Enable FIPS 140-2 Compliance in SQL Server
نوشته شده توسط : jiajiasnow

So, you'll want to enable FIPS 140-2 cryptography…

You can work in a market that requires you tp utilize FIPS-compliant encryption, or your work in government and are required to stick to the Defense Computer Agency (DISA) Security Technical Implementation Guidelines (STIGs,) maybe boss heard somewhere that FIPS is a popular thing to have. Regardless, you'll have questions like following:

What is FIPS 140-2?
How need to enable it in SQL Server?
How will it really impact my SQL Servers functioning, will I need to re-write things?
Will it break anything from my SQL Server environment?

This short article try to answer those questions and in some cases providing facts on where to find more updates.
FIPS 140-2

First up, precisely what FIPS 140-2? FIPS stands for "Federal Information Processing Standard". 140-2 is usually a statement released specifying which encryption and hashing algorithms should be considered if a item of software such as an operating system or database application desires to be listed to "FIPS 140-2 certified" or "FIPS 140-2 compliant." SQL Server can be viewed as compliant Should the operating system as to what it runs is certified and configured to enforce FIPS 140-2 compliance. Per Microsoft, this involves Windows turn out to be Windows Server 2003 or newer, or Microsoft windows or newer (about the desktop.)
Enable FIPS

How would you enable FIPS in SQL Server? Be thought of as the easiest question. You don't. Instead, it's essential to enable FIPS in your operating system. You are able to accomplish this through the "Local Security Policy" MMC during the "Local Policies -> Security Options" section. Choose the option "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." Set this to Enabled and reboot. Or, if you're within domain environment, this setting might well be controlled through Group Policy Objects, in which case you'll need to chat to your Domain Administrator team about setting it up changed.

Per Microsoft, when you enable that above setting, SQL Server will become operating in FIPS compliant mode without the need of changes to begin the process up parameters required. The wide ranging impacts on SQL Server are minimal. You have a small performance hit in many processes which enable less strong encryption. If you use service broker with RC4 encryption, the service will not likely start while you configure it to create use of AES instead. Any areas in SQL that permit you to choose the encryption procedure to use, in case non-FIPS algorithm is selected, SQL Server will not use encryption the least bit.

As for other features you may be using in SQL, like the SSIS or SSRS, there are numerous potential impacts to look out for. If you are using the SSIS option "UseEncryption" and offer it set to True, you can find errors stating that the "available encryption is incompatible with FIPS compliance." This tends to result in no encryption among the message process. You might even get a "System.InvalidOperationException" error an internet to execute an SSIS package. This is often resolved by installing the most current Service Pack for SQL Server 2012, SQL Server 2014, or SQL Server 2016.

By using SSRS, now things get interesting. Once you enable FIPS as well as have an SSRS instance (or instances,) SSRS might start throwing errors through the Report Manager screen or when calling a survey from the Reports URL. The error may be an HTTP 500, a "System.InvalidOperationException," or even just a blank screen. Resolving this implies modifying the internet.config file for the SSRS instance. The online world.config file are located in "<system-drive>\Program Files\Microsoft SQL Server\MSRS<version>.<instance>\Reporting Services\ReportManager\" Obviously, before editing the file it is very important make a copy of this. The .config file is unquestionably an XML document which happens to be edited inside text editor of. Look for the section <system.web> and add the following in comparison with section (I add it even on a new line shortly after the <system.web> to protect yourself from potentially adding it for the wrong place)

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

Inside of my testing for this on an up-to-date SQL Server 2014 SSRS instance, I found I also had to add this to the web.config in the ReportServer folder ("<system-drive>\Program Files\Microsoft SQL Server\MSRS<version>.<instance>\Reporting Services\ ReportServer \") or reports called there would fail by way of an error. After making adjustments above, stay away from the SSRS instance and restart it. If this happens, your reports should function normally.





:: بازدید از این مطلب : 852
|
امتیاز مطلب : 0
|
تعداد امتیازدهندگان : 0
|
مجموع امتیاز : 0
تاریخ انتشار : دو شنبه 4 تير 1397 | نظرات ()
مطالب مرتبط با این پست
لیست
می توانید دیدگاه خود را بنویسید


نام
آدرس ایمیل
وب سایت/بلاگ
:) :( ;) :D
;)) :X :? :P
:* =(( :O };-
:B /:) =DD :S
-) :-(( :-| :-))
نظر خصوصی

 کد را وارد نمایید:

آپلود عکس دلخواه: