Windows 7 Cryptographic Operators – Understanding and Setup


This TechNet blog states that:

Cryptographic Operators: FIPS 140-2 defines a “Crypto Officer” role, which is represented by the Cryptographic Operators group in Windows, first introduced in Windows Vista SP1.

When the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting is configured in local or group policy objects, only members of the Cryptographic Operators group or the Administrators group can configure Cryptography Next Generation (CNG) settings by default. Specifically, Cryptographic Operators can edit the cryptographic settings in the IPsec policy of Windows Firewall with Advanced Security (WFAS).

I have performed the following:

  1. Enabled the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Local Security Policy. It can be found under the Security Settings -> Local Policies -> Security Options key.
  2. Created a new standard user.
  3. Added the user to the Cryptographic Operators group.

I noted that this user cannot even access Windows Firewall with Advanced Security (WFAS), without first being a member of Network Configuration Operators. Then, I noted that any member of such group can access WFAS, and create new rules under the Connection Security Rules, including IPsec rules. In other words, the user need not be a member of the Cryptographic Operators group.

I then tried another thing: I opened MMC and added the "IP Security Policy" snap-in. Oddly, the user (who is a member of the Cryptographic Operators group) does not have access to these settings:

Access denied to IPsec settings

Could you please help me figure out the task which members of the Cryptographic Operators group (but not standard users) can perform?

Best Answer

I found the answer myself, so I'll post it here.

The TechNet article Netsh AdvFirewall MainMode Commands explains:

Typing the command mainmode at the netsh advfirewall context changes to the netsh advfirewall mainmode context, where you can view, create, and modify main mode rules that specify how IPsec negotiates main mode security associations between computers on the network. This context has no equivalent in the Windows Firewall with Advanced Security MMC snap-in.

Moreover:

This netsh context is subject to the requirements of the Common Criteria mode. If enabled, then administrators can create main mode rules, but they cannot specify the mmsecmethods or mmkeylifetime parameters. Only members of the Cryptographic Operators group can set or modify those parameters. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (http://go.microsoft.com/fwlink/?linkid=147070).

I made up the following example, which clarifies the point.

  • Enable System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, as described in the question.
  • Log in as a member of the Cryptographic Operators group.
  • Open a command prompt, elevated as an administrator, and type the following command:

netsh advfirewall mainmode add rule name="TestRule" auth1=computercert auth1ca="CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" profile=domain

  • (Optional) You can check the rule just created by:

netsh advfirewall mainmode show rule name="TestRule"

  • You may now try to set the cryptographic algorithms or the key lifetime. However, since the system is in Common Criteria mode, the administrator is denied access to these options:

netsh advfirewall mainmode set rule name="TestRule" new mmkeylifetime=20min mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384

--> Access is denied.

  • Now, open a new command prompt, elevated as the current user, who is a member of the Cryptographic Operators group (important).

  • Try the above command again; this time it will execute successfully.


Don't forget to delete the rule just created, or it may have adverse effects on your network policies:

netsh advfirewall mainmode delete rule name="TestRule"


PS: While the netsh command prevents the administrator from changing IPsec crypto settings (in Windows Common Criteria mode), the admin can easily change the settings using the following registry key:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\Phase1CryptoSet\{GUID-of-rule}

See 2.2.5 Cryptographic Sets for more info.
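The following PowerShell script is an added example, not part of the original answer and not Microsoft's code. It turns the manual procedure above into a repeatable check: it reads the FIPS policy state, reports whether the caller holds the Cryptographic Operators role, creates the same test main mode rule, attempts the mmsecmethods/mmkeylifetime change that Common Criteria mode reserves for that group, and finally lists the Phase1CryptoSet registry key named in the PS so an auditor can see the values that an administrator could alter outside netsh. The rule name "TestRule" and the CA subject are the constructed values from the answer; the FipsAlgorithmPolicy registry value and the Cryptographic Operators SID (S-1-5-32-569) are documented Windows identifiers. The script assumes an elevated prompt and an English netsh, since it matches the literal text "Access is denied".

```powershell
# Added example: audit the Cryptographic Operators / Common Criteria behaviour
# described in the answer. Run from an elevated PowerShell prompt.
# Constructed values reused from the answer (not real policy of any network):
$RuleName  = 'TestRule'
$CaSubject = 'CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'

# 1. Is "System cryptography: Use FIPS compliant algorithms ..." enabled?
#    The policy is backed by the Enabled value under FipsAlgorithmPolicy.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Host ("FIPS policy enabled : {0}" -f ($fips -eq 1))

# 2. Which roles does the current token carry?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$cryptoOps = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-569') # BUILTIN\Cryptographic Operators
$isCryptoOp = $principal.IsInRole($cryptoOps)
$isAdmin    = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Running as          : {0}" -f $identity.Name)
Write-Host ("Administrator       : {0}" -f $isAdmin)
Write-Host ("Crypto Operator     : {0}" -f $isCryptoOp)

# 3. Create the main mode rule. Any administrator may do this, with or without
#    Common Criteria mode.
netsh advfirewall mainmode add rule name="$RuleName" auth1=computercert auth1ca="$CaSubject" profile=domain | Out-Null

# 4. Attempt the change that only Cryptographic Operators may make in Common
#    Criteria mode. netsh reports the failure as "Access is denied." in its output.
$setOutput = netsh advfirewall mainmode set rule name="$RuleName" new mmkeylifetime=20min mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384 2>&1
$denied = (($setOutput | Out-String) -match 'Access is denied')
if ($denied) {
    Write-Host "Setting mmsecmethods/mmkeylifetime: DENIED (expected when FIPS is on and caller is not a Cryptographic Operator)"
} else {
    Write-Host "Setting mmsecmethods/mmkeylifetime: ALLOWED (expected for a Cryptographic Operator, or when FIPS is off)"
}

# Show the resulting rule so the reader can compare the crypto parameters.
netsh advfirewall mainmode show rule name="$RuleName"

# 5. Remove the test rule again, as the answer advises.
netsh advfirewall mainmode delete rule name="$RuleName" | Out-Null

# 6. The PS in the answer points out that the same crypto sets live in the
#    registry, where an administrator can edit them without going through netsh.
#    Listing the key gives an auditor a baseline to compare against later.
$phase1Key = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\Phase1CryptoSet'
if (Test-Path $phase1Key) {
    Write-Host "Phase1CryptoSet entries:"
    Get-ChildItem -Path $phase1Key | ForEach-Object {
        Write-Host ("  " + $_.PSChildName)
        Get-ItemProperty -Path $_.PSPath | Format-List | Out-String | Write-Host
    }
} else {
    Write-Host "Phase1CryptoSet key not present (no main mode crypto sets defined)."
}
```

Run it once from a prompt elevated as a plain administrator and once from a prompt elevated as the Cryptographic Operators member; the only line that should differ is step 4. Because netsh enforces the role check but the registry does not, the step 6 listing (or the ACL on that key) is what a defender should monitor if the separation between administrators and crypto officers matters on the host.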