Does Solarwinds NPM turn off FIPS?

We recently installed Solarwinds NPM to a pre-hardened Windows 2012 R2 installation. This pre-hardened image was already configured to be FIPS compliant. After installing NPM we performed STIG compliance checks on the machine. We discovered that there were two checklist items in the Microsoft Dot Net Framework 4.0 STIG checklist that it failed. The first was checklist item v-30926. This one has us perform the following check:

"Examine the .NET CLR configuration files from the vulnerability discussion to find the runtime element and then the "enforceFIPSPolicy" element.

Example:

</runtime>

</configuration>

By default, the .NET "enforceFIPSPolicy" element is set to "true".

If the "enforceFIPSPolicy" element does not exist within the "runtime" element of the CLR configuration, this is not a finding.

If the "enforceFIPSPolicy" element exists and is set to "false", and the IAO has not accepted the risk and documented the risk acceptance, this is a finding. "

We discovered that the enforceFIPSPolicy parameter had been changed to false in the Common Language Runtime configuration. Does the SolarWinds installation make this change?

The second checklist item that it failed was v-30968. This checklist item has us perform the following check:

"Open Windows explorer and search for *.exe.config.

Search each config file found for the "loadFromRemoteSources" element.

If the loadFromRemoteSources element is enabled

("loadFromRemoteSources enabled = true"), and the remotely loaded application is not run in a sandboxed environment, or if OS based software controls, such as AppLocker or Software Security Policies, are not utilized, this is a finding."

We discovered that the Orion.ActiveDiagnostics.exe.config file has the "loadFromRemoteSources enabled = true" set. Is this typical as well?

Thanks!

Find more posts tagged with

disa_stig_compliance_reports_checklist

Accepted answers

All comments

aLTeReGo

Is it possible that a new version of .NET was installed and that caused the configuration to revert?

jbrown8380

Attempting to revive this thread. I know that it's an old thread but we've been able to get by for the last year or so without working this. But I'm receiving pressure again to get it fixed.

So if I'm understanding your response correctly this means that SolarWinds NPM itself does not change these values. However; in the process of installing, or updating, .NET those values can get reverted back to their defaults?

If that's true then it seems to me that I just need to define a .NET post-installation or post-update step to go back and reapply those values. Does it, in any way, hurt SolarWinds NPM to have those properties changed?

aLTeReGo

Another option is to apply a group policy to the machine which will ensure that FIPS mode is always applied to the machine, even if it's reset by another application.

jbrown8380

If I run the following command in PowerShell then I see what looks like maybe 60 files that are all SolarWinds/Orion config files with the 'enforceFIPSPolicy' element set to 'false'.

Get-ChildItem –path c:\ –include*.config -Recurse | Select-String –pattern enforceFIPPolicy

I don't believe installing a new version of .NET would edit the SolarWinds config files and change that specific element from 'true' to 'false'. So the next question then is, if I were to edit every single one of those SolarWinds config files and change that element to 'true', would I break SolarWinds?

aLTeReGo

To enable FIPS Mode in Orion follow the steps outlined in the KB article below

Enable FIPS for compliance - SolarWinds Worldwide, LLC. Help and Support

jbrown8380

Yeah, I think this might be the way to go..maybe. So I went ahead and modified each of those config files (found a script to do it) and changed the enforceFIPSPolicy element to true and then rebooted. When it came back up I tried to access SolarWinds again and it couldn't talk to the database anymore. So I'm thinking that those have to be set to false in order for SolarWinds to function at all. That alone might be enough to justify a waiver.

On the other hand, the STIG item also discusses the .NET CLR (Common Language Runtime) configuration which is supposed to set those values system wide. It refers to the same enforceFIPSPolicy element found in the machine.config files located in c:\Windows\Microsoft.NET\Framework[64]\v4.0.30319\Config directory. It says that if the element doesn't exist in that file then it's not considered a finding. I'm not seeing that element in there and so I think I might be able to justify this checklist item that way.

If I apply a group policy that forces FIPS mode then I wonder if I'll run into the same problem where it won't be able to talk to the database anymore. I'll give that a try and see what that does for me.

Thanks aLTeReGo for helping me out with this.