[Suggestion]: Consider enabling FIPs mode and requiring strong key protection for user key stores.

[agpt8]

Are you sure the Security measure is not already implemented?

• [X] Yes, I have checked and the Security measure I'm suggesting to be implemented is not duplicate. 🫡

Please explain your new Security measure suggestion

I opened a discussion a while back about having FIPs enabled or not. While it was concluded that FIPS mode is not really necessary, I now think that it is still beneficial to have it enabled.

Along with FIPS mode, enabling System Cryptography: Force strong key protection for user keys stored on the computer -> User must enter password each time they use a key (found at GPO > Computer config > Windows Settings > Security settings > Local Policies > Security options > System Cryptography: Force strong key protection for user keys stored on the computer) would also enhance overall security of the system.

EFS (Encrypted File System) usually does not require users to enter a password when creating a cert to protect their files and folders. Enabling the above two would require that they enter a password while they export their cert the first time which in turn would require them to enter their password to access it.

Bitlocker provides good protection but only when the system is turned off and/or locked. EFS helps protect user's files/folders while they are working as they are essentially locked unless the user unlocks them for access.

Also beneficial to issue #357

[HotCakeX]

Since that conversation that we had in that discussion post, has anything changed to prove the points mentioned there wrong or make them invalid now?

I wouldn't really recommend relying on EFS for encryption. Try encrypting a picture with EFS then send it over to Discord to someone else, they will be able to view it just fine without having to decrypt anything.

For file encryption there is Personal Data Encryption (PDE)

I'll test the policies related to requiring password for certificates, have to see how the WDACConfig module will work with it too.

[agpt8]

I dont think anything has changed since that discussion, or any points are invalid. FIPS would atleast make sure that stronger algorithms are used wherever applicable even if a user does not configure certain categories like TLS or networking or other related categories.

PDE requires Entra joined PCs and the user has to use Windows Hello for business. Moreover, if they use passwords (lengthy and complex ones) or security key, they cannot access PDE content.

On the other hand, certs are supported on security keys and passwords are default as well. PDE has very specific and windows centric requirements which are not supported or applicable on majority of the PCs and is still very new. EFS has been around for a while and available on all regular windows PCs (not sure if Pro is required or not, but again, this module requires Pro and up anyways so....)

[HotCakeX]

I dont think anything has changed since that discussion, or any points are invalid. FIPS would atleast make sure that stronger algorithms are used wherever applicable even if a user does not configure certain categories like TLS or networking or other related categories.

PDE requires Entra joined PCs and the user has to use Windows Hello for business. Moreover, if they use passwords (lengthy and complex ones) or security key, they cannot access PDE content.

On the other hand, certs are supported on security keys and passwords are default as well. PDE has very specific and windows centric requirements which are not supported or applicable on majority of the PCs and is still very new. EFS has been around for a while and available on all regular windows PCs (not sure if Pro is required or not, but again, this module requires Pro and up anyways so....)

---

Well since as you said nothing has changed from that conversation, there is no point in enabling FIPS mode.

So just to go over it again, this is the description of FIPS mode enforcement policy

System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 and Windows Vista family and DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Encrypting File System.

For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

For BitLocker, this policy needs to be enabled before any encryption key is generated. Recovery passwords created when this policy is enabled are incompatible with BitLocker on Windows 8, Windows Server 2012, and earlier operating systems. If this policy is applied to computers running operating systems prior to Windows 8.1 and Windows Server 2012 R2, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used for those computers instead.

Default: Disabled.

Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated software is required by the U.S. Government and requested by other prominent institutions.

It's enforcing insecure ciphers that are being disabled by the module, so that's an obvious conflict. It doesn't include newer algorithms such as SHA-3, post-quantum cipher suites and others. Enabling that policy doesn't seem to improve security and can actually have adverse effect.

You can still use EFS if you want. In my experience it wasn't useful and didn't protect my files the way i expected. But you don't need FIPS to use it.

I'm adding this policy in the upcoming version of the module

System Cryptography: Force strong key protection for user keys