Solved

FIPS Encryption and TLS

Posted on 2013-11-04
Last Modified: 2013-11-15
Hello

I need to apply FIPS and TLS on all Servers RDP Connections.

So I'm basically requiring

Security Layer : TLS
Encryption Layer : FIPS

But I need to understand the concepts and requirements before I make the changes.

---
I've read the following related article, but I'm unsure if "RDP Channel" refers to the RDP Security Layer setting or to RDP overall?

http://support.microsoft.com/kb/811833
thanks
Question by:nico-
9 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 39623407
The registry modifications to the Schannel/crypt section limit the encryption options available for the connections, i.e. 128-bit and higher.
Then the encryption options are limited. Note this restriction is applicable to all SSL on the server, including IIS.
 

Author Comment

by:nico-
ID: 39623616
Hello

Thank you for the reply but that didn't really answer the question.

I'm specifically after finding out if FIPS is dependent on TLS.

Thanks
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39623639
FIPS is a set of standards.

For example, FIPS 197 details the AES cipher, whereas FIPS 140 details the security requirements for cryptography modules.

You can use FIPS-compliant features in conjunction with TLS, not only with TLS.
 

Author Comment

by:nico-
ID: 39623705
Hi Craig Beck

Would you mind sending an article or something that gives some more description of how FIPS-compliant features can be used with TLS but not exclusively? I'm searching around at the same time, as I'm using FIPS and Negotiate, but I'm looking for an article that explains the "You can use FIPS-compliant features in conjunction with TLS, not only with TLS." bit in more detail.

Thanks
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39623824
Ok, so are you talking about FIPS 140-2 specifically, for example?

If so, then yes you must use TLS when implementing FIPS-compliant security.
 

Author Comment

by:nico-
ID: 39623843
Hi Craig Beck

Would you mind backing the comments up with references to TechNet articles/forum articles, please?

Thank you
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39623886
The link you posted pretty much explains everything you need to know...

From the link -

> System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
>
> This policy is only advisory to applications. Therefore, if you enable the policy, it does not make sure that all applications will comply. The following areas in the operating system will be affected by this setting:
>
> This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on a server that is running IIS, only Web browsers that support TLS 1.0 can connect. If this setting is enabled on a client, all Schannel clients, such as Microsoft Internet Explorer, can only connect to servers that support the TLS 1.0 protocol. For a list of cipher suites supported when the setting is enabled see the Cipher Suites in Schannel topic.

The key here is "This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol."

You can use other FIPS-compliant protocols and ciphers for different uses, but in this case TLS must be used, as the link explains.
 

Author Comment

by:nico-
ID: 39624032
I've been asking around the security section here, and the thoughts on that setting you mention are that it is system-wide.

Creating a GPP which sets the MinEncryptionLevel to 4 would appear to only affect RDP:

Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp

The security layer is set to Negotiate.

I suppose I'll only really know if I set the TS Client setting to Require Authentication.
The security layer set to Negotiate doesn't guarantee TLS.
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 39624210
A lot lies not only on the client but also on the server, as both negotiate for the common crypto suite. By default, RDP contains the following significant risks that should be addressed before placing an RDP server into production. FIPS and TLS are just one aspect of crypto (even then, the BEAST attack and the SSL THC attack have had their past wins); I see we need a more complete picture for a secure implementation:

Private key disclosure - certificate use
Use of weak encryption for RDP communications - high level encryption
Use of weak encryption for RPC over RDP communications - enforce policy
Acceptance of stored login credentials on clients - use existing authentication
Enabling Network Layer Authentication - network sec layered to deter mitm and replay

http://www.fishnetsecurity.com/6labs/blog/remote-desktop-protocol-security-creating-successful-implementation
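As an added example (not code from this thread or from any of its posters), the following PowerShell audit reads the RDP-Tcp listener values that nico- and btan discuss, together with the system-wide FIPS policy, and reports whether a host actually enforces "Security Layer: TLS, Encryption Level: FIPS" with Network Level Authentication. The registry paths and value names are the standard Terminal Server and LSA ones; the pass/fail logic is the example's own.

```powershell
# Added audit example, not code from the thread. Reads the RDP-Tcp listener
# settings plus the system-wide FIPS policy and reports whether the host
# actually enforces "Security Layer: TLS / Encryption Level: FIPS" with NLA.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent so the report can say "not set"
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Describe($Value, [hashtable]$Names) {
    if ($null -eq $Value) { return 'not set (OS default applies)' }
    if ($Names.ContainsKey([int]$Value)) { return "$($Names[[int]$Value]) ($Value)" }
    return "unknown ($Value)"
}

$securityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$encryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$onOff            = @{ 0 = 'Off'; 1 = 'On' }

$secLayer = Get-RegDword $rdpKey  'SecurityLayer'
$minEnc   = Get-RegDword $rdpKey  'MinEncryptionLevel'
$nla      = Get-RegDword $rdpKey  'UserAuthentication'
$fipsOn   = Get-RegDword $fipsKey 'Enabled'

$findings = @()
# Negotiate (1) still allows a client to fall back to the legacy RDP security
# layer, so it does not guarantee TLS; only SSL (2) requires it.
if ($secLayer -ne 2) { $findings += "SecurityLayer = $(Describe $secLayer $securityLayers): TLS not required" }
if ($minEnc -ne 4)   { $findings += "MinEncryptionLevel = $(Describe $minEnc $encryptionLevels): FIPS (4) not enforced" }
if ($nla -ne 1)      { $findings += "UserAuthentication = $(Describe $nla $onOff): NLA not required" }
# The system-wide policy is what restricts Schannel (and therefore RDP over
# TLS) to FIPS-approved algorithms; the listener setting alone does not.
if ($fipsOn -ne 1)   { $findings += "FipsAlgorithmPolicy\Enabled = $(Describe $fipsOn $onOff): FIPS policy off" }

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    SecurityLayer      = Describe $secLayer $securityLayers
    MinEncryptionLevel = Describe $minEnc $encryptionLevels
    NetworkLevelAuth   = Describe $nla $onOff
    FipsPolicyEnabled  = Describe $fipsOn $onOff
    Compliant          = ($findings.Count -eq 0)
    Findings           = $findings
}
```

Run it in an elevated session on each RDP host (or via Invoke-Command) and treat any non-empty Findings as a policy gap; after a GPP change, re-run it to confirm the values actually landed on the listener.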
