HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Suggestion]: Adding an option to increase the minimum encryption level of terminal to the highest level 4 FIPS compliant. #357

Closed agpt8 closed 3 weeks ago

agpt8 commented 1 month ago

Are you sure the Security measure is not already implemented?

Please explain your new Security measure suggestion

The encryption level of Terminal Services is defined in this post (this is slightly old, but the settings are still there, and the levels are set between 2 and 3, i.e., Client Compatible and High). The following registry tweaks set the level to FIPS Compliant, which ensures that only the highest and most secure algorithms are used to encrypt the connection.

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services] "MinEncryptionLevel" REG_DWORD set the value to 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp] "MinEncryptionLevel" REG_DWORD set the value to 4

This also necessitates that FIPS mode is enabled. I will be adding a separate suggestion for this one and will go into more detail on why this has benefits.

There might be other registry and GPO settings that may allow us to increase minimum encryption levels, but this is a start. The inspiration for this comes from this question and answer: https://learn.microsoft.com/en-us/answers/questions/191055/how-to-changeterminal-services-encryption-level-to
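Added example (not part of this issue or the Harden-Windows-Security module): a PowerShell audit of the MinEncryptionLevel value at the two registry locations named above, mapped to the level names the thread refers to, with an optional setter gated behind ShouldProcess. The non-WOW policy path is an assumption added for completeness; the level-name table follows the documented RDP encryption levels.

```powershell
# Added example, not from the Harden-Windows-Security module.
# Audits the RDP MinEncryptionLevel at the registry paths cited in the issue.

$LevelNames = @{
    1 = 'Low'
    2 = 'Client Compatible'
    3 = 'High'
    4 = 'FIPS Compliant'
}

$Paths = @(
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',   # assumption: native policy key
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

function Get-RdpMinEncryptionLevel {
    [CmdletBinding()]
    param()
    foreach ($Path in $Paths) {
        $Value = $null
        if (Test-Path -LiteralPath $Path) {
            # Missing value returns $null rather than throwing
            $Value = (Get-ItemProperty -LiteralPath $Path -Name 'MinEncryptionLevel' -ErrorAction SilentlyContinue).MinEncryptionLevel
        }
        [pscustomobject]@{
            Path            = $Path
            Level           = $Value
            Name            = if ($null -eq $Value) { '(not set)' } else { $LevelNames[[int]$Value] }
            MeetsSuggestion = ($null -ne $Value -and [int]$Value -ge 4)
        }
    }
}

function Set-RdpMinEncryptionLevel {
    # Level 4 only takes effect when FIPS mode is on, as the issue notes; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([ValidateRange(1, 4)][int]$Level = 4)
    $Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($PSCmdlet.ShouldProcess($Path, "Set MinEncryptionLevel to $Level ($($LevelNames[$Level]))")) {
        Set-ItemProperty -LiteralPath $Path -Name 'MinEncryptionLevel' -Value $Level -Type DWord
    }
}

Get-RdpMinEncryptionLevel | Format-Table -AutoSize
```

Run from an elevated prompt; the policy paths win over the WinStations value when Group Policy sets them, which is why all three are reported.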

HotCakeX commented 3 weeks ago

As explained in the other issue, and since this requires FIPS mode, it won't improve the security of the system. Unless there is some documentation or proof that says:

  1. FIPS mode will allow new secure cipher suites to be used.
  2. The old obsolete cipher suites and algorithms won't be in use, the same ones that the Harden Windows Security module disables.

Please feel free to prove me wrong and reopen this issue whenever you have that information.

The module already enforces NIST cipher suites, prioritizes them, and disables old and insecure algorithms, all happening in the TLS category; that's actually better than what FIPS mode would provide, so FIPS mode would be a downgrade.

Also, a bit confusing, since on the other issue you were suggesting not to use NSA-made ciphers and algorithms, but FIPS explicitly mandates use of those federally approved ciphers and algorithms, and they are from the same organization, NIST.