FIPS Compliant Algorithms and IIS

by Chris 5/3/2008 10:18:40 PM

Working with my customer I ran into an interesting issue that I think is worth sharing with everyone (not to imply that everyone is reading my blog).  I work with the government, and we have been forced to configure our web servers with the FIPS compliant algorithms.  If you aren't familiar with this setting, you can find it in the secpol.msc console under Local Policies > Security Options as "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing":


It's interesting to note that the FIPS compliant configuration for ASP.NET ends up using 3DES, which is theoretically less secure than the AES (Rijndael) algorithm that ASP.NET 2.0 uses by default.  AES itself is a FIPS approved algorithm; the catch is that the managed RijndaelManaged class ASP.NET 2.0 uses for view state is not a FIPS validated implementation, while the 3DES implementation comes from the validated Windows cryptographic provider.  Nonetheless we had to enable the FIPS setting on our web servers.  After making this change we didn't immediately notice any issues.  Unfortunately we did run into an issue the first time we had to switch the debug setting (compilation debug="true" in web.config) to True.  After switching on debug mode we were unable to complete a connection to the web servers.  Nothing obvious was displayed to help troubleshoot why we were experiencing an issue.


It was only after spending many hours that we discovered that ASP.NET debug mode doesn't natively support FIPS mode.  What this means is that your web sites will run just fine when you have FIPS compliant algorithms configured until you enable debug mode.  A little more searching and I ran across a KB Support Article that explained more about what is happening.  Another interesting article talks about validation of view state data that might be worth a read; though this last article isn't directly related to the FIPS issue I am talking about, it will help you understand how the view state data is handled.

There is, however, a possible workaround that I haven't tried yet, though I plan on testing it soon and will update this entry with the results.  According to the KB article mentioned above I can change the default encryption used for validating the view state data by setting the machineKey element in web.config.

<system.web>
  <!-- Force the FIPS validated 3DES provider instead of the managed AES (Rijndael) default -->
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="3DES"
              decryption="3DES"/>
</system.web>

Hopefully this will allow us to enable debug mode for those times when it's critical to debug our production web servers.  Two caveats to keep in mind: AutoGenerate keys are per-machine, so a web farm needs explicit, identical validationKey and decryptionKey values on every node, and debug="true" should be switched back off as soon as the troubleshooting is done, since it disables compiler optimizations and exposes more detail in error pages.
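To make the check above repeatable, here is a small audit script, added here as an example and not code from the original post or from Microsoft.  It parses a web.config, reports whether compilation debug is on and which machineKey algorithms are in effect, and flags the combination the post describes: the ASP.NET 2.0 default (decryption="Auto", which resolves to AES through the managed RijndaelManaged class) under a FIPS policy.  The two sample configs are constructed for the example; the default values for absent attributes are taken from the ASP.NET 2.0 machineKey documentation, and the "3DES for both attributes" rule is the workaround from the KB article the post links.

```python
"""Audit an ASP.NET web.config for the FIPS-mode view-state problem.

Added example, not code from the original post.  Rule applied: with the
Windows "Use FIPS compliant algorithms" policy on, ASP.NET 2.0's default
view-state crypto (decryption="Auto" -> AES via RijndaelManaged) is
rejected; the KB workaround is validation="3DES" decryption="3DES".
"""
import xml.etree.ElementTree as ET

# ASP.NET 2.0 defaults when the attribute is absent from <machineKey>.
DEFAULT_VALIDATION = "SHA1"
DEFAULT_DECRYPTION = "Auto"

# Values the KB workaround requires under FIPS mode.
FIPS_SAFE_VALIDATION = "3DES"
FIPS_SAFE_DECRYPTION = "3DES"


def audit_web_config(config_xml: str) -> dict:
    """Return the effective debug/machineKey settings plus findings."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        raise ValueError("no <system.web> element in web.config")

    compilation = system_web.find("compilation")
    debug = (compilation is not None
             and compilation.get("debug", "false").lower() == "true")

    machine_key = system_web.find("machineKey")
    validation = DEFAULT_VALIDATION
    decryption = DEFAULT_DECRYPTION
    if machine_key is not None:
        validation = machine_key.get("validation", DEFAULT_VALIDATION)
        decryption = machine_key.get("decryption", DEFAULT_DECRYPTION)

    findings = []
    if machine_key is None:
        findings.append("no <machineKey>: ASP.NET defaults apply "
                        f"(validation={DEFAULT_VALIDATION}, "
                        f"decryption={DEFAULT_DECRYPTION})")
    if decryption.upper() in ("AUTO", "AES"):
        findings.append(f'decryption="{decryption}" selects AES via '
                        "RijndaelManaged, which is not FIPS validated; "
                        'set decryption="3DES"')
    elif decryption.upper() != FIPS_SAFE_DECRYPTION:
        findings.append(f'decryption="{decryption}" is not the KB workaround '
                        'value; set decryption="3DES"')
    if validation.upper() != FIPS_SAFE_VALIDATION:
        findings.append(f'validation="{validation}" is not the KB workaround '
                        'value; set validation="3DES"')
    if debug and findings:
        findings.append('compilation debug="true" with the settings above is '
                        "the combination that broke connections; fix "
                        "<machineKey> before enabling debug under FIPS")

    fips_ready = (validation.upper() == FIPS_SAFE_VALIDATION
                  and decryption.upper() == FIPS_SAFE_DECRYPTION)
    return {"debug": debug, "validation": validation,
            "decryption": decryption, "fips_ready": fips_ready,
            "findings": findings}


# Constructed sample configs for the example (not from any real server).
DEFAULT_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>"""

FIPS_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="3DES"
                decryption="3DES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("3DES", FIPS_CONFIG)):
        result = audit_web_config(cfg)
        print(f"{name}: debug={result['debug']} fips_ready={result['fips_ready']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a real web.config by reading the file into a string and passing it to audit_web_config; an empty findings list means the machineKey already matches the workaround.  The script only inspects the config file, so it says nothing about whether the FIPS policy itself is enabled on the host; check that separately in secpol.msc.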

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way. © 2008 Chris Blankenship