How to changeTerminal Services Encryption Level to FIPS-140 Compliant

Ansar Salim 1 Reputation point
2020-12-08T22:52:43.363+00:00

I need to fix Vulnerability 'Terminal Services Encryption Level is not FIPS-140 Compliant' on my Windows servers. What is the way to do that? any issues will happen is I change RDP to FIPS compliant.?

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,234 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Oner Ziya Bas 81 Reputation points
    2020-12-08T22:56:42.353+00:00

    Hi,

    You can use group policy or registry key on the terminal server to set the Encryption Level.

    Group Policy:

    Computer Configuration\Windows Settings\Security Settings\Security Options - System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

    Registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services]
    “MinEncryptionLevel” REG_DWORD set the value to 4
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp]
    “MinEncryptionLevel” REG_DWORD set the value to 4

    For your reference
    https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

    Thanks,

    0 comments
  2. Jenny Yan-MSFT 9,321 Reputation points
    2020-12-09T09:40:16.387+00:00

    Hi,
    1.May I know if there is any errors or problems that force you to change the Encryption of RDP?

    2.Per the blog below, it mentioned that by default, Remote Desktop connections are encrypted at the highest level of security available (128-bit).
    Tip: Secure RDS (Remote Desktop Services) Connections with SSL
    https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff458357(v=msdn.10)?redirectedfrom=MSDN

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny

    0 comments