Issue Number | 3746 |
---|---|
Summary | CDR Service: NIH Active Directory Integration Spike Solution |
Created | 2014-03-25 13:24:51 |
Issue Type | Task |
Submitted By | chengep |
Assigned To | Kline, Bob (NIH/NCI) [C] |
Status | Closed |
Resolved | 2014-06-24 16:14:39 |
Resolution | Fixed |
Path | /home/bkline/backups/jira/ocecdr/issue.121452 |
Security Vulnerability: Identity/Password Management
Affects: CDR Service, CDR Admin Tool Web Site
Background/Issue Description:
The Information System Security Office (ISSO) indicated that portions of
the CDR system do not provide standard account management safeguards.
OCE needs to investigate the feasibility of mitigating this vulnerability
by integrating the CDR Service and CDR Admin Tool Web Site with NIH
Active Directory (AD). Integration with NIH AD requires a high level of
effort (LOE) due to the complexity of the CDR Service and the compatibility
of the underlying technology; similarly, integration with NIH AD
requires a high LOE due to the complexity of the CDR Admin Tool.
OCE has already hashed user passwords stored in the CDR database with the SHA-1 cryptographic hash function, enabled user account lockout after 10 failed login attempts, and required users to choose strong passwords. However, the ISSO has asked us to look into fully integrating with the NIH AD.
Task Description:
This task is to look at the code and prototype a solution. The lessons
learned from the prototype will further inform the feasibility of
integrating the CDR Service and Admin Tool with NIH AD. It is important
to note that the password management remediation is the same for both
the CDR Service and CDR Admin Tool. Therefore any password management
solution put in place for the CDR Service can be applied to or reused by
the CDR Admin Tool.
Initial LOE:
Estimate is that it will take 40 hours to do the prototype.
For the CDR administrative interface, we are assuming that the existing authorization mechanism will meet the requirement (as opposed to a separate requirement that we force all traffic with the web server to go through a separate authentication mechanism).
Created (with assistance from Bryan) and tested proof of concept for validating Windows domain credentials using IIS with DIGEST mode. Added table win_usr. Modified server code to create login session from Windows NIH domain account name.
R12660 /branches/Ampere/XMetaL/CdrClient/TestSecureLogin.cpp
R12661 /branches/Ampere/Database/tables.sql
R12662 /branches/Ampere/Server/CdrLogon.cpp
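The proof of concept above hands an already-authenticated Windows domain account name from IIS to the CDR server, which maps it through a win_usr table to a CDR user and opens a session. The following is an added illustration of that mapping step, not code from the CDR repository or the revisions listed above. It assumes IIS has finished Digest authentication and passes the account name (the form varies by IIS configuration: `NIH\user`, `user@nih.gov`, or bare `user`); the `usr`, `win_usr` and `session` table layouts, the trusted domain and UPN suffix, the session lifetime, and the sample accounts are all assumptions constructed for the example.

```python
"""Map an IIS-authenticated Windows domain account to a CDR login session.

Added example, not CDR project code. Assumptions: IIS (Digest mode) has
already verified the credentials and supplies the account name; a
hypothetical win_usr table links a domain account to a usr row; table
and column names below are invented for illustration.
"""
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

TRUSTED_DOMAIN = "NIH"            # assumption: only NIH domain accounts are accepted
DOMAIN_SUFFIX = "nih.gov"         # assumption: UPN suffix of that same domain
SESSION_TTL = timedelta(hours=8)  # assumption: session lifetime

# Assumed schema (SQLite stand-in for the real CDR database).
SCHEMA = """
CREATE TABLE usr (id INTEGER PRIMARY KEY, name TEXT NOT NULL, expired TEXT);
CREATE TABLE win_usr (usr INTEGER NOT NULL REFERENCES usr(id),
                      win_name TEXT NOT NULL UNIQUE COLLATE NOCASE);
CREATE TABLE session (name TEXT PRIMARY KEY, usr INTEGER NOT NULL,
                      initiated TEXT NOT NULL, expires TEXT NOT NULL);
"""

# Characters that cannot appear in a sAMAccountName; anything else is garbage.
INVALID_CHARS = set('"/\\[]:;|=,+*?<>')


def normalize_account(raw):
    """Return the lowercase account name if it belongs to the trusted domain,
    otherwise None. Handles DOMAIN\\user, user@suffix and bare user forms."""
    raw = raw.strip()
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
        if domain.upper() != TRUSTED_DOMAIN:
            return None
    elif "@" in raw:
        user, _, suffix = raw.partition("@")
        if suffix.lower() != DOMAIN_SUFFIX:
            return None
    else:
        user = raw
    if not user or INVALID_CHARS.intersection(user):
        return None
    return user.lower()


def logon_from_windows_account(conn, raw_account, now=None):
    """Create a CDR session for an IIS-authenticated domain account.

    Returns the new session name; raises PermissionError when the account is
    outside the trusted domain, has no win_usr mapping, or maps to an expired
    CDR user. The caller must only pass names obtained from the IIS
    authentication path, never a client-supplied parameter.
    """
    user = normalize_account(raw_account)
    if user is None:
        raise PermissionError("account not in trusted domain")
    row = conn.execute(
        "SELECT u.id, u.expired FROM win_usr w JOIN usr u ON u.id = w.usr "
        "WHERE w.win_name = ?", (user,)).fetchone()
    if row is None:
        raise PermissionError("no CDR account mapped to this Windows account")
    usr_id, expired = row
    now = now or datetime.now(timezone.utc)
    if expired and datetime.fromisoformat(expired) <= now:
        raise PermissionError("CDR account is expired")
    name = secrets.token_hex(16)  # 128-bit random session identifier
    conn.execute(
        "INSERT INTO session (name, usr, initiated, expires) VALUES (?, ?, ?, ?)",
        (name, usr_id, now.isoformat(), (now + SESSION_TTL).isoformat()))
    conn.commit()
    return name


def build_demo_db():
    """Constructed sample data (not real accounts): alice is active, bob expired."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO usr (id, name, expired) VALUES (?, ?, ?)",
                     [(1, "alice", None), (2, "bob", "2014-01-01T00:00:00+00:00")])
    conn.executemany("INSERT INTO win_usr (usr, win_name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def demo():
    """Run the mapping over several account-name forms; returns the outcomes."""
    conn = build_demo_db()
    outcomes = {}
    for raw in ["NIH\\Alice", "alice@nih.gov", "bob", "OTHER\\alice", "mallory"]:
        try:
            outcomes[raw] = "session " + logon_from_windows_account(conn, raw)
        except PermissionError as err:
            outcomes[raw] = "denied: " + str(err)
    return outcomes


if __name__ == "__main__":
    for account, outcome in demo().items():
        print(f"{account:16} -> {outcome}")
```

The point of the normalization step is that the mapping trusts whatever name reaches it, so the name must come only from the IIS-authenticated request path and be checked against the expected domain before the lookup; an account from another domain, or one with no win_usr row, gets no session regardless of whether IIS accepted its credentials.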