From: "Christopher D. Clausen"
Subject: Re: [krbdev.mit.edu #5821] REQ: in-registry keytab support
Date: Thu, 18 Oct 2007 16:15:26 -0500

Sam Hartman via RT wrote:
> Hi. I'm concerned about a mechanism that makes it this easy to reuse
> keys. Your example of a cluster of web servers using HTTP/clustername
> is OK; that's a case where you need to reuse keys.
>
> However, many of the other examples are cases where reusing keys would
> significantly harm security. The AFS case is particularly alarming.
> Pushing out the same key for anonymous cell access would decrease
> security by allowing anyone with this key to impersonate the cell.

Impersonating an anonymous user is actually what one would want in some environments. (Say non-AD joined machines. Copying a registry file and importing it may be simpler than setting up a file path, etc. A single registry key can contain all the needed configuration info.) The fact that you are actually authenticating but still an anonymous user allows for OpenAFS to enable encryption to the cell. This is a FEATURE in this case. (Well, it will hopefully soon be an OpenAFS feature.)
I mean I can currently set a keytab file up on a world readable network share. Taking a file and putting it in the registry doesn't fix the ability of someone to do something stupid.

> I'm also concerned about whether group policy has the appropriate
> confidentiality protection for this use.
> How is group policy pushed to a machine?

Group policy is generally implemented as a set of files in the SYSVOL share on the domain controller. I'm not sure if a higher level of protection is granted to these files over normal CIFS traffic to the DC. I suspect not. Again though, the ease of configuration may outweigh the security risk in certain environments.

Also note that this would not be used for per-machine host keys, which would be generated when the machine is joined to the domain. (A needed step before Group Policy can be applied to the computer.)

> Is it encrypted in transit?

I do not know if GPO traffic is encrypted. You can of course force encryption to the DC using IPsec or with the security levels on the CIFS traffic.

> Can a machine find out the group policy of someone else?

Yes, it can by default. It would be up to the GPO creator to properly ACL the Group Policy Object itself to restrict access to the proper computer accounts or users.