Is it possible to enable FIPS on Debian 8?
After googling extensively I could not find any reference on how to enable FIPS in Debian 8, which leads me to believe it is not possible.
In many FIPS 140-2 certificates, Windows must be placed into FIPS 140 mode as well as run in "single user mode". I am familiar with the local/group policy objects to enable FIPS mode. However, "single user mode" is almost always written in quotations (as I have done). No specific setting exists in GPO to enable this mode, and I have not found any details which indicate how to enable this mode of operation.
The best I've been able to find is that this means only one interactive user at any given time. Thus, I believe it is not a requirement that there is only one user account on the O/S, but rather a series of things that need to be configured to prevent multiple simultaneous interactive users. The only thing I can think of that might affect this is to disable incoming RDP/Remote Assistant.
What needs to be configured to prevent multiple concurrent interactive users in Windows workstations and servers?
EDIT: As most enterprises cannot allow only a single local login, I am looking to understand what constitutes restricting the environment to a single interactive session while not restricting multiple -- though not logged-in -- accounts.
I am working on trying to make sense of what is required for both PCI DSS compliance as well as FIPS compliance in relation to SSL/TLS cipher suites. I have been reading the guide here and here. However, I have not been able to find anything that states what order or priority I should list the ciphers in. I can see which ones I need to use and disable, but I assume that there is a priority that should be followed for them as well. This is primarily for Windows servers and then later I would look at performing the same to Linux servers running Apache.
Recently we enabled FIPS 140-2 Encryption Algorithms on our W2K3 server per http://chadamberg.com/drupal/IISCryptography and now my Mac RDP 2.1.1 client won't connect. I get:
"Remote Desktop Connection cannot verify the identity of the computer to which you want to connect...."
My client is set to "Always connect, even if authentication fails" but that doesn't seem to help. I'm guessing there's some incompatibility between FIPS support and Mac RDP. I can still get in via my Win7 RDP client. I tried CoRD as well, but it failed to connect.
Any ideas on how to reinstate Mac RDC to this server, or am I at the mercy of MS updating their Mac client?
I need to configure IIS 7.5 (Server 2008 R2) to be FIPS 140-2 compliant.
Specifically, this involves disabling all SSL protocols other than TLS 1.0.
I have set the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
to Enabled(DWORD) = 0 as per this KB, but SSL Labs' checker says "SSL 2.0+ Upgrade Support" is enabled. (Everything other than that and TLS 1.0 is not available, so we're getting somewhere). It also says "FIPS ready - no" - presumably because SSL 2.0+ Upgrade Support is still enabled.
serversniff.net says SSL 2.0 is turned off, and doesn't say anything about SSL 2.0+ Upgrade Support. Could this be an anomaly with SSL Labs' checker?