Windows 7 "Cryptographic Operators"

I found the answer myself, so I'll post it here.

The TechNet article Netsh AdvFirewall MainMode Commands explains:

Typing the command mainmode at the netsh advfirewall context changes to the netsh advfirewall mainmode context, where you can view, create, and modify main mode rules that specify how IPsec negotiates main mode security associations between computers on the network. This context has no equivalent in the Windows Firewall with Advanced Security MMC snap-in.

Moreover:

This netsh context is subject to the requirements of the Common Criteria mode. If enabled, then administrators can create main mode rules, but they cannot specify the mmsecmethods or mmkeylifetime parameters. Only members of the Cryptographic Operators group can set or modify those parameters. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (http://go.microsoft.com/fwlink/?linkid=147070).

I made up the following example, which clarifies the point.

  • Enable System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, as described in the question.
  • Log in as a member of the Cryptographic Operators group.
  • Open a command prompt, elevated as an administrator, and type the following command:

netsh advfirewall mainmode add rule name="TestRule" auth1=computercert auth1ca="CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" profile=domain

  • (Optional) You can check the rule just created by:

netsh advfirewall mainmode show rule name="TestRule"

  • You may now try to set the cryptographic algorithms or the key lifetime. However, since the system is in Common Criteria mode, the administrator is denied access to these options:

netsh advfirewall mainmode set rule name="TestRule" new mmkeylifetime=20min Mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384

--> Access is denied.

  • Now, open a new command prompt, elevated as the current user, who is a member of the Cryptographic Operators group (important).

  • Try the above command again; it will execute successfully.


Don't forget to delete the rule just created, or it may have adverse effects on your network policies:

netsh advfirewall mainmode delete rule name="TestRule"


PS: While the netsh command prevents the administrator from changing IPsec crypto settings (in Windows Common Criteria mode), the admin can easily change the settings using the following registry key:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\Phase1CryptoSet\{GUID-of-rule}

See 2.2.5 Cryptographic Sets for more info.
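
The PS in the answer above points out that the registry path is not covered by the netsh restriction. As an added example (not part of the original answer), this read-only PowerShell script lists which principals hold an explicit write right on that key and reports any drift of its values against a saved baseline. The baseline file location and the function name are assumptions made for the example, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original answer. Read-only; run elevated.
# $BaselineFile is an assumed location; in practice store the baseline off-host.
param([string]$BaselineFile = "$env:ProgramData\Phase1CryptoSet-baseline.json")

$root = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\Phase1CryptoSet'
if (-not (Test-Path -LiteralPath $root)) { throw "Key not found: $root" }

# Principals whose Allow ACE carries the explicit SetValue bit.
# ACEs expressed with generic rights are not expanded here.
$setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
(Get-Acl -LiteralPath $root).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights) -band $setValue) } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize | Out-Host

# Flatten every value under the key (and its subkeys) into "path\name" -> "kind:data".
function Get-CryptoSetSnapshot {
    $snap = [ordered]@{}
    $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)
    foreach ($k in $keys | Sort-Object Name) {
        foreach ($v in $k.GetValueNames() | Sort-Object) {
            $data = $k.GetValue($v, $null, 'DoNotExpandEnvironmentNames')
            $text = if ($data -is [byte[]]) { [BitConverter]::ToString($data) } else { $data -join '|' }
            $snap["$($k.Name)\$v"] = "$($k.GetValueKind($v)):$text"
        }
    }
    $snap
}

$current = Get-CryptoSetSnapshot
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
    "Baseline written: $($current.Count) values"
    return
}

# Load the saved baseline back into a hashtable.
$saved = @{}
(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $saved[$_.Name] = $_.Value }

# Report values that were added, removed or changed since the baseline.
$drift = foreach ($name in @($current.Keys) + @($saved.Keys) | Sort-Object -Unique) {
    if ($saved[$name] -ne $current[$name]) {
        [pscustomobject]@{ Value = $name; Baseline = $saved[$name]; Current = $current[$name] }
    }
}
if ($drift) { $drift | Format-List | Out-Host; exit 1 } else { 'No drift from baseline.' }
```

The first run records the baseline; later runs exit with code 1 when any value differs, so the script can be scheduled and its exit code alerted on.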


Windows firewall MMC

I had a similar problem where I couldn't add a key exchange method (main mode) in the custom IPsec settings of the Windows Firewall. The error was:

Access denied while saving settings. You must be a member of the Cryptographic Operators security group to change these settings.

My workaround, however, was, as crazy as it sounds, to open the local security policy and click on the "Windows Firewall Properties". You can change settings here that you cannot change via the "Windows Firewall with Advanced Security" application (Windows Server 2012R2).