Setting FIPS compliance on Windows 2008 R2 RDP

    Question

  • We have 2 different GPOs for setting FIPS.

    We add Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options) or use the "FIPS Compliant" setting in Remote Desktop Session Host Configuration.

    This works for RDP in a TEST OU.

    FIPS compliance can be configured through the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options) or through the "FIPS Compliant" setting in Remote Desktop Session Host Configuration. The FIPS Compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers require the highest level of encryption. If FIPS compliance is already enabled through the Group Policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting, that setting overrides the encryption level specified in this Group Policy setting or in the Remote Desktop Session Host Configuration tool.

    But we have a legacy GPO that sets RDP to HIGH encryption. It overwrites the FIPS Compliant setting for RDP, and RDP is only HIGH encryption.

    Tuesday, January 6, 2015 2:30 PM

Answers

  • Install nmap then, Go to this link:

    http://nmap.org/svn/scripts/rdp-enum-encryption.nse

    copy the script and run it from a DOS prompt

    example:

    nmap -p 3389 --script rdp-enum-encryption <ip>

    replace <ip> with your server IP or DNS name. The script will display the encryption level.

    Example of script output:

    PORT     STATE SERVICE
    3389/tcp open  ms-wbt-server
    | rdp-enum-encryption:
    |   Security layer
    |     CredSSP: SUCCESS
    |     Native RDP: SUCCESS
    |     SSL: SUCCESS
    |   RDP Encryption level: High
    |     128-bit RC4: SUCCESS
    |_    FIPS 140-1: SUCCESS

    Thanks,
    MikeV
    MCSE 2012

    • Marked as answer by CJTX Thursday, January 8, 2015 2:07 PM
    Thursday, January 8, 2015 2:01 PM
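The nmap script above shows what the listener negotiates from the outside. The question is which setting produced that level: the machine-wide FIPS policy, the "Set client connection encryption level" value a GPO pushes, or the local RD Session Host Configuration value. The following PowerShell script is an added example, not code from the thread or from Microsoft; it reads the three registry locations where those settings land, queries the same Win32_TSGeneralSetting WMI class that RDSH Configuration uses, and, when a GPO supplies the value, pulls the matching lines out of gpresult so the legacy GPO can be identified. It assumes the default listener name RDP-Tcp and runs in an elevated PowerShell on the server (PowerShell 2.0 on 2008 R2 is enough).

```powershell
# Added example, not part of the original thread. Reports every place the RDP
# encryption level and the FIPS algorithm policy are set on this RD Session Host,
# so a "High" result from nmap can be traced to the local RDSH Configuration
# setting or to a GPO that overrides it. Assumes the listener is named RDP-Tcp.

# Win32_TSGeneralSetting.MinEncryptionLevel values.
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Describe-Level($Level) {
    if ($null -eq $Level) { return 'not set' }
    $name = $levelNames[[int]$Level]
    if (-not $name) { $name = 'unknown' }
    return "$Level ($name)"
}

# 1. Machine-wide policy "System cryptography: Use FIPS compliant algorithms for
#    encryption, hashing, and signing". Once applied it lives under the Lsa key.
$fips = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
$fipsState = 'Disabled or not set'
if ($fips -eq 1) { $fipsState = 'Enabled' }

# 2. RDP level delivered by Group Policy ("Set client connection encryption level",
#    Computer Configuration > Administrative Templates > Windows Components >
#    Remote Desktop Services > RD Session Host > Security). Policy keys take
#    precedence over the local listener setting below.
$gpoLevel = Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'MinEncryptionLevel'

# 3. Level configured locally in Remote Desktop Session Host Configuration.
$localLevel = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'MinEncryptionLevel'

# 4. What the RDP-Tcp listener reports right now. The TerminalServices namespace
#    requires packet-privacy authentication on 2008 and later.
$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
if (-not $ts) { throw 'No RDP-Tcp listener found; adjust the TerminalName filter.' }

New-Object PSObject -Property @{
    FipsAlgorithmPolicy         = $fipsState
    GpoMinEncryptionLevel       = Describe-Level $gpoLevel
    LocalMinEncryptionLevel     = Describe-Level $localLevel
    EffectiveMinEncryptionLevel = Describe-Level $ts.MinEncryptionLevel
    SecurityLayer               = $ts.SecurityLayer    # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
} | Format-List

# 5. If a GPO supplies the value, name it: gpresult /v lists each registry-based
#    policy beneath the GPO that delivered it, so print the lines around the key.
if ($null -ne $gpoLevel) {
    gpresult /scope computer /v | Select-String -Pattern 'MinEncryptionLevel' -Context 1,2
}

# 6. Optional: set the listener to FIPS Compliant (4) directly. A legacy GPO that
#    still sets High (3) will put it back at the next policy refresh, so the
#    lasting fix is in that GPO (or in its precedence), not here.
# $ts.SetEncryptionLevel(4) | Out-Null
```

Read the output bottom-up: if EffectiveMinEncryptionLevel is 3 and GpoMinEncryptionLevel is also 3, the gpresult lines under step 5 name the GPO that is winning; changing the local setting or enabling the FIPS policy in a GPO that loses precedence will not change what the listener reports.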

All replies

  • to override the current GPO precedence you can enforce the new policy which is supposed to push FIPS configuration.

    Regards Prabhu

    Wednesday, January 7, 2015 8:42 AM
  • And how do I scan port 3392 or port 3333 for RDP? I don't want to scan all open ports, no no, I want only port 3392 or 333 open RDP. How do I do that?
    Thursday, October 20, 2016 2:12 PM