← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:30218 · Disclosed 2008-02-11

Terminal Services Encryption Level is not FIPS-140 Compliant

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a dress-code violation at the vault door, not a lock that attackers can pick

Tenable plugin 30218 is a configuration/compliance check on Windows Terminal Services / Remote Desktop Services, not a software flaw with a vendor patch. It fires when the host's RDP configuration is not set to FIPS-compliant mode—typically when MinEncryptionLevel is not 4 and the system FIPS policy is not enabled. In practice, that can apply to a broad range of Windows client and server builds wherever RDP is enabled, because the condition is about how RDP is configured, not about a vulnerable version range.

For most enterprises, Tenable's LOW is still generous; the real operational severity is IGNORE in a patch-priority queue unless you are in a formal FIPS boundary. The missing setting does not by itself give an attacker code execution, authentication bypass, or session decryption. Microsoft also recommends avoiding native RDP encryption in favor of SSL/TLS, and current DISA guidance for mainstream Windows hardening emphasizes High encryption for RDP sessions rather than blindly forcing FIPS everywhere.

"This is an audit finding, not a practical intrusion path; keep it out of your patch fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an RDP listener with nmap / rdp-enum-encryption

An attacker starts by finding hosts exposing TCP/3389 and then fingerprinting RDP security posture with tooling such as Nmap NSE rdp-enum-encryption. This can reveal whether the endpoint supports native RDP security versus TLS-backed negotiation, but it does not prove the host is exploitable.
Conditions required:
  • RDP reachable from the attacker position
  • RDP service enabled and answering
Where this breaks in practice:
  • Most enterprises do not intentionally expose broad internal RDP populations to the internet
  • The exact FIPS policy state is not reliably derivable from a simple external scan when TLS or negotiation is in use
Detection/coverage: Exposure scanners will easily find TCP/3389, but they do not reliably convert this plugin condition into confirmed compromise risk.
STEP 02

Confirm the host is not in FIPS mode

To validate Tenable's condition precisely, the attacker or auditor usually needs local or administrative visibility into registry or policy state such as MinEncryptionLevel and FIPSAlgorithmPolicy. That is already post-access or privileged validation, not an initial intrusion technique.
Conditions required:
  • Registry or policy visibility on the target
  • Knowledge of RDP listener configuration
Where this breaks in practice:
  • This prerequisite already implies internal access or management-plane visibility
  • If SSL/TLS is enforced, the plugin condition becomes mostly a compliance interpretation, not a network attack surface
Detection/coverage: Credentialed assessment tools and compliance scanners catch this well; unauthenticated perimeter tooling generally does not.
STEP 03

Turn non-FIPS posture into meaningful security impact

This is where the chain falls apart. Not being in FIPS mode does not automatically weaken a modern RDP deployment into plaintext or trivial decryption; the attacker still needs a separate path such as stolen credentials, exposed legacy RDP, weak security layer choices, or man-in-the-middle positioning.
Conditions required:
  • A separate RDP weakness or credential path
  • Potentially a MITM or downgrade opportunity depending on configuration
Where this breaks in practice:
  • No known public exploit chain turns 'MinEncryptionLevel != 4' into host compromise by itself
  • Modern controls like NLA, TLS, MFA on jump hosts, NGFW policy, and exposure management usually dominate the actual risk
Detection/coverage: There is no meaningful exploit signature specific to this finding because it is not an exploit primitive on its own.
STEP 04

