FIPS Compliance Issues for RMS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Rights Management Services (RMS) version 1.0 with Service PackĀ 1 (SP1) or later is designed to work effectively in organizations that require the use of FIPS-evaluated cryptographic functionality.

Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are US Government standards that provide a benchmark for implementing cryptographic software. They specify best practices for implementing crypto algorithms, handling key material and data buffers, and working with the operating system.

RMS can be implemented as part of a FIPS-compliant system to provide a means of protecting confidential data.

  • The FIPS-evaluated cryptographic service providers restrict the functionality to: TLS_RSA_WITH_3DES_EDE_CBC_SHA. This restriction forces the security channel provider to negotiate only the stronger Transport Layer Security (TLS) 1.0 protocol. It may be necessary to configure Internet Explorer to support TLS, however many third party Web servers do not support TLS. For more information about this issue, see Knowledge Base article 811834 (http://go.microsoft.com/fwlink/?LinkId=43614).

Protect the RMS private key with either of the two Microsoft default cryptographic services providers (CSPs) if you are going to use software-based private key protection. These CSPs have completed the US Government FIPS 140-1 or FIPS 140-2 (as appropriate) evaluation process. Although it is not required, it is advisable for security critical customers to use a hardware-based CSP, or hardware security module (such as those of nCipher or IBM), to protect high-level RMS server private keys. If HSMs are used, the appropriate CSP must be selected to use the HSM. This might require a system restart. For more information about this issue, see Knowledge Base article 830690 (http://go.microsoft.com/fwlink/?LinkId=44138).

When implementing an RMS system, you should make the following selections:

  • Follow NIST guidelines for FIPS-compliant cryptography in Windows.

  • Turn on Local Security Policy for FIPS-compliant cryptography.

  • Deploy RMS with SP1 or later clients and servers in the above environment.

  • Enable the Transport Layer Security (TLS) protocol in Internet Information Services on your RMS server.

  • Enable the Transport Layer Security (TLS) protocol in Internet Explorer for your clients.

  • Enable the SQL Tabular Data Stream (TDS) protocol that is used with the Windows TLS/SSL Security Provider between SQL clients and SQL Server on the database server.

  • Configure SQL to Require TSL/SSL