This TechNet blog states that:
Cryptographic Operators: FIPS 140-2 defines a “Crypto Officer” role, which is represented by the Cryptographic Operators group in Windows, first introduced in Windows Vista SP1.
When the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting is configured in local or group policy objects, only members of the Cryptographic Operators group or the Administrators group can configure Cryptography Next Generation (CNG) settings by default. Specifically, Cryptographic Operators can edit the cryptographic settings in the IPsec policy of Windows Firewall with Advanced Security (WFAS).
I have performed the following:
- Enabled the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Local Security Policy. It can be found under the Security Settings -> Local Policies -> Security Options key.
- Created a new standard user.
- Added the user to the Cryptographic Operators group.
I noted that this user cannot even access Windows Firewall with Advanced Security (WFAS) without first being a member of Network Configuration Operators. Then, I noted that any member of such group can access WFAS and create new rules under the Connection Security Rules, including IPsec rules. In other words, the user need not be a member of the Cryptographic Operators group.
I then tried another thing: I opened MMC and added the "IP Security Policy" snap-in. Oddly, the user (who is a member of the Cryptographic Operators group) does not have access to these settings:
Could you please help me figure out the task which members of the Cryptographic Operators group (but not standard users) can perform?
I found the answer myself, so I'll post it here.
The TechNet article Netsh AdvFirewall MainMode Commands explains:
moreover:
I made up the following example, which clarifies the point.
- Enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting, as described in the question.
- Add a user to the Cryptographic Operators group.
- Run the following commands:
netsh advfirewall mainmode add rule name="TestRule" auth1=computercert auth1ca="CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" profile=domain
netsh advfirewall mainmode show rule name="TestRule"
netsh advfirewall mainmode set rule name="TestRule" new mmkeylifetime=20min Mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384
--> Access is denied.
Now, open a new command prompt, elevated as the current user, who is a member of the Cryptographic Operators group (important). Try again the above command, which will execute successfully.
Don't forget to delete the rule just created, or it may have adverse effects on your network policies:
netsh advfirewall mainmode delete rule name="TestRule"
PS: While the netsh command prevents the administrator from changing IPsec crypto settings (in Windows Common Criteria mode), the admin can easily change the settings using the following registry key: HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\Phase1CryptoSet\{GUID-of-rule}
See 2.2.5 Cryptographic Sets for more info.
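The same check, scripted so it can be run repeatedly from an elevated PowerShell prompt. This is an added example and not part of the answer above: it reads the FIPS policy state from the registry, reports whether the current token carries the Cryptographic Operators and Administrators SIDs, reproduces the netsh main-mode add/set/delete sequence from the answer, and lists the Phase1CryptoSet registry entries mentioned in the PS note so their contents can be compared before and after a change. The rule name and CA string are the answer's own test values; the FipsAlgorithmPolicy\Enabled value and the two well-known SIDs are assumed to be the standard Windows locations, and the exit-code handling for netsh is an assumption of this script.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
$ruleName = 'TestRule'
$ca = 'CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'

# 1. FIPS policy state: REG_DWORD "Enabled" under Lsa\FipsAlgorithmPolicy
#    (assumed location of the "Use FIPS compliant algorithms" setting).
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                         -Name Enabled -ErrorAction SilentlyContinue
"FIPS policy enabled: {0}" -f [bool]($fips -and $fips.Enabled -eq 1)

# 2. Group membership as seen in the current token (a fresh logon is needed
#    after adding the user to the group). Well-known SIDs assumed:
#    S-1-5-32-569 = Cryptographic Operators, S-1-5-32-544 = Administrators.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = $identity.Groups | ForEach-Object { $_.Value }
"Member of Cryptographic Operators: {0}" -f ($sids -contains 'S-1-5-32-569')
"Member of Administrators:          {0}" -f ($sids -contains 'S-1-5-32-544')

# 3. The answer's test: create a main-mode rule, then try to change its crypto set.
#    Under the FIPS policy, "set rule" is expected to fail with "Access is denied"
#    unless the token includes Cryptographic Operators.
netsh advfirewall mainmode add rule name="$ruleName" auth1=computercert auth1ca="$ca" profile=domain | Out-Null
$out = netsh advfirewall mainmode set rule name="$ruleName" new mmkeylifetime=20min mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384 2>&1
if ($LASTEXITCODE -eq 0) {
    "set rule succeeded: this token can edit IPsec crypto settings"
} else {
    "set rule failed: $($out -join ' ')"
}

# 4. Audit view of the stored crypto sets (the key the PS note says an
#    administrator can edit directly); snapshot this before and after changes.
$p1 = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Phase1CryptoSet'
if (Test-Path $p1) {
    Get-ItemProperty -Path $p1 | Format-List
    Get-ChildItem -Path $p1 -ErrorAction SilentlyContinue | ForEach-Object { Get-ItemProperty $_.PSPath | Format-List }
}

# 5. Remove the test rule, as the answer advises.
netsh advfirewall mainmode delete rule name="$ruleName" | Out-Null
```

Running the script once from an elevated prompt of a plain administrator and once from an elevated prompt of a Cryptographic Operators member shows the difference the answer describes; the Phase1CryptoSet listing is what a change-detection check would compare, since the netsh restriction does not apply to direct registry edits.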
Windows firewall MMC
I had a similar problem where I couldn't add a key exchange method (main mode) in the custom IPsec settings of the Windows Firewall. The error was
My workaround, however, was, as crazy as it sounds, to open the Local Security Policy and click on "Windows Firewall Properties". You can change settings here that you cannot change via the "Windows Firewall with Advanced Security" application (Windows Server 2012 R2).