FDCC Webcast: FIPS Challenges – Q & A

Author: Paul Fox, Senior Consultant


Question: Is it possible to save more than 1 Set of Recovery Keys to a single USB drive?

Answer: Yes, you can save multiple BitLocker recovery keys to single USB drive. The size of a key is 124 bytes.

 More information can be found at http://technet2.microsoft.com/WindowsVista/en/library/ce4d5a2e-59a5-4742-89cc-ef9f5908b4731033.mspx?mfr=true

Question: Is the deadline still February 1, 2008 or pushed to March 31, 2008?

Answer: Yes, the deadline is still February 1, 2008 to have tested FDCC, but SCAP reporting on compliance is not due until March 31, 2008. Please contact fdcc@nist.gov for more information.

Question: Have you seen problems with FIPS and servers Win2k using MSMQ

Answer: The Message Queue task fails to comply with Federal Information Processing Standard (FIPS) 140-2 when the computer’s operating system is configured in FIPS mode and the task uses encryption. If the Message Queue task does not use encryption, the task can run successfully.

When configuring the Message Queue task to send messages, you can use one of the encryption algorithms that are currently supported by Message Queuing, RC2 and RC4, to encrypt the message. Both of these encryption algorithms are now considered cryptographically weak compared to newer algorithms, which Message Queuing does not yet support. Therefore, you should consider your cryptography needs carefully when sending messages using the Message Queue task.

More information can be found at: http://msdn2.microsoft.com/en-us/library/ms141227.aspx & http://support.microsoft.com/kb/245030/

Question: Re; SSL certificates untrusted source – We use this type of certificate in our development and test environments, but not production. Can the option to trust the site allowed in only our dev and test environments be enabled?

Answer: Yes, in your development and test environments you can publish the SSL certificate’s Root CA’s certificate and certificate revocation list into your development’s Active Directory with the certutil (certutil –dspublish –f <RootCA>.cer RootCA & certutil –dspublish –f <RootCA>.crl) command. This will put the Root CA’s certificate into all development domain attached systems’ computer Trusted Root Certification Authorities certificate store. If you want a targeted deployment to specific workstations you can deploy via group policy Computer Settings ->Windows Settings->Security Settings->Public Key Policies->Trusted Root Certification Authorities   

Note: It is best practice to re-issue with a properly trusted certificate when moving applications from development/test to production environments.

More information can be found at http://www.microsoft.com/pki

Question: is it possible to enforce TLSv1 in advanced option in IE via AD group policy?

Answer: Yes, with Internet Explorer 6 you will need to create a custom Group Policy ADM file.



Comments (0)