Azure MDC - FIPS detection false positive?

Dufour, Francois
2024-09-20T13:38:25.54+00:00

Hi,

I've been working on hardening my servers for a few weeks now and there is a finding called "Windows Server must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. (STE)" that I do not manage to remediate.

Remediation steps are: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".

I pushed the correct GPO settings, as explained, to my servers, and when I check the registry I see that it was applied: the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy has the value Enabled = 1.

I waited a bit, but remediation did not work, so I searched within and found out that the finding is actually not looking for Enabled = 1 but for STE = 1, which is missing on my servers.

I tested the use of MD5 and it's correctly blocked when Enabled = 1 is configured. Having STE = 1 doesn't change anything. The only doc I found about the subject is here: https://sec-certs.org/fips/cf51156a5dc051a5/target.pdf

There are two methods to enable FIPS-Approved mode for the Kernel Mode Cryptographic Primitives Library. The first is to use FIPS Local/Group Security Policy setting or a Mobile Device Management (MDM) to enable FIPS-Approved mode for the Kernel Mode Cryptographic Primitives Library. The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”. The second method to enable FIPS-Approved mode for the Kernel Mode Cryptographic Primitives Library is to set the following registry key to 1: HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\STE. When this registry key exists and is set to 1, the selftests in Kernel Mode Cryptographic Primitives Library will run in compliance with FIPS 140-2 Implementation Guidance section 9.11 and the module will be in FIPS Approved mode.

For me the GPO does the job (Enabled = 1), the STE key doesn't; what am I missing?

Best regards,

François
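An added audit script (example code, not from the question or from Microsoft) that reads both values under the key named above, the GPO-backed Enabled value and the STE value the finding keys on, and then probes whether the user-mode runtime actually refuses MD5, so the two can be compared side by side on a server. The key path comes from the question; the function names and the MD5 probe are assumptions, and whether .NET throws for MD5 in FIPS mode depends on the .NET version, so a $false result means "not enforced by this runtime", not "FIPS mode is off".

```powershell
# Added example, not part of the original post. Reports the FIPS policy values
# and probes user-mode enforcement; run in an elevated PowerShell on the server.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'

function Get-FipsPolicyValue {
    # Returns the DWORD as an int, or $null when the value is absent
    # (the "STE is missing on my servers" case from the question).
    param([string]$Name)
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Md5Blocked {
    # $true when the runtime refuses to instantiate or use MD5, which is what
    # the asker observed with Enabled = 1. Assumption: this probe only shows
    # user-mode (.NET) behaviour; it says nothing about the kernel-mode STE self-tests.
    try {
        $md5 = [System.Security.Cryptography.MD5]::Create()
        [void]$md5.ComputeHash([byte[]](1, 2, 3))   # constructed sample input
        return $false
    } catch {
        return $true
    }
}

$enabled = Get-FipsPolicyValue -Name 'Enabled'
$ste     = Get-FipsPolicyValue -Name 'STE'

# CryptoConfig.AllowOnlyFipsAlgorithms is .NET's own view of the OS FIPS policy,
# useful to confirm the GPO setting was actually picked up by the runtime.
[pscustomobject]@{
    KeyPath             = $KeyPath
    Enabled             = $enabled
    STE                 = $ste
    DotNetAllowOnlyFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    Md5Blocked          = Test-Md5Blocked
} | Format-List
```

If Enabled is 1, DotNetAllowOnlyFips is True and Md5Blocked is True while STE is empty, the server shows exactly the state described in the question: user-mode FIPS enforcement is on, but the value the finding evaluates is not present.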
