Solved

FIPS Encryption and TLS

Posted on 2013-11-04
9
725 Views
Last Modified: 2013-11-15
Hello

I need to apply FIPS and TLS on all Servers RDP Connections.

So I'm basically requiring

Security Layer : TLS
Encryption Layer : FIPS

But I need to under the concepts and requirements before I make the changes

---
I've read the following related article but I'm unsre if RDP Channel referes to RDP Security layer setting or overall?

http://support.microsoft.com/kb/811833




thanks
0
Comment
Question by:nico-
9 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 39623407
The registry modifications to the schannel,crypt section limits the available encryptions available for the connections
I.e. 128 bit and higher.
Then the encryption options are limited.  Note this restriction is applicable to all SSL on the server including IIS.
0
 

Author Comment

by:nico-
ID: 39623616
Hello

Thank you for the reply but that didn't really answer the question.

I'm specifically after finding out if FIPS is dependent on TLS

Thanks
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39623639
FIPS is a set of standards.

For example, FIPS 197 details the AES cipher, whereas FIPS 140 details the security requirements for cryptography modules.

You can use FIPS-compliant features in conjunction with TLS, not only with TLS.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:nico-
ID: 39623705
Hi Craigback

would you mind sending an artcile or something that gives some more description about FIPS compliant features can be used with TLS but not exclusively.  I'm searching around at the same time as I'm using FIPS and Negotiate, but I'm looking for an article that explains the "You can use FIPS-compliant features in conjunction with TLS, not only with TLS. " bit in more detail.

Thanks
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39623824
Ok, so are you talking about FIPS 140-2 specifically, for example.

If so, then yes you must use TLS when implementing FIPS-compliant security.
0
 

Author Comment

by:nico-
ID: 39623843
Hi Craigback

Would you mind backing the comments up with references to technet articles/forum articles please ?

Thank you
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39623886
The link you posted pretty much explains everything you need to know...

From the link -
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
This policy is only advisory to applications. Therefore, if you enable the policy, it does not make sure that all applications will comply. The following of areas in the operating system will be affected by this setting:
This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on a server that is running IIS, only Web browsers that support TLS 1.0 can connect. If this setting is enabled on a client, all Schannel clients, such as Microsoft Internet Explorer, can only connect to servers that support the TLS 1.0 protocol. For a list of cipher suites supported when the setting is enabled see the Cipher Suites in Schannel topic.
The key here is "This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol."

You can use other FIPS-compliant protocols and ciphers for different uses, but in this case TLS must be used, as the link explains.
0
 

Author Comment

by:nico-
ID: 39624032
I've been asking around the security section here and the thoughts on that setting you mention is system wide.

creating a GPP which sets the minencryption level to 4 would appear to only affect RDP:-

Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp

The security layer is set to negotitate.

I suppose I'll only really know if I set the TS Client setting to Require Authentication.  
The security layer set to negotiate doesn't guarentee TLS
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39624210
A lot lies not on the client but also the server as both negotiate for the common crypto suite. By default, RDP contains the following significant risks that should be addressed before placing an RDP server into production below. FIPS and TLS is just an aspect of crypto (even then BEAST attack and SSL THC attack has their past wins), I see we need a more complete picture for secure implementation

Private key disclosure - certificate use
Use of weak encryption for RDP communications - high level encryption
Use of weak encryption for RPC over RDP communications - enforce policy
Acceptance of stored login credentials on clients - use existing authentication
Enabling Network Layer Authentication - network sec layered to deter mitm and replay

http://www.fishnetsecurity.com/6labs/blog/remote-desktop-protocol-security-creating-successful-implementation
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question