LOGbinder Blog


FIPS Mode and LOGbinder software

Mon, 25 Jan 2016 14:21:48 GMT

Recently, 3 different customers in as many days came to us with the same problem: LOGbinder installation would return “Error 1001” and fail to install. We’re not sure why this suddenly became an issue mid-January 2016, but the problem turned out to be with the Local Security Policy setting enabling “FIPS mode”, specifically the security option called “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.

FIPS mode has an interesting history. We thought we’d pass along Microsoft’s TechNet post about it so you can understand how to address this issue should it come up in your organization.

In April 2014 Microsoft posted “Why We’re Not Recommending ‘FIPS Mode’ Anymore.” Before that post, Microsoft had recommended enabling a Local Security Policy setting to enforce the US Federal Information Processing Standard (FIPS) 140, which requires that an implementation of a cryptographic algorithm be validated by the National Institute of Standards and Technology (NIST). With the setting enabled, any implementation that had not been submitted to NIST for validation was blocked on the local system.

However, the April post listed several compelling reasons why FIPS-140 is deficient, going so far as to call it “particularly onerous”. Enabling FIPS mode in Security Policy arbitrarily presumes that non-validated cryptographic classes are undesirable, when in fact they may be just as good and run much faster. The problems it creates for applications built on the .NET Framework are more troublesome still. To quote the article:

“If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved...

“Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster…

“Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards.”

It is in this context that we report that LOGbinder will not run if FIPS mode is enabled on the server where it is installed. LOGbinder software uses Microsoft’s recommended cryptography implementations; they perform well and provide excellent protection. However, they are incompatible with FIPS mode.
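To see whether a server is in this state before installing, the following diagnostic is an added example and not LOGbinder’s own code: it reads the policy value behind the “Use FIPS compliant algorithms” security option, reports what the running .NET Framework actually enforces, and then tries the Managed versus CryptoServiceProvider/Cng hash classes the TechNet post contrasts. It assumes Windows PowerShell 5.1, which runs on the .NET Framework that applies this enforcement.

```powershell
# Added example, not part of LOGbinder: diagnose the "System cryptography: Use FIPS
# compliant algorithms for encryption, hashing, and signing" policy on this server.
# Assumes Windows PowerShell 5.1 (.NET Framework); .NET Core/.NET 5+ do not enforce this.

function Get-FipsPolicyState {
    # The security option is stored as a DWORD named Enabled under this key (1 = on).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $registryEnabled = 0
    if (Test-Path $key) {
        $value = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($null -ne $value) { $registryEnabled = [int]$value.Enabled }
    }
    [pscustomobject]@{
        RegistryEnabled = ($registryEnabled -eq 1)
        # The runtime reads the policy once at process start, so this can lag behind the
        # registry if the setting was changed while this process was already running.
        DotNetEnforced  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-HashImplementation {
    param([Parameter(Mandatory)][string]$TypeName)
    # Under FIPS mode, constructing a non-validated class throws InvalidOperationException;
    # New-Object surfaces that as the InnerException of its own error.
    try {
        $algo = New-Object -TypeName $TypeName
        $null = $algo.ComputeHash([byte[]](1..8))   # constructed sample input
        $algo.Dispose()
        [pscustomobject]@{ Type = $TypeName; Status = 'allowed'; Detail = '' }
    } catch {
        $err = $_.Exception
        if ($err.InnerException) { $err = $err.InnerException }
        [pscustomobject]@{ Type = $TypeName; Status = 'blocked'; Detail = $err.Message }
    }
}

Get-FipsPolicyState | Format-List

# Managed implementations beside their CSP/CNG counterparts; MD5 is included because it is
# blocked under FIPS mode regardless of implementation.
'System.Security.Cryptography.SHA256Managed',
'System.Security.Cryptography.SHA256CryptoServiceProvider',
'System.Security.Cryptography.SHA256Cng',
'System.Security.Cryptography.MD5CryptoServiceProvider' |
    ForEach-Object { Test-HashImplementation -TypeName $_ } |
    Format-Table -AutoSize
```

With the policy on, the output shows SHA256Managed as blocked while SHA256CryptoServiceProvider and SHA256Cng are allowed, which is exactly the .NET behaviour the quoted post describes. The .NET Framework also allows an individual application to opt out through `<enforceFIPSPolicy enabled="false"/>` in the runtime section of its .config file; whether that is the mechanism LOGbinder support uses is not stated in this post.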

If your organization must enable FIPS mode on the server running LOGbinder (for a reason that outweighs all the reasons not to, as laid out in Microsoft’s post nearly 2 years ago), then contact our support desk using the word “FIPS” in the subject line. They can walk you through how to manually install files in the LOGbinder installation directory to overcome the security policy setting just for the LOGbinder application.

Click here to read the TechNet post: http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