Actual impact is usually audit failure, not breach

In real environments, the concrete outcome is almost always a compliance exception for organizations that require FIPS-validated cryptographic operation. If you are not in that compliance scope, this belongs in a hardening backlog—not in emergency patch governance.
Conditions required:
  • Formal FIPS/CMMC/CJIS/FedRAMP-style requirement, or customer contract that mandates validated crypto
Where this breaks in practice:
  • Outside regulated enclaves, business impact is weak
  • There is no vendor patch or version-specific emergency to schedule
Detection/coverage: Compliance platforms and benchmark audits catch this; EDR and NDR are not the right tools for it.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo evidence of active exploitation as a standalone intrusion vector. This is a configuration/compliance check, not a tracked CVE exploit path.
Proof-of-concept availabilityNo exploit PoC to compromise a host from this condition alone. Enumeration tooling like Nmap rdp-enum-encryption can inspect RDP posture, but that is reconnaissance, not weaponization.
EPSSN/Ano CVE, so no FIRST EPSS record applies.
KEV statusN/A — not a CVE and not present in CISA KEV.
Vendor scoreTenable marks it Low, manually scored 2.6 with vector AV:N/AC:H/Au:N/C:P/I:N/A:N. That's already soft, but still too security-centric for what is usually a compliance-only issue.
Affected scopeConfiguration-based, not version-based. Any Windows system with Terminal Services / RDP enabled and not configured for FIPS-compliant RDP operation can trigger the plugin.
Fixed version / fix typeNo patch version exists. Remediation is a policy/configuration change: set MinEncryptionLevel=4 or enable the Windows FIPS policy *if* your compliance scope requires it.
Modern hardening contextMicrosoft says native RDP encryption is not recommended versus SSL/TLS, and DISA Windows guidance for RDP session encryption commonly targets High level rather than forcing FIPS in every deployment.
Exposure telemetryPopulation sizing is poor. Internet telemetry can tell you a host exposes RDP, but not reliably whether this exact FIPS setting is absent, especially when TLS/Negotiate is used. That sharply limits external exploitability claims.
Disclosure / sourceTenable plugin published 2008-02-11. This is longstanding hardening/compliance logic, not a newly disclosed software defect.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to IGNORE (0.6/10)

The decisive factor is that this finding does not create a practical compromise path by itself; it measures whether RDP is running in a FIPS-validated mode, not whether attackers can break into the box. In real fleets, the true risk is driven by RDP exposure, TLS/NLA posture, and credential controls, not by this single compliance toggle.

HIGH Exploitability reassessment for mainstream enterprise environments
MEDIUM Compliance impact because it depends on whether the host sits inside a formal FIPS-required boundary

Why this verdict

  • Requires the wrong problem statement: an attacker does not win by discovering MinEncryptionLevel != 4; they still need a separate RDP weakness, credential path, or MITM position.
  • Reachable population is narrower than the plugin implies: the condition is not reliably externally observable when TLS/Negotiate is used, so internet-wide exploit scaling is weak.
  • Modern controls dominate the risk: NLA, TLS, MFA on jump hosts, segmentation, and exposure management are what materially change breach probability here—not the FIPS flag.

Why not higher?

There is no public evidence that this setting alone yields remote code execution, auth bypass, or deterministic session compromise. The attack chain needs additional prerequisites that are both environment-specific and usually more important than this finding itself.

Why not lower?

It is still worth recording because some regulated environments genuinely require FIPS-validated operation, and the finding can represent a real audit gap there. Also, if a host is using weak or legacy RDP security settings more broadly, this plugin can be a hint that the RDP baseline deserves review.

05 · Compensating Control

What to do — in priority order.

  1. Enforce TLS and NLA for RDP — Prioritize the controls that change breach likelihood: require TLS-backed RDP where supported, require NLA, and keep RDP behind managed access paths. For an IGNORE verdict there is no vulnerability SLA action, so handle this as baseline hardening rather than emergency remediation.
  2. Restrict RDP exposure — Limit 3389 to jump hosts, VPN, bastions, or administrative subnets and remove unnecessary direct exposure. This addresses the real attack surface immediately, whereas FIPS-only tuning mostly addresses audit language.
  3. Route FIPS-only gaps to the compliance owner — If the asset is in a formal FIPS boundary, track this under your configuration-compliance program and validate the exact approved mode required by the platform's security policy. That keeps patch governance focused on exploitable defects while still closing audit findings.
What doesn't work
  • Turning on Windows FIPS mode everywhere just to silence the plugin; that can create compatibility issues and still does not solve exposed-RDP or stolen-credential risk.
  • Treating this as a patching emergency; there is no vendor security patch or version-specific fix to roll out.
  • Assuming RDP exposure alone proves this finding is exploitable; the plugin checks a configuration state, not a ready-made remote exploit path.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your normal remote administration channel, for example: powershell -ExecutionPolicy Bypass -File .\check-rdp-fips.ps1. Standard local read access to the registry is usually enough; administrator rights are only needed if your environment restricts those keys.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
# check-rdp-fips.ps1

