Can I get confirmation that these are the correct GPO settings and it covers everything in this notice?
Further, if a laptop has the disk encrypted, is it still required to disallow cached passwords? I'm just assuming that this would affect a remote user from logging in with cached credentials without some network connection. Is that right?
From: Active Directory issues at UF [mailto:[log in to unmask]] On Behalf Of Iain Moffat
Sent: Wednesday, November 30, 2011 11:30 AM
To: [log in to unmask]
Subject: [ACTIVEDIR-L] Reminder of upcoming requirements for InCommon Silver...
Reminder Notice of required UFAD and LDAP Identity Access Management upgrades!!!
In order to comply with the requirements for the upcoming InCommon Silver Certification audit, your assistance is required along with CNS for the following security enhancements to UFAD.
The audit is planned to begin in January 2012, so the changes should be made before the end of the year. That is coming soon!
Changes include:
* Secure all authentication (and non-authentication) traffic with Active Directory
    o Password traffic must take place via protected channels. Only allow connections via SSL/TLS, Kerberos, and NTLMv2. (These measures provide alignment with InCommon Silver IAP Sections 4.2.3.5 Protected Authentication Secrets, 4.2.5.1 Resist Replay Attack, 4.2.5.2 Resist Eavesdropper Attack, and 4.2.5.3 Secure Communication.)
    o Require signed LDAP traffic by setting the following GPO setting for Domain Controllers: "Domain Controller: LDAP server signing requirements" to "Require signature"
    o Require signed LDAP traffic by setting the following GPO setting for Clients (workstations and servers): "Network security: LDAP client signing requirements" to "Require signature"
    o Require Kerberos or NTLMv2 authentication by setting the following GPO setting for Domain Controllers: "Network security: LAN Manager authentication level" to "Send NTLMv2 response only/refuse LM and NTLM"
    o Require Kerberos or NTLMv2 authentication by setting the following GPO setting for Clients (workstations and servers): "Network security: LAN Manager authentication level" to "Send NTLMv2 response only"
    o Require third-party applications to be reconfigured to use SSL/TLS or signed SASL binds.
* Disable the storage of LAN Manager (LM) hash values for passwords
    o Disable the storage of LM hashes of a user's passwords in the local computer's SAM database (IAP Section 4.2.3.4 Stored Authentication Secrets)
    o Set the following GPO setting for Clients (workstations and servers): "Network security: Do not store LAN Manager hash value on next password change"
CNS is developing procedures to monitor and mitigate hosts authenticating but not in compliance with these security protocol enhancements. Colleges/Departments will be able to use these tools soon to assist with compliance of these new requirements. The tool will provide support for detection, investigation and mitigation both as we move to these more rigorous requirements and for monitoring compliance once we have achieved InCommon Certification.
For more information on the InCommon Silver Certification project at UF, please see http://www.it.ufl.edu/projects/incommonsilver.html .
Again, all colleges and departments should begin to make changes to comply with this enhancement prior to the Winter break. It is currently planned to be ready for InCommon audit during January 2012.
Please begin making the upgrades in your area soon as the January Audit is fast approaching.
If you have questions related to the UFAD and LDAP changes please work with CNS - Open Systems Group staff and the Enterprise Systems - Identity Access Management Group. Thanks for your attention and assistance in attaining the security improvements needed to ready UF for the upcoming identity security audit.
+++
Iain Moffat                      EMAIL: [log in to unmask]
Manager, Open Systems Group
Computing and Network Services   VOICE: +1 352 392 2061
University of Florida            FAX:   +1 352 392 9440
+++
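For anyone wanting to verify the settings named in the notice on a given host before the audit, the following is an added example (not part of the original thread or UF's CNS tooling) that reads the registry values behind those four GPO settings and reports pass/fail. It assumes it is run elevated on the host being checked, with -DomainController passed on a DC; the registry paths and value meanings are the standard Windows ones for those policies.

```powershell
# Audit the local host against the notice: LDAP signing, NTLMv2-only
# authentication level, and no LM hash storage. Exit code 1 on any FAIL.
param([switch]$DomainController)  # pass -DomainController when run on a DC

function Get-RegDword($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent => policy not explicitly set, OS default applies
}

$checks = @(
    @{ Setting = 'Network security: LAN Manager authentication level'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'
       # DCs must refuse LM and NTLM (level 5); clients must send NTLMv2 only (3 or higher)
       Pass = { param($v) if ($DomainController) { $v -eq 5 } else { $v -ge 3 } } },
    @{ Setting = 'Network security: Do not store LAN Manager hash value on next password change'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'
       Pass = { param($v) $v -eq 1 } },   # 1 = do not store LM hash; existing LM hashes persist until the next change
    @{ Setting = 'Network security: LDAP client signing requirements'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name = 'LDAPClientIntegrity'
       Pass = { param($v) $v -eq 2 } }    # 2 = Require signing
)
if ($DomainController) {
    $checks += @{ Setting = 'Domain Controller: LDAP server signing requirements'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name = 'LDAPServerIntegrity'
       Pass = { param($v) $v -eq 2 } }    # 2 = Require signing
}

$results = foreach ($c in $checks) {
    $v = Get-RegDword $c.Path $c.Name
    [pscustomobject]@{
        Setting = $c.Setting
        Value   = if ($null -eq $v) { '(not set)' } else { $v }
        # An unset value is reported as FAIL: the policy is not being enforced by GPO
        Status  = if ($null -ne $v -and (& $c.Pass $v)) { 'PASS' } else { 'FAIL' }
    }
}
$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }
```

Run it on a representative workstation, member server and domain controller after the GPOs have applied (gpupdate /force) to confirm the effective values match the notice.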