What does your mind link to with the FIPS acronym? FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper, instead of Fippler, all that said being ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’
The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’, is obtaining the files. The current bundled SCOM ISO’s since 2012 SP1 do NOT contain the gacutil, and cryptography DLL files, to resolve STIG V-220942 (win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), V-254480 (Server 2022). As much as we want to resolve FIPS ‘STIGS for SCOM FIPS compliance for Windows Server’, gotta start with the finding relevant files. My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj, for their involvement and clarification.
Install DLL for STIGs for SCOM FIPS compliance on Windows
Time to mitigate!
Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) for resolving multiple ‘STIGs for SCOM FIPS compliance for Windows Server’. Blog post applies to multiple STIG(s) including STIGs V-220942, V-226335, V-73701, V-93511, V-254480
Download files
Whether from blog download link, or if you have the old ISO’s to obtain the DLL, and server ISO for gacutil , or myvisualstudio.com link
If you downloaded from my.visualstudio.com, extract from ISO.
Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.
Download the DLL to the SCOM default folder –
Best practice is SCOM Default folder on non-system disk @
D:\Program Files\System Center\Operations Manager\Server
Update the registry on relevant servers
Registry key update is required to mitigate ‘STIGs for SCOM FIPS compliance on Windows’.
STIG states to create Enabled Key with a value of 1 in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
Verification via RegEdit (registry editor)
PowerShell Verification:
$RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”
[string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled
if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }
Example Output
PS C:\> $RegPath = “HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy”
PS C:\> [string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled
PS C:\> $FIPSEnabled
0
PS C:\> if ( $FIPSEnabled -eq 0 ) {write-host “FIPS disabled” }
FIPS disabled
PowerShell to set the registry key:
Blog link
$registryPath = “HKCU:\Software\ScriptingGuys\Scripts”
$Name = “Version”
$value = “1”
New-ItemProperty -Path $registryPath -Name $name -Value $value `
-PropertyType DWORD -Force | Out-Null
Reboot web console servers to verify web console functionality!
This concludes resolving ‘STIGs for SCOM FIPS compliance for Windows Server’
Relevant links and documentation of ‘STIGs for SCOM FIPS compliance on Windows’
Download from blog here (Link https://kevinjustin.com/downloads/FIPS/SCOM-FIPS-dll-and-gacutil.zip)
Nathan Gau’s blog here
VisualStudio download for SCOM ISO’s here
STIG V-220942 for Windows 10
STIG V-226335 for Windows Server 2012/2012R2
STIG V-73701 for Windows Server 2016
STIG V-93511 for Windows Server 2019
STIG V-254480 for Windows Server 2022
NIST reference for hash functions https://csrc.nist.gov/projects/hash-functions
TechNet migrated forum post here
Tenable link for Server 2016 here
NIST policy for Windows Server2019 https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf
Windows runs per FIPS 140-2 Section 4.9 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation
Researching further, Microsoft certified server2016,2019 per learn articles.
Server 2016 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation
Server 2019 https://learn.microsoft.com/en-us/compliance/regulatory/offering-fips-140-2
To Counter the STIG https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/