Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

FIPS Encryption and TLS

Posted on 2013-11-04
9
Medium Priority
?
788 Views
Last Modified: 2013-11-15
Hello

I need to apply FIPS and TLS on all Servers RDP Connections.

So I'm basically requiring

Security Layer : TLS
Encryption Layer : FIPS

But I need to under the concepts and requirements before I make the changes

---
I've read the following related article but I'm unsre if RDP Channel referes to RDP Security layer setting or overall?

http://support.microsoft.com/kb/811833




thanks
0
Comment
Question by:nico-
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 80

Expert Comment

by:arnold
ID: 39623407
The registry modifications to the schannel,crypt section limits the available encryptions available for the connections
I.e. 128 bit and higher.
Then the encryption options are limited.  Note this restriction is applicable to all SSL on the server including IIS.
0
 

Author Comment

by:nico-
ID: 39623616
Hello

Thank you for the reply but that didn't really answer the question.

I'm specifically after finding out if FIPS is dependent on TLS

Thanks
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39623639
FIPS is a set of standards.

For example, FIPS 197 details the AES cipher, whereas FIPS 140 details the security requirements for cryptography modules.

You can use FIPS-compliant features in conjunction with TLS, not only with TLS.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:nico-
ID: 39623705
Hi Craigback

would you mind sending an artcile or something that gives some more description about FIPS compliant features can be used with TLS but not exclusively.  I'm searching around at the same time as I'm using FIPS and Negotiate, but I'm looking for an article that explains the "You can use FIPS-compliant features in conjunction with TLS, not only with TLS. " bit in more detail.

Thanks
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39623824
Ok, so are you talking about FIPS 140-2 specifically, for example.

If so, then yes you must use TLS when implementing FIPS-compliant security.
0
 

Author Comment

by:nico-
ID: 39623843
Hi Craigback

Would you mind backing the comments up with references to technet articles/forum articles please ?

Thank you
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39623886
The link you posted pretty much explains everything you need to know...

From the link -
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
This policy is only advisory to applications. Therefore, if you enable the policy, it does not make sure that all applications will comply. The following of areas in the operating system will be affected by this setting:
This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on a server that is running IIS, only Web browsers that support TLS 1.0 can connect. If this setting is enabled on a client, all Schannel clients, such as Microsoft Internet Explorer, can only connect to servers that support the TLS 1.0 protocol. For a list of cipher suites supported when the setting is enabled see the Cipher Suites in Schannel topic.
The key here is "This setting causes the Schannel security package and all applications that build on the Schannel security package to negotiate only the Transport Layer Security (TLS) 1.0 protocol."

You can use other FIPS-compliant protocols and ciphers for different uses, but in this case TLS must be used, as the link explains.
0
 

Author Comment

by:nico-
ID: 39624032
I've been asking around the security section here and the thoughts on that setting you mention is system wide.

creating a GPP which sets the minencryption level to 4 would appear to only affect RDP:-

Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp

The security layer is set to negotitate.

I suppose I'll only really know if I set the TS Client setting to Require Authentication.  
The security layer set to negotiate doesn't guarentee TLS
0
 
LVL 65

Accepted Solution

by:
btan earned 1500 total points
ID: 39624210
A lot lies not on the client but also the server as both negotiate for the common crypto suite. By default, RDP contains the following significant risks that should be addressed before placing an RDP server into production below. FIPS and TLS is just an aspect of crypto (even then BEAST attack and SSL THC attack has their past wins), I see we need a more complete picture for secure implementation

Private key disclosure - certificate use
Use of weak encryption for RDP communications - high level encryption
Use of weak encryption for RPC over RDP communications - enforce policy
Acceptance of stored login credentials on clients - use existing authentication
Enabling Network Layer Authentication - network sec layered to deter mitm and replay

http://www.fishnetsecurity.com/6labs/blog/remote-desktop-protocol-security-creating-successful-implementation
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question