Sam Hartman via RT wrote:
> Hi. I'm concerned about a mechanism that makes it this easy to reuse
> keys. Your example of a cluster of web servers using HTTP/clustername
> is OK; that's a case where you need to reuse keys.
>
> However, many of the other examples are cases where reusing keys would
> significantly harm security. The AFS case is particularly alarming.
> Pushing out the same key for anonymous cell access would decrease
> security by allowing anyone with this key to impersonate the cell.

Impersonating an anonymous user is actually what one would want in some environments. (Say non-AD joined machines. Copying a registry file and importing it may be simpler than setting up a file path, etc. A single registry key can contain all the needed configuration info.) The fact that you are actually authenticating but still an anonymous user allows OpenAFS to enable encryption to the cell. This is a FEATURE in this case. (Well, it will hopefully soon be an OpenAFS feature.)

I mean I can currently set a keytab file up on a world-readable network share. Taking a file and putting it in the registry doesn't fix the ability of someone to do something stupid.

> I'm also concerned about whether group policy has the appropriate
> confidentiality protection for this use.
> How is group policy pushed to a machine?

Group policy is generally implemented as a set of files in the SYSVOL share on the domain controller. I'm not sure if a higher level of protection is granted to these files over normal CIFS traffic to the DC. I suspect not. Again though, the ease of configuration may outweigh the security risk in certain environments.

Also note that this would not be used for per-machine host keys, which would be generated when the machine is joined to the domain. (A needed step before Group Policy can be applied to the computer.)

> Is it encrypted in transit?

I do not know if GPO traffic is encrypted. You can of course force encryption to the DC using IPsec or with the security levels on the CIFS traffic.

> Can a machine find out the group policy of someone else?

Yes, it can by default. It would be up to the GPO creator to properly ACL the Group Policy Object itself to restrict access to the proper computer accounts or users.
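A check for that last point, added here as an example and not part of the thread: the GroupPolicy module's Get-GPO and Get-GPPermission cmdlets list which trustees can read each GPO, so any GPO that would carry key material can be flagged when a broad principal holds read. The list of "broad" principals and the function name are my assumptions.

```powershell
# Added example (not from the thread): audit which GPOs in the domain are readable by
# broad principals. A GPO that carries a keytab or other key material should appear only
# with narrowly scoped trustees. Requires the GroupPolicy (RSAT) module and rights to
# read GPO ACLs.
Import-Module GroupPolicy

# Assumed list of principals that effectively mean "any domain member can read this GPO".
$BroadPrincipals = @('Authenticated Users', 'Everyone', 'Domain Computers', 'Domain Users')

function Get-BroadlyReadableGpo {
    param(
        [string[]]$Broad = $BroadPrincipals
    )
    foreach ($gpo in Get-GPO -All) {
        # -All returns one GPPermission per trustee; Permission is a GPPermissionType
        # (None, GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity, GpoCustom).
        $perms = Get-GPPermission -Guid $gpo.Id -All
        foreach ($p in $perms) {
            if ($p.Permission -eq 'None') { continue }
            if ($Broad -contains $p.Trustee.Name) {
                [pscustomobject]@{
                    GpoName    = $gpo.DisplayName
                    GpoId      = $gpo.Id
                    Trustee    = $p.Trustee.Name
                    Permission = $p.Permission
                }
            }
        }
    }
}

# Report: every GPO where a broad principal has read or better.
Get-BroadlyReadableGpo | Sort-Object GpoName, Trustee | Format-Table -AutoSize
```

Narrowing a flagged GPO means granting GpoRead/GpoApply to a group containing only the intended computer accounts instead of to Authenticated Users; removing read entirely breaks application on the machines that need it.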