INF: Using SQL Server 2000 with FIPS 140-1 Ciphers (325757)
The information in this article applies to:

  • Microsoft SQL Server 2000 (all editions)

This article was previously published under Q325757

SUMMARY

Microsoft SQL Server 2000 can use Secure Sockets Layer (SSL) to encrypt all data that is transmitted between an application computer and an instance of SQL Server on a database computer. This article describes how to set up Microsoft SQL Server 2000 to enforce FIPS 140-1 cipher suites when SQL Server performs protocol encryption.

MORE INFORMATION

When SQL Server 2000 performs protocol encryption, SQL Server 2000 uses the Schannel (TLS/SSL Security Provider) encryption functions that are built into the Microsoft Windows operating system to encrypt and to decrypt the protocol packets. To enforce FIPS 140-1 compliant encryption with SQL Server 2000, you must configure the computer that SQL Server is running on to enforce this encryption level.

NOTE: For compatibility with earlier versions of SQL Server, the Multiprotocol Net-Library continues to support its own encryption. This encryption is specified independently of the SSL encryption and is implemented by calling the Windows remote procedure call (RPC) encryption application programming interface (API). The level of RPC encryption (40-bit or 128-bit) depends on the version of the Windows operating system that is running on the application and the database computers. You cannot enable FIPS 140-1 compliant encryption when you use the Multiprotocol Net-Library.

Enforce FIPS 140-1 Compliant Cipher Suites with SQL Server 2000 on Windows 2000

To enforce FIPS 140-1 compliant cipher suites with SQL Server 2000 running on Microsoft Windows 2000, follow these steps:
  1. Make sure that SQL Server 2000 Service Pack 2 (SP2) is installed.
  2. Apply the hotfix from the following Microsoft Knowledge Base article so that you can use FIPS 140-1 cipher suites with SQL Server 2000:

    324914 SQL Server Connection Fails When RC4 Encryption Is Disabled

  3. Follow the steps that are detailed in the following Microsoft Knowledge Base article in the "FIPS 140-1 Cipher Suites" section to force Windows 2000 to use only FIPS 140-1 cipher suites:

    245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll

  4. Reboot the computer to make sure that the registry changes and the encryption options are fully enabled on the computer.
  5. Configure a certificate by using the typical certificate setup procedure for SQL Server to allow protocol encryption.
  6. In the Server Network Utility, make sure that the Force Protocol Encryption check box is selected for the appropriate instance of SQL Server to enforce encryption for that instance.
  7. Stop and restart SQL Server 2000, and then verify in the SQL Server error log that encryption is enabled.

Enforce FIPS 140-1 Compliant Cipher Suites with SQL Server 2000 on Windows XP

To enforce FIPS 140-1 compliant cipher suites with SQL Server 2000 running on Microsoft Windows XP, follow these steps:
  1. Make sure that SQL Server 2000 SP2 is installed.
  2. Apply the hotfix from the following Microsoft Knowledge Base article so that you can use FIPS 140-1 cipher suites with SQL Server 2000:

    324914 SQL Server Connection Fails When RC4 Encryption Is Disabled

  3. In Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.
  4. In the Local Security Policy Microsoft Management Console (MMC) snap-in, expand the following nodes:
    • Security Settings
    • Local Policies
    • Security Options

  5. In the Policy list, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, click Enable, and then click OK to enable this security option.
  6. Reboot the computer to make sure that the registry changes and the encryption options are fully enabled on the computer.
  7. Configure a certificate by using the typical certificate setup procedure for SQL Server to allow protocol encryption.
  8. In the Server Network Utility, make sure that the Force Protocol Encryption check box is selected for the appropriate instance of SQL Server to enforce encryption for that instance.
  9. Stop and restart SQL Server 2000, and then verify in the SQL Server error log that encryption is enabled.
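
Because Schannel treats a cipher whose registry key or Enabled value is absent as enabled, restricting cipher suites is easy to get half right; the audit script below, added here as an example and not part of the original article, parses a .reg export of the Schannel Ciphers key and lists every non-FIPS cipher that is still enabled. The registry path, the cipher subkey names and the "missing means enabled" default are assumptions drawn from standard Schannel behaviour, not from this article, and the sample export is constructed; cross-check the names against KB 245030 before relying on them.

```python
import re

# Schannel cipher subkeys (under ...\SCHANNEL\Ciphers) that are not FIPS 140-1
# cipher suites. Assumed names per the Schannel convention; verify against KB 245030.
NON_FIPS_CIPHERS = ("RC4 128/128", "RC4 56/128", "RC4 40/128",
                    "RC2 128/128", "RC2 56/128", "RC2 40/128", "NULL")
CIPHERS_PATH = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                r"\SecurityProviders\SCHANNEL\Ciphers")

# Constructed sample of what `reg export` of the Ciphers key might produce:
# RC4 128/128 explicitly disabled, RC4 40/128 explicitly enabled, the rest absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: int}} (DWORD values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_fips_ciphers(reg_text):
    """Return non-FIPS ciphers still enabled. Only an explicit Enabled=0 disables
    a cipher; a missing key or missing value is treated as enabled (Schannel default)."""
    keys = parse_reg_export(reg_text)
    return [name for name in NON_FIPS_CIPHERS
            if keys.get(f"{CIPHERS_PATH}\\{name}", {}).get("Enabled", 0xFFFFFFFF) != 0]


if __name__ == "__main__":
    for name in audit_fips_ciphers(SAMPLE_EXPORT):
        print(f"still enabled (not FIPS 140-1): {name}")
```

On a real host, feed the script the output of `reg export` for the Ciphers key; an empty report means every listed non-FIPS cipher carries an explicit Enabled=0.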

For additional information about how to configure SQL Server 2000 to support encryption, click the article number below to view the article in the Microsoft Knowledge Base:

276553 HOW TO: Enable SSL Encryption for SQL Server 2000 with Certificate Server

Modification Type: Major
Last Reviewed: 10/2/2003
Keywords: kbinfo kbQFE KB325757