Microsoft KB Archive/325757

= INF: Using SQL Server 2000 with FIPS 140-1 Ciphers =

Article ID: 325757

Article Last Modified on 10/2/2003

-

APPLIES TO


 * Microsoft SQL Server 2000 Standard Edition

-



This article was previously published under Q325757



SUMMARY
Microsoft SQL Server 2000 can use Secure Sockets Layer (SSL) to encrypt all data that is transmitted between an application computer and an instance of SQL Server on a database computer. This article describes how to set up Microsoft SQL Server 2000 to enforce FIPS 140-1 cipher suites when SQL Server performs protocol encryption.



MORE INFORMATION
When SQL Server 2000 performs protocol encryption, SQL Server 2000 uses the Schannel (TLS/SSL Security Provider) encryption functions that are built into the Microsoft Windows operating system to encrypt and to decrypt the protocol packets. To enforce FIPS 140-1 compliant encryption with SQL Server 2000, you must configure the computer that SQL Server is running on to enforce this encryption level.

NOTE: For compatibility with earlier versions of SQL Server, the Multiprotocol Net-Library continues to support its own encryption. This encryption is specified independently of the SSL encryption and is implemented by calling the Windows remote procedure call (RPC) encryption application programming interface (API). The level of RPC encryption (40-bit or 128-bit) depends on the version of the Windows operating system that is running on the application and the database computers. You cannot enable FIPS 140-1 compliant encryption when you use the Multiprotocol Net-Library.

Enforce FIPS 140-1 Compliant Cipher Suites with SQL Server 2000 on Windows 2000
To enforce FIPS 140-1 compliant cipher suites with SQL Server 2000 running on Microsoft Windows 2000, follow these steps:  Make sure that SQL Server 2000 Service Pack 2 (SP2) is installed. Apply the hotfix from the following Microsoft Knowledge Base article so that you can use FIPS 140-1 cipher suites with SQL Server 2000:

324914 SQL Server Connection Fails When RC4 Encryption Is Disabled

 Follow the steps that are detailed in the following Microsoft Knowledge Base article in the &quot;FIPS 140-1 Cipher Suites&quot; section to force Windows 2000 to use only FIPS 140-1 cipher suites:

245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll

 Reboot the computer to make sure that the registry changes and the encryption options are fully enabled on the computer. Configure a certificate by using the typical certificate setup procedure for SQL Server to allow protocol encryption. In the Server Network Utility, make sure that the Force Protocol Encryption check box is selected for the appropriate instance of SQL Server to enforce encryption for that instance. Stop and restart SQL Server 2000, and then verify in the SQL Server error log that encryption is enabled.</li></ol>

Enforce FIPS 140-1 Compliant Cipher Suites with SQL Server 2000 on Windows XP
To enforce FIPS 140-1 compliant cipher suites with SQL Server 2000 running on Microsoft Windows XP, follow these steps: <ol> Make sure that SQL Server 2000 SP2 is installed.</li> Apply the hotfix from the following Microsoft Knowledge Base article so that you can use FIPS 140-1 cipher suites with SQL Server 2000:

324914 SQL Server Connection Fails When RC4 Encryption Is Disabled

</li> In Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.</li> In the Local Security Policy Microsoft Management Console (MMC) snap-in, expand the following nodes: <ul> Security Settings</li> Local Policies</li> Security Options</li></ul>

</li> In the Policy list, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, click Enable, and then click OK to enable this security option.</li> Reboot the computer to make sure that the registry changes and the encryption options are fully enabled on the computer.</li> Configure a certificate by using the typical certificate setup procedure for SQL Server to allow protocol encryption.</li> In the Server Network Utility, make sure that the Force Protocol Encryption check box is selected for the appropriate instance of SQL Server to enforce encryption for that instance.</li> Stop and restart SQL Server 2000, and then verify in the SQL Server error log that encryption is enabled.</li></ol>

For additional information about how to configure SQL Server 2000 to support encryption, click the article number below to view the article in the Microsoft Knowledge Base:

276553 HOW TO: Enable SSL Encryption for SQL Server 2000 with Certificate Server

Additional query words: FIPS 140-1 Ciphers encryption decryption

Keywords: kbinfo kbqfe KB325757

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.