FIPS encryption (non domain laptops)
-
Hi guys,
I have a client that has 8 or 9 laptops (not connected to a domain) that need to meet FIPS requirements due to a grant received from the federal government. The laptops themselves are Dell Latitude laptops so I know they have a TPM. Also, from what I'm aware I can modify local group policy to enable "Use FIPS compliant algorithms for encryption."
Does anybody know if this can be handled by Intune? If not, what would the process be for backing up the recovery keys? USB?
Also, I think I read somewhere that with FIPS you had to use smart card? If true, and the laptop doesn't have a smart card reader what would we need to do there?
Anyways, just looking for any general insight on this and what to expect. From what I've learned it's a PITA.
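An added example (not code from this thread) that audits one standalone laptop for the items raised above: TPM present, the FIPS local policy enabled, BitLocker on, and a recovery password copied off the machine. It assumes the system volume is C:, uses the placeholder backup path E:\bitlocker-keys for a USB drive, and must run in an elevated PowerShell session.

```powershell
# Added example: FIPS/BitLocker audit for a non-domain Windows 10 laptop.
# Assumptions: system drive is C:, backup target is a USB drive at the
# placeholder path E:\bitlocker-keys, script runs as Administrator.
[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',
    [string]$BackupPath = 'E:\bitlocker-keys'   # placeholder: removable drive kept offline
)

# The local policy "System cryptography: Use FIPS compliant algorithms for
# encryption, hashing, and signing" is stored in this registry value (1 = enabled).
# Enabling it in secpol.msc writes the same value.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

$tpm = Get-Tpm
$vol = Get-BitLockerVolume -MountPoint $MountPoint

# One-screen summary of the state a grant auditor would ask about.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    TpmPresent        = $tpm.TpmPresent
    TpmReady          = $tpm.TpmReady
    FipsPolicyEnabled = $fipsEnabled
    BitLockerStatus   = $vol.ProtectionStatus      # 'On' once protectors are active
    EncryptionMethod  = $vol.EncryptionMethod      # expect XtsAes256 or XtsAes128
    Protectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

# Copy every recovery password to a file named after the machine, so the key
# is not stored only on the laptop it unlocks (no AD/Intune available here).
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No recovery password protector on $MountPoint; add one with: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    return
}
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
$file = Join-Path $BackupPath "$($env:COMPUTERNAME)-$MountPoint.txt".Replace(':', '')
$recovery | ForEach-Object {
    "Computer: $env:COMPUTERNAME`nProtector ID: $($_.KeyProtectorId)`nRecovery password: $($_.RecoveryPassword)"
} | Set-Content -Path $file
Write-Host "Recovery password(s) written to $file"
```

Run it once per laptop with the USB drive attached, then store that drive separately from the laptops; the summary also shows whether the drive was encrypted before or after the FIPS policy was switched on.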
-
FIPS 140-2 has nothing to do with smart cards. It's about forcing validated cryptographic modules. Generally those are older versions of cryptographic modules and require an older kernel.
For example, Windows 1809 is the latest certified version. You can see the latest certified modules here. You need to have these versions set in order to turn on FIPS mode.
https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation
-
@IRJ said in FIPS encryption (non domain laptops):
FIPS 140-2 has nothing to do with smart cards. It's about forcing validated cryptographic modules. Generally those are older versions of cryptographic modules and require an older kernel.
For example, Windows 1809 is the latest certified version. You can see the latest certified modules here. You need to have these versions set in order to turn on FIPS mode.
https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation
Holy crap - isn't MS dumping mainstream updates for 1809 soon, if not already done? They had an 18-month lifecycle on versions for a while at least.
-
@IRJ Wow. So I'm guessing I would need to wipe these machines and put on Windows 10 Enterprise 1809 to go a. get compatibility and b. make sure these devices continue to get security updates? But when I check 1809 EOL is May 11 2021???
I may just have this client work directly with a third party to manage all this as I don't imagine this will come up again, and I'm not sure it's worth the time investment to really get a grasp on everything and what's involved.
-
@frodooftheshire said in FIPS encryption (non domain laptops):
@IRJ Wow. So I'm guessing I would need to wipe these machines and put on Windows 10 Enterprise 1809 to go a. get compatibility and b. make sure these devices continue to get security updates? But when I check 1809 EOL is May 11 2021???
I may just have this client work directly with a third party to manage all this as I don't imagine this will come up again, and I'm not sure it's worth the time investment to really get a grasp on everything and what's involved.
Yeah, it looks like it. I've not dealt with FIPS 140-2 on Windows before, only Linux.
This document is from May 2020 and shows 1809 still as the latest FIPS 140-2 certification.
Before you get into a rabbit hole here, what's your actual requirement?
-
@Dashrender said in FIPS encryption (non domain laptops):
@IRJ said in FIPS encryption (non domain laptops):
FIPS 140-2 has nothing to do with smart cards. It's about forcing validated cryptographic modules. Generally those are older versions of cryptographic modules and require an older kernel.
For example, Windows 1809 is the latest certified version. You can see the latest certified modules here. You need to have these versions set in order to turn on FIPS mode.
https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation
Holy crap - isn't MS dumping mainstream updates for 1809 soon, if not already done? They had an 18-month lifecycle on versions for a while at least.
FIPS isn't something you do when you want security. FIPS is US gov't, the antithesis of security. FIPS is for politics, security is for business.
-
@IRJ said in FIPS encryption (non domain laptops):
@frodooftheshire said in FIPS encryption (non domain laptops):
@IRJ Wow. So I'm guessing I would need to wipe these machines and put on Windows 10 Enterprise 1809 to go a. get compatibility and b. make sure these devices continue to get security updates? But when I check 1809 EOL is May 11 2021???
I may just have this client work directly with a third party to manage all this as I don't imagine this will come up again, and I'm not sure it's worth the time investment to really get a grasp on everything and what's involved.
Yeah, it looks like it. I've not dealt with FIPS 140-2 on Windows before, only Linux.
This document is from May 2020 and shows 1809 still as the latest FIPS 140-2 certification.
Before you get into a rabbit hole here, what's your actual requirement?
This is the correct approach. What's the requirement?
It takes a good amount of time and money to certify the OS, so that's why the FIPS-certified releases are behind. I'm not sure on Windows, but with RHEL/CentOS you can enable FIPS mode on any release; it's just not "certified".