Solved

FIPS Encryption and TLS

Posted on 2013-11-04
9
713 Views
Last Modified: 2013-11-15
Hello

I need to apply FIPS and TLS on all Servers RDP Connections.

So I'm basically requiring

Security Layer : TLS
Encryption Layer : FIPS

But I need to under the concepts and requirements before I make the changes

---
I've read the following related article but I'm unsre if RDP Channel referes to RDP Security layer setting or overall?

http://support.microsoft.com/kb/811833




thanks
0
Comment
Question by:nico-
9 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 39623407
The registry modifications to the schannel,crypt section limits the available encryptions available for the connections
I.e. 128 bit and higher.
Then the encryption options are limited.  Note this restriction is applicable to all SSL on the server including IIS.
0
 

Author Comment

by:nico-
ID: 39623616
Hello

Thank you for the reply but that didn't really answer the question.

I'm specifically after finding out if FIPS is dependent on TLS

Thanks
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39623639
FIPS is a set of standards.

For example, FIPS 197 details the AES cipher, whereas FIPS 140 details the security requirements for cryptography modules.

You can use FIPS-compliant features in conjunction with TLS, not only with TLS.
0
 

Author Comment

by:nico-
ID: 39623705
Hi Craigback

would you mind sending an artcile or something that gives some more description about FIPS compliant features can be used with TLS but not exclusively.  I'm searching around at the same time as I'm using FIPS and Negotiate, but I'm looking for an article that explains the "You can use FIPS-compliant features in conjunction with TLS, not only with TLS. " bit in more detail.

Thanks
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 45

Expert Comment

by:Craig Beck
ID: 39623824
Ok, so are you talking about FIPS 140-2 specifically, for example.

If so, then yes you must use TLS when implementing FIPS-compliant security.
0
 

Author Comment

by:nico-
ID: 39623843
Hi Craigback

Would you mind backing the comments up with references to technet articles/forum articles please ?

Thank you
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39623886
The link you posted pretty much explains everything you need to know...

From the link -
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
This policy is only advisory to applications. Therefore, if you enable the policy, it does not make sure that all applications will comply. The following of areas in the operating system will be affected by this setting:
This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on a server that is running IIS, only Web browsers that support TLS 1.0 can connect. If this setting is enabled on a client, all Schannel clients, such as Microsoft Internet Explorer, can only connect to servers that support the TLS 1.0 protocol. For a list of cipher suites supported when the setting is enabled see the Cipher Suites in Schannel topic.
The key here is "This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol."

You can use other FIPS-compliant protocols and ciphers for different uses, but in this case TLS must be used, as the link explains.
0
 

Author Comment

by:nico-
ID: 39624032
I've been asking around the security section here and the thoughts on that setting you mention is system wide.

creating a GPP which sets the minencryption level to 4 would appear to only affect RDP:-

Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp

The security layer is set to negotitate.

I suppose I'll only really know if I set the TS Client setting to Require Authentication.  
The security layer set to negotiate doesn't guarentee TLS
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39624210
A lot lies not on the client but also the server as both negotiate for the common crypto suite. By default, RDP contains the following significant risks that should be addressed before placing an RDP server into production below. FIPS and TLS is just an aspect of crypto (even then BEAST attack and SSL THC attack has their past wins), I see we need a more complete picture for secure implementation

Private key disclosure - certificate use
Use of weak encryption for RDP communications - high level encryption
Use of weak encryption for RPC over RDP communications - enforce policy
Acceptance of stored login credentials on clients - use existing authentication
Enabling Network Layer Authentication - network sec layered to deter mitm and replay

http://www.fishnetsecurity.com/6labs/blog/remote-desktop-protocol-security-creating-successful-implementation
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now