# Verifies the condition behind Tenable plugin 30218.

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'

function Get-RegDword {
    param(
        [string]$Path,
        [string]$Name
    )
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    }
    catch {
        return $null
    }
}

$policyTsPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$liveTsPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$fipsPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
$rdpCorePath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Prefer policy values when present because they override local settings.

$policyMin = Get-RegDword -Path $policyTsPath -Name 'MinEncryptionLevel'
$liveMin   = Get-RegDword -Path $liveTsPath   -Name 'MinEncryptionLevel'
$effMin    = if ($null -ne $policyMin) { $policyMin } else { $liveMin }

$policySec = Get-RegDword -Path $policyTsPath -Name 'SecurityLayer'
$liveSec   = Get-RegDword -Path $liveTsPath   -Name 'SecurityLayer'
$effSec    = if ($null -ne $policySec) { $policySec } else { $liveSec }

$fipsEnabled    = Get-RegDword -Path $fipsPath    -Name 'Enabled'
$denyTsConn     = Get-RegDword -Path $rdpCorePath -Name 'fDenyTSConnections'

# Helpful labels

$secLabel = switch ($effSec) {
    0 { 'RDP' }
    1 { 'Negotiate' }
    2 { 'SSL/TLS' }
    default { 'Unknown/Unset' }
}

Write-Host ('Effective SecurityLayer    : {0} ({1})' -f $effSec, $secLabel)
Write-Host ('Effective MinEncryptionLevel: {0}' -f $effMin)
Write-Host ('System FIPS policy enabled  : {0}' -f $fipsEnabled)
Write-Host ('RDP connections disabled    : {0}' -f $denyTsConn)

# If RDP is disabled, the plugin condition is not operationally relevant.

if ($denyTsConn -eq 1) {
    Write-Host 'UNKNOWN - RDP is disabled on this host; plugin applicability is operationally moot.'
    exit 2
}

# Tenable-style pass condition: FIPS policy enabled or MinEncryptionLevel explicitly set to 4.

if (($fipsEnabled -eq 1) -or ($effMin -eq 4)) {
    Write-Host 'PATCHED - Host is configured for FIPS-compliant RDP operation.'
    exit 0
}

# If TLS is enforced and encryption is High or better, the plugin may still fail,

# but the practical risk is compliance-only rather than exploitability.

if (($effSec -eq 2) -and ($effMin -ge 3)) {
    Write-Host 'UNKNOWN - TLS/High RDP is configured; not FIPS-compliant by this check, but practical security risk is not demonstrated.'
    exit 2
}

Write-Host 'VULNERABLE - Host is not configured for FIPS-compliant RDP encryption per plugin 30218.'
exit 1
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not put this in the patch fire drill. Close it in the vulnerability queue as a non-exploitable configuration/compliance finding, document that there is no noisgate mitigation SLA or noisgate remediation SLA for an IGNORE verdict, and only open a separate hardening/compliance task if the affected systems sit inside a formal FIPS-required enclave; otherwise spend your time on exposed RDP, TLS/NLA enforcement, and credential-path controls instead.

Sources

  1. Tenable Nessus Plugin 30218
  2. Microsoft Learn - RemoteDesktopServices Policy CSP
  3. Microsoft Learn - Troubleshoot establishing Terminal Services session
  4. Microsoft Learn - System cryptography: Use FIPS compliant algorithms
  5. Microsoft Learn - Windows FIPS 140 validation
  6. Microsoft Learn - Remote Assistance connection with FIPS encryption issue
  7. STIG Viewer - Remote Desktop Services encryption level finding
  8. NIST CSRC - Cryptographic Module Validation Program
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.