) | (Need reference; probably meets this) | n/a | OOS |
| 4.2.5.1 | Resist Replay Attack | Can support low-strength methods (LDAP bind, LM); Kerberos replay concerns | Can support low-strength methods (LDAP bind, LM); Kerberos replay concerns | Can support low-strength methods (LDAP bind) | n/a | OOS |
| 4.2.5.2 | Resist Eavesdropper Attack | Can support low-strength methods (LDAP bind, LM) | Can support low-strength methods (LDAP bind, LM) | Can support low-strength methods (LDAP bind) | n/a | OOS |
| 4.2.5.3 | Secure Communication | Handled via Non-plaintext (B); requires Protected Channels + policy (S) | Handled via Non-plaintext (B); requires Protected Channels + policy (S) | Handled via Non-plaintext (B); requires Protected Channels + policy (S) | n/a | OOS |
| 4.2.5.4 | Resist Session Hijacking Threat? | ? | ? | (Need reference?) | n/a | OOS |

LEGEND:

DS = Domain Services, i.e., domain controllers and associated functions

LDS = Lightweight Directory Services, formerly "ADAM/Active Directory Application Mode"

FS = Federation Services; authenticates and provides attributes, but has no independent password store

RMS = Rights Management Services; supports DRM services

AAD = Azure Active Directory

[1] Azure Active Directory is out of scope for our purposes. In one mode AAD is a cloud hosting of Active Directory, in which case the issues are not specific to AD but are general ones regarding cloud-hosted services. The other AAD functions are beyond the scope of an enterprise-managed AD domain and so are also considered out of scope.

[2] The fact that these specific requirements are not met does not in itself mean the protection is insufficient, just that it does not meet the letter of the requirements.