How to change Terminal Services Encryption Level to FIPS-140 Compliant

Ansar Salim 1 Reputation point
2020-12-08T22:52:43.363+00:00

I need to fix the vulnerability 'Terminal Services Encryption Level is not FIPS-140 Compliant' on my Windows servers. What is the way to do that? Will any issues happen if I change RDP to FIPS compliant?

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services

2 answers

  1. Oner Ziya Bas 81 Reputation points
    2020-12-08T22:56:42.353+00:00

    Hi,

    You can use group policy or registry key on the terminal server to set the Encryption Level.

    Group Policy:

    Computer Configuration\Windows Settings\Security Settings\Security Options - System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

    Registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services]
    "MinEncryptionLevel" REG_DWORD set the value to 4
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp]
    "MinEncryptionLevel" REG_DWORD set the value to 4

    For your reference
    https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

    Thanks,
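
A read-only check of the two registry locations named in the answer above, added here as an example and not part of the original answers. The function name `Get-MinEncryptionLevelStatus` is hypothetical; the paths and the required value 4 are taken from the answer.

```powershell
# Added example: read-only audit of MinEncryptionLevel at the two registry
# locations given in the answer. Nothing is written to the registry.
$RequiredLevel = 4   # value the answer says to set

$Locations = @(
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp'
)

# Hypothetical helper name, not a built-in cmdlet.
function Get-MinEncryptionLevelStatus {
    param([string[]]$Path, [int]$Required)

    foreach ($p in $Path) {
        $value = $null
        $state = 'KeyMissing'            # key itself is absent
        if (Test-Path -LiteralPath $p) {
            $item = Get-ItemProperty -LiteralPath $p -Name 'MinEncryptionLevel' `
                        -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'  # key exists, value was never set
            } else {
                $value = $item.MinEncryptionLevel
                $state = if ($value -eq $Required) { 'Match' } else { 'Mismatch' }
            }
        }
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            Path               = $p
            MinEncryptionLevel = $value
            Required           = $Required
            State              = $state
        }
    }
}

$results = Get-MinEncryptionLevelStatus -Path $Locations -Required $RequiredLevel
$results | Format-List

# Non-zero exit code lets a scheduled task or compliance job flag the host.
if ($results | Where-Object { $_.State -ne 'Match' }) { exit 1 }
```

Run it in an elevated PowerShell session on the terminal server before and after applying the change to confirm what the scanner will see.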


  2. Jenny Yan-MSFT 9,356 Reputation points
    2020-12-09T09:40:16.387+00:00

    Hi,
    1. May I know if there are any errors or problems that force you to change the encryption of RDP?

    2. The blog below mentions that, by default, Remote Desktop connections are encrypted at the highest level of security available (128-bit).
    Tip: Secure RDS (Remote Desktop Services) Connections with SSL
    https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff458357(v=msdn.10)?redirectedfrom=MSDN


    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny
