There have been a lot of discussions recently about NSA snooping on data traffic between servers. Microsoft has been extremely quiet and evasive about where in the transfer the data is unencrypted between Microsoft Servers.
A couple of weeks ago, Ars Technica ran an article in which Microsoft’s Dorothee Belz, EMEA VP for Legal and Corporate Affairs, said “Generally, what I can say today is server-to-server transportation is generally not encrypted. This is why we are currently reviewing our security system.”
Yesterday (November 5th, 2013), Slashdot posted an article called “Microsoft’s NSA ‘Transparency’ Push Remains Pretty Opaque”. So far, nothing has changed.
So, what does this have to do with Capitalware’s MQAUSX product? Well, it goes like this: if a customer installs MQAUSX on a Windows 2003/2008/2012 Server and the MQAdmin sets the authentication target as Microsoft’s Active Directory, is there a security exposure of the user credentials?
Why am I concerned? When customers purchase MQAUSX and implement the MQAUSX client-side security exit, they expect that the user credentials will remain encrypted for the entire communication process. But with Microsoft’s silence on this issue, customers who use MQAUSX on a Windows Server do not know what to expect when MQAUSX issues a Windows API call to perform authentication against Active Directory. Is the data traffic (UserID and Password) between Windows Server and Active Directory encrypted or unencrypted? That’s my $64,000 question.
If the NSA is snooping on data traffic, then that would be one of the best places to snoop.
Therefore, until we know for sure or Microsoft issues a public statement that the data traffic is encrypted between Windows Server and Active Directory (or issues a patch), Capitalware recommends that customers switch to an authentication format that is encrypted. Since Active Directory supports LDAP V3 style authentication, Capitalware recommends using an LDAP over SSL connection to Active Directory. By doing this, no one can snoop on the user credentials as they are passed from a Windows Server to Active Directory.
Regards,
Roger Lacroix
Capitalware Inc.