Use FIPS Compliant Algorithms for Encryption, Signing and Hashing
One of the things I've been doing this week is learning about the Federal Desktop Core Config (FDCC).
You've probably read about it this past week. The short version is that it is a Federal government wide configuration standard for XP and Vista.
Under FISMA, you just had to have a standard and apply it. With FDCC they are all supposed to have the same standard. The FDCC falls prey to a number of fallacies. It seems the developers are tweakers, that is to say they seem to believe the more changes made the more secure the computer is. That is just never a good idea. They appear to have started with a standard to the right of the SSLF policy (Microsoft's policy for standalone really-secure computers) and only made changes where they absolutely had to.
The mistake I wanted to write about in this blog entry is the setting "Use FIPS Compliant Algorithms for Encryption, Signing and Hashing". This setting is required for both XP and Vista under the FDCC. This policy should never be used.
The policy enabled FIPS140-1. This is kind of funny since the government requires FIPS 140-2. What isn't so funny is you will be unable to use SSL. Only TLS_RSA_WITH_3DES_EDE_CBC_SHA is supported. EFS encryption will be lowered from AES to 3DES.
When applying a security hardening policy understand what the settings will do. Test first in a non-production environment. Document your explanations for any exceptions from the standard that you are following.
Categories
General0 TrackBacks
Listed below are links to blogs that reference this entry: Use FIPS Compliant Algorithms for Encryption, Signing and Hashing.
TrackBack URL for this entry: http://www.infosecblog.org/mt-tb20071121.pl/665
1 Comments
Leave a comment
Powered by Ajax Comments
As a consultant for a large government agency, we expect all agencies to request a waiver on this setting in FDCC. What I do like, which is already implemented where I'm at is the removal of the easy to reverse LM hashes for passwords.