| IAP v1.2 Section | Requirements (paraphrased) | AD-DS | Gaps |
|---|---|---|---|
| 4.2.3.4 - Stored Authentication Secrets (S) | Do not store passwords as plaintext. Limit access to admins and apps that require access. | Passwords are stored in the ntds.dit database as NT hashes (and as LM hashes unless LM hash storage is disabled), not as plaintext; the stored hashes are additionally encrypted with the Password Encryption Key, which is itself protected by the system boot key. The operating system normally prevents access to the file, which the directory service holds open while it runs. Backups, shadow copies and replication partners receive the same hashes, so access to those must be limited to the same admins. An account with "Store password using reversible encryption" set keeps a recoverable password and would not meet this requirement. | No gaps. |
| 4.2.3.5 - Basic Protection of Authentication Secrets (B) | 1. Do not store passwords as plaintext. Limit access to admins and apps that require access. | 1. As for 4.2.3.4: passwords are stored in ntds.dit as hashes, not as plaintext, and the operating system normally prevents access to the file. | 1. No gaps. |
| 4.2.3.6 - Strong Protection of Authentication Secrets (S) | 1a. Any credential store with passwords used by the IdP or verifier is subject to 4.2.3.4 and 4.2.8. | 1a. See the relevant sections in this table. | 1a. See the relevant sections in this table. |
| 4.2.5.1 - Resist Replay Attack (B, S) | Ensure it is impractical to achieve authentication by recording and replaying a previous authentication message. | AD DS can still be configured to accept low-strength methods (simple LDAP bind, LM/NTLMv1). Kerberos relies on the authenticator timestamp and the service's replay cache to reject replays within the permitted clock skew (5 minutes by default). | |
| 4.2.5.2 - Resist Eavesdropper Attack (B, S) | Ensure it is impractical to learn the password, or otherwise obtain information that would allow impersonation of a subject, by network eavesdropping. | AD DS can still be configured to accept low-strength methods: a simple LDAP bind sends the password in the clear unless TLS is enforced, and LM/NTLMv1 responses captured on the network can be cracked offline. | |
| 4.2.8.2.1 - Network Security (S) | Protected Channels should be used for communication between IdMS systems. | | |
|
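The AD-DS column above names the settings that decide whether the 4.2.3.x and 4.2.5.x rows actually hold for a given domain: LM hash storage, reversible encryption on accounts, acceptance of LM/NTLMv1, and unsigned simple LDAP binds. The following PowerShell audit is an added example, not part of the original gap analysis, and is the check a practitioner would run on a domain controller before marking those rows "No gaps". It assumes it is run elevated on a DC with the ActiveDirectory module installed; the registry value names and the userAccountControl bit are Microsoft's documented ones, while the pass thresholds (NTLMv2 only, signing and channel binding required) are this example's choice.

```powershell
# Added example (not from the original gap analysis): audit the domain controller
# this runs on for the weak storage and authentication methods named in the table.
# Assumptions: elevated session on a DC; ActiveDirectory module available.
Import-Module ActiveDirectory

$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default)
    # A missing value means the Windows default applies; report that default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function New-Finding {
    param([string]$Section, [string]$Check, $Value, [bool]$Pass)
    [pscustomobject]@{ Section = $Section; Check = $Check; Value = $Value; Pass = $Pass }
}

$findings = @()

# 4.2.3.4 / 4.2.3.5: an LM hash is DES over an upper-cased, 14-character password
# and is recovered in minutes once read from ntds.dit; NoLMHash=1 stops storing it.
$noLmHash = Get-RegDword $Lsa 'NoLMHash' 0
$findings += New-Finding '4.2.3.4' 'LM hash storage disabled (NoLMHash = 1)' $noLmHash ($noLmHash -eq 1)

# 4.2.3.4: ENCRYPTED_TEXT_PWD_ALLOWED (userAccountControl bit 0x80) keeps the password
# reversibly encrypted, which is plaintext to anyone who can read the database.
$reversible = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
                Select-Object -ExpandProperty SamAccountName)
$findings += New-Finding '4.2.3.4' 'No accounts with reversible encryption' ($reversible -join ', ') ($reversible.Count -eq 0)

# 4.2.5.1 / 4.2.5.2: LmCompatibilityLevel 5 makes the DC refuse LM and NTLMv1 responses,
# which can be captured on the wire and cracked offline to the NT hash.
$lmLevel = Get-RegDword $Lsa 'LmCompatibilityLevel' 3
$findings += New-Finding '4.2.5.x' 'LmCompatibilityLevel = 5 (refuse LM and NTLMv1)' $lmLevel ($lmLevel -eq 5)

# 4.2.5.2: a simple bind sends the password in the clear; LDAPServerIntegrity=2 rejects
# simple binds on non-TLS connections and requires signing for SASL binds.
$ldapSigning = Get-RegDword $Ntds 'LDAPServerIntegrity' 1
$findings += New-Finding '4.2.5.2' 'LDAP signing required (LDAPServerIntegrity = 2)' $ldapSigning ($ldapSigning -eq 2)

# 4.2.5.1: channel binding ties an LDAPS bind to its TLS session so a relayed bind cannot be
# replayed on another connection (value exists on DCs with the 2017 or later LDAP updates).
$channelBinding = Get-RegDword $Ntds 'LdapEnforceChannelBinding' 0
$findings += New-Finding '4.2.5.1' 'LDAPS channel binding enforced (LdapEnforceChannelBinding = 2)' $channelBinding ($channelBinding -eq 2)

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass })
Write-Host ("{0} of {1} checks failed" -f $failed.Count, $findings.Count)
exit $failed.Count
```

Each row in the output maps back to an IAP section, so a failed check is the entry for the Gaps column of that row. Registry values read here reflect the local DC only; in a multi-DC domain the same settings should be delivered by Group Policy to the Domain Controllers OU and the script run on each DC.
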
Definitions from the Identity Assurance Assessment Framework:
- Approved Algorithm - Any implementation of an algorithm or technique specified in a FIPS standard or NIST recommendation, or any algorithm or technique that conforms to an alternative means identified by InCommon as approved for specified IAPs.
- Protected Channel - A Protected Channel uses cryptographic methods that implement an Approved Algorithm to provide integrity and confidentiality protection, resistance to replay and man-in-the-middle attacks, and mutual authentication.