
I have a problem similar to this question: Windows 7 “Cryptographic Operators”.

I am attempting to add a cryptographic rule. When I get to the step to set the cryptographic algorithms I get an "Access is Denied" message stating I need to be a member of the Cryptographic Operators group.

The command I'm running is:

    netsh advfirewall mainmode set rule name="TestRule" new mmkeylifetime=20mins MMSecmethods=ecdhp384:aes256-sha384

The thing is, the user I'm logged in as is a member of the Cryptographic Operators group. I've also made sure I'm a member of the Network Configuration Operators group. The CMD window was run as administrator.

Any advice?

1 Answer


I ran into what sounds like the same issue, only encountered when making changes to Windows Firewall's IPsec defaults. I was doing so via C# and WMI, but also tested via PowerShell, and via the UI. I was able to read from the WMI providers, and write to most of them, but when writing to a particular one (MSFT_NetIKEMMCryptoSet) I'd get "Access is Denied." Luckily, I got a more descriptive error via the UI:

[image: error dialog]

The problem was that my user was in both the Administrators and Cryptographic Operators groups. I ended up in that situation because only Administrators had logon rights, and I didn't foresee there being a conflict (since I had to run my code in an Admin elevated context). Generally someone managing certificates/cryptography will be a separate user from the system administrator (secure separation of duties). There is likely a group policy that is denying Administrators access (I just haven't had time to track it down yet).

I explicitly gave the user logon rights, and removed them from the Administrators group. Once I logged out and back in with that user they no longer got "Access is Denied."

C B
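The answer above reports that the denial appeared when the same token carried both Administrators and Cryptographic Operators. The following PowerShell diagnostic is an added example, not code from the asker or the answerer: it reports which of the relevant BUILTIN groups are actually enabled in the current process token (not just listed as local group memberships), whether the session is elevated, and then runs a read-only netsh probe. The well-known SIDs used for the three groups are an assumption of this script and do not appear on the page.

```powershell
# Added diagnostic for the "Access is Denied" situation described above.
# Not the page's own code; it assumes the well-known BUILTIN group SIDs below.
$groupSids = @{
    'Administrators'                  = 'S-1-5-32-544'
    'Cryptographic Operators'         = 'S-1-5-32-569'
    'Network Configuration Operators' = 'S-1-5-32-556'
}

function Get-TokenGroupReport {
    # WindowsIdentity.Groups returns only groups that are enabled in the token.
    # A non-elevated admin (UAC filtered token) therefore does not show
    # Administrators here, while an elevated prompt does.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $tokenSids = $identity.Groups | ForEach-Object { $_.Value }

    $report = @{
        User     = $identity.Name
        Elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    foreach ($name in $groupSids.Keys) {
        $report[$name] = ($tokenSids -contains $groupSids[$name])
    }
    New-Object PSObject -Property $report |
        Select-Object User, Elevated, 'Administrators', 'Cryptographic Operators', 'Network Configuration Operators'
}

$r = Get-TokenGroupReport
$r | Format-List

if ($r.'Administrators' -and $r.'Cryptographic Operators') {
    Write-Warning ("{0} has both Administrators and Cryptographic Operators enabled in this token; " +
                   "the answer above reports that this combination produced 'Access is Denied'." -f $r.User)
}
elseif (-not $r.'Cryptographic Operators') {
    # Group membership only reaches the token at the next logon.
    Write-Warning "Cryptographic Operators is not enabled in this token; log off and back on after adding the user to the group."
}

# Read-only probe: listing main mode rules does not write to the crypto set,
# so it shows whether netsh access in general works before attempting 'set rule'.
$null = netsh advfirewall mainmode show rule name=all 2>&1
"netsh 'mainmode show rule' exit code: $LASTEXITCODE"
```

Run it from the same elevated prompt in which the failing `netsh advfirewall mainmode set rule` command was issued. If Cryptographic Operators shows as `False`, the group was added after the current logon; if both it and Administrators show `True`, the token matches the conflicting state the answer describes.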