Recently, 3 different customers in as many days came to us with the same problem: LOGbinder installation would return “Error 1001” and fail to install. We’re not sure why this suddenly became an issue in mid-January 2016, but the problem turned out to be the Local Security Policy setting that enables “FIPS mode”, specifically the security option called “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.
FIPS mode has an interesting history. We thought we’d pass along Microsoft’s TechNet post about it so you can understand how to address this issue should it come up in your organization.
In April 2014 Microsoft posted “Why We’re Not Recommending ‘FIPS Mode’ Anymore.” Prior to this post, Microsoft recommended a Local Security Policy setting to impose compliance with US Federal Information Processing Standard (FIPS) 140, which requires National Institute of Standards and Technology (NIST) validation of an implementation of cryptographic algorithms. When this setting was enabled, a particular algorithm implementation that had not been submitted to NIST would not be allowed on the local system.
However, the April posting listed multiple, compelling reasons why FIPS-140 is deficient, and even went so far as to call it “particularly onerous”. Enabling FIPS mode in Security Policy arbitrarily presumes that non-validated cryptographic classes are undesirable, when in fact they may be just as good and provide much faster operations. But the problems associated with applications using the .NET Framework are more troublesome. To quote the article:
“If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved... Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster…

“Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards.”
It is in this context that we report that LOGbinder will not run if FIPS mode is enabled on the server where it is installed. LOGbinder software uses Microsoft’s recommended cryptography implementations; they perform well and provide excellent protection. However, they are incompatible with FIPS mode.
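If you hit Error 1001 and want to confirm FIPS mode is the cause before calling support, the following PowerShell script is an added diagnostic example (not LOGbinder’s code and not taken from the TechNet post). It reads the policy value from the registry, asks the .NET runtime whether it is enforcing the policy, and then exercises a Managed hash class alongside its CryptoServiceProvider and Cng counterparts so you can see exactly which implementations the Framework rejects. The registry path, the CryptoConfig property and the three SHA-256 class names are standard Windows and .NET identifiers; the sample input string is constructed for the demonstration.

```powershell
# Added diagnostic example: is the "Use FIPS compliant algorithms" policy on,
# and how does .NET behave under it? Run on the server where the install failed.

# 1. The Local Security Policy setting is persisted as a DWORD named "Enabled"
#    under this key (1 = FIPS mode on, 0 or missing = off).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($fipsEnabled -eq 1) {
    Write-Output 'FIPS mode policy: ENABLED'
} else {
    Write-Output 'FIPS mode policy: disabled'
}

# 2. Ask the .NET runtime directly whether it will refuse non-validated classes.
$enforced = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
Write-Output "CryptoConfig.AllowOnlyFipsAlgorithms = $enforced"

# 3. Try to construct and use a given hash class; report success or the
#    exception the Framework raises. With FIPS mode on, the *Managed class
#    throws InvalidOperationException ("This implementation is not part of the
#    Windows Platform FIPS validated cryptographic algorithms.") while the
#    CryptoServiceProvider and Cng classes keep working.
function Test-HashClass {
    param([string]$TypeName)
    try {
        $algo  = New-Object -TypeName $TypeName
        $bytes = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')
        [void]$algo.ComputeHash($bytes)
        $algo.Dispose()
        return "$TypeName : OK"
    } catch {
        # New-Object wraps the constructor's exception; unwrap to the real cause.
        return "$TypeName : FAILED - $($_.Exception.GetBaseException().Message)"
    }
}

'System.Security.Cryptography.SHA256Managed',
'System.Security.Cryptography.SHA256CryptoServiceProvider',
'System.Security.Cryptography.SHA256Cng' | ForEach-Object { Test-HashClass $_ }
```

If step 1 reports the policy as enabled and step 3 shows only the Managed class failing, you are looking at exactly the .NET behaviour the TechNet quote describes, and the installer error is a symptom of it rather than a defect in the package. For completeness: the .NET runtime also honors a per-application `enforceFIPSPolicy` element in an application’s config file, which is how a single program can be exempted from the machine-wide policy; whether that is what LOGbinder support walks you through is not stated here, so follow their instructions rather than editing the installed configuration on your own.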
If your organization must enable FIPS mode on the server running LOGbinder (for some reason that outweighs all the reasons not to do so, as described in Microsoft’s post nearly 2 years ago), then contact our support desk using the word “FIPS” in the subject line. They can walk you through how to manually install files in the LOGbinder installation directory to overcome the security policy setting just for the LOGbinder application.
Read the TechNet post here: http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx