Solved

FIPS Encryption and TLS

Posted on 2013-11-04
9
762 Views
Last Modified: 2013-11-15
Hello

I need to apply FIPS and TLS on all Servers RDP Connections.

So I'm basically requiring

Security Layer : TLS
Encryption Layer : FIPS

But I need to under the concepts and requirements before I make the changes

---
I've read the following related article but I'm unsre if RDP Channel referes to RDP Security layer setting or overall?

http://support.microsoft.com/kb/811833




thanks
0
Comment
Question by:nico-
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39623407
The registry modifications to the schannel,crypt section limits the available encryptions available for the connections
I.e. 128 bit and higher.
Then the encryption options are limited.  Note this restriction is applicable to all SSL on the server including IIS.
0
 

Author Comment

by:nico-
ID: 39623616
Hello

Thank you for the reply but that didn't really answer the question.

I'm specifically after finding out if FIPS is dependent on TLS

Thanks
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39623639
FIPS is a set of standards.

For example, FIPS 197 details the AES cipher, whereas FIPS 140 details the security requirements for cryptography modules.

You can use FIPS-compliant features in conjunction with TLS, not only with TLS.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:nico-
ID: 39623705
Hi Craigback

would you mind sending an artcile or something that gives some more description about FIPS compliant features can be used with TLS but not exclusively.  I'm searching around at the same time as I'm using FIPS and Negotiate, but I'm looking for an article that explains the "You can use FIPS-compliant features in conjunction with TLS, not only with TLS. " bit in more detail.

Thanks
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39623824
Ok, so are you talking about FIPS 140-2 specifically, for example.

If so, then yes you must use TLS when implementing FIPS-compliant security.
0
 

Author Comment

by:nico-
ID: 39623843
Hi Craigback

Would you mind backing the comments up with references to technet articles/forum articles please ?

Thank you
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39623886
The link you posted pretty much explains everything you need to know...

From the link -
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
This policy is only advisory to applications. Therefore, if you enable the policy, it does not make sure that all applications will comply. The following of areas in the operating system will be affected by this setting:
This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on a server that is running IIS, only Web browsers that support TLS 1.0 can connect. If this setting is enabled on a client, all Schannel clients, such as Microsoft Internet Explorer, can only connect to servers that support the TLS 1.0 protocol. For a list of cipher suites supported when the setting is enabled see the Cipher Suites in Schannel topic.
The key here is "This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol."

You can use other FIPS-compliant protocols and ciphers for different uses, but in this case TLS must be used, as the link explains.
0
 

Author Comment

by:nico-
ID: 39624032
I've been asking around the security section here and the thoughts on that setting you mention is system wide.

creating a GPP which sets the minencryption level to 4 would appear to only affect RDP:-

Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp

The security layer is set to negotitate.

I suppose I'll only really know if I set the TS Client setting to Require Authentication.  
The security layer set to negotiate doesn't guarentee TLS
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 39624210
A lot lies not on the client but also the server as both negotiate for the common crypto suite. By default, RDP contains the following significant risks that should be addressed before placing an RDP server into production below. FIPS and TLS is just an aspect of crypto (even then BEAST attack and SSL THC attack has their past wins), I see we need a more complete picture for secure implementation

Private key disclosure - certificate use
Use of weak encryption for RDP communications - high level encryption
Use of weak encryption for RPC over RDP communications - enforce policy
Acceptance of stored login credentials on clients - use existing authentication
Enabling Network Layer Authentication - network sec layered to deter mitm and replay

http://www.fishnetsecurity.com/6labs/blog/remote-desktop-protocol-security-creating-successful-implementation
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question