Azure MDC - FIPS detection false positive?
Hi,
I've been working on hardening my servers for a few weeks now and there is a finding called "Windows Server must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. (STE)" that I do not manage to remediate.
Remediation steps are: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".
I pushed the correct GPO settings, as explained, to my servers, and when I check the registry I see that it was applied: the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ has the value Enabled = 1.
Waited a bit but remediation did not work so I searched within and found out that the finding is actually not looking for Enabled = 1 but STE = 1 which is missing on my servers.
I tested the use of MD5 and it's correctly blocked when Enabled = 1 is configured. Having STE = 1 doesn't change anything. The only doc I found about the subject is here: https://sec-certs.org/fips/cf51156a5dc051a5/target.pdf
There are two methods to enable FIPS-Approved mode for the Kernel Mode Cryptographic Primitives Library. The first is to use FIPS Local/Group Security Policy setting or a Mobile Device Management (MDM) to enable FIPS-Approved mode for the Kernel Mode Cryptographic Primitives Library. The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”. The second method to enable FIPS-Approved mode for the Kernel Mode Cryptographic Primitives Library is to set the following registry key to 1: HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\STE. When this registry key exists and is set to 1, the selftests in Kernel Mode Cryptographic Primitives Library will run in compliance with FIPS 140-2 Implementation Guidance section 9.11 and the module will be in FIPS Approved mode.
For me the GPO does the job (Enabled = 1), the STE key doesn't; what am I missing?
Best regards,
François
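An added example (not from the question above and not Microsoft's tooling) that audits the two registry values this thread is about side by side with what the policy actually enforces: it reads Enabled and STE under FIPSAlgorithmPolicy and checks whether MD5 instantiation is refused. It assumes Windows PowerShell 5.1 (.NET Framework), which honours the FIPS policy; PowerShell 7 on .NET Core does not enforce it, so the MD5 check is only meaningful under 5.1.

```powershell
# Added example: compare the GPO-written value (Enabled), the value the MDC finding
# looks for (STE) and the observable effect (MD5 blocked) on one machine.
# Assumes Windows PowerShell 5.1; read-only, changes nothing in the registry.

$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'

function Get-FipsRegistryValue {
    param([string]$Name)
    # Returns the DWORD as [int], or $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $FipsKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Md5Blocked {
    # With the FIPS policy enforced, .NET Framework throws InvalidOperationException
    # when a non-validated algorithm such as MD5 is instantiated.
    try {
        $md5 = [System.Security.Cryptography.MD5]::Create()
        $null = $md5.ComputeHash([byte[]](0..15))   # constructed input, content irrelevant
        $md5.Dispose()
        return $false
    } catch {
        $ex = $_.Exception
        # PowerShell wraps .NET method exceptions; look at the inner one
        if ($ex -is [System.Management.Automation.MethodInvocationException] -and $ex.InnerException) {
            $ex = $ex.InnerException
        }
        return ($ex -is [System.InvalidOperationException])
    }
}

function Get-FipsPolicyState {
    $enabled = Get-FipsRegistryValue -Name 'Enabled'
    $ste     = Get-FipsRegistryValue -Name 'STE'
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Enabled      = $enabled           # written by the GPO security option
        STE          = $ste               # value the MDC check is reported to test
        GpoEnforced  = ($enabled -eq 1)
        SteSet       = ($ste -eq 1)
        Md5Blocked   = Test-Md5Blocked    # what the policy actually does at runtime
    }
}

Get-FipsPolicyState | Format-List
```

A host reporting Enabled = 1, STE missing and Md5Blocked = True matches the situation described in the question; collecting this object across the fleet makes it easy to show which servers the finding is flagging on the STE value alone.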