<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="549321d3-4e09-40b1-a60f-171c9d7dd8a5"><ac:plain-text-body><![CDATA[ | | | DS | LDS | FS | RMS | AAD [1] | ]]></ac:plain-text-body></ac:structured-macro>
| | | | | | | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9f3ae8c1-4e98-4d2a-81d2-6af84e10aa18"><ac:plain-text-body><![CDATA[
| 4.2.3.4 | Stored Authentication Secrets | No Salt in Hash [2] | No Salt in Hash [2] | n/a | n/a | OOS |
| 4.2.3.5 | Basic Protection of Authentication Secrets | Potential alternative credential issues | Potential alternative credential issues | n/a | n/a | OOS |
| 4.2.3.6 | Strong Protection of Authentication Secrets | Potential alternative credential issues | Potential alternative credential issues | n/a | n/a | OOS |
| | | | | | | |
| 4.2.4.5 | Resist Token Issuance Tampering Threat? | (Need reference; probably meets this) | (Need reference; probably meets this) | (Need reference; probably meets this) | n/a | OOS |
| | | | | | | |
| 4.2.5.1 | Resist Replay Attack | Can support low-strength methods (LDAP bind, LM) | Can support low-strength methods (LDAP bind, LM) | Can support low-strength methods (LDAP bind) | n/a | OOS |
| 4.2.5.2 | Resist Eavesdropper Attack | Can support low-strength methods (LDAP bind, LM) | Can support low-strength methods (LDAP bind, LM) | Can support low-strength methods (LDAP bind) | n/a | OOS |
| 4.2.5.3 | Secure Communication | Handled via Non-plaintext (B) | Handled via Non-plaintext (B) | Handled via Non-plaintext (B) | n/a | OOS |
| 4.2.5.4 | Resist Session Hijacking Threat? | ? | ? | (Need reference?) | n/a | OOS |
LEGEND:
DS=Domain Services; i.e., domain controllers and associated functions
LDS=Lightweight Directory Services, formerly "ADAM/Active Directory Application Mode"
FS=Federation Services, authenticates and provides attributes, but no independent password store
RMS=Rights Management Services, supports DRM services
AAD=Azure Active Directory
[1] Azure Active Directory. For our purposes, this is out of scope. In one mode, AAD is a cloud hosting of Active Directory, in which case the issues are not specific to AD but are general to cloud-hosted services. The other AAD functions are beyond the scope of an enterprise-managed AD domain and so are also considered out of scope.
[2] The fact that these specific requirements are not met does not implicitly mean the protection is insufficient, just that it doesn't meet the letter of the requirements.