Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules [FIPS 140] is a U.S. Federal government standard that defines a minimum set of security requirements for products that implement cryptography. The standard is designed for cryptographic modules that are used to help secure sensitive, but unclassified information.
FIPS 140-1, the original working version of the standard, became official on January 11, 1994 and was in effect until May 25, 2002, when FIPS 140-2 became the mandatory standard for new products. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the National Institute of Standards (NIST) and the Communications Security Establishment of Canada (CSEC).
Microsoft Windows has a long history of participation in the CVMP under FIPS 140-2.Note
For more information about the details of Microsoft’s participation in the program, refer to the Technical Article FIPS 140 Evaluation at http://technet.microsoft.com/en-us/library/cc750357.aspx
In most cases, the CMVP does not certify the whole application space, only the critical cryptographic service components. Therefore the specific modules that have successfully completed the testing program can claim to be “FIPS Certified”. All other higher layer applications that use these certified components can be said to be “FIPS compliant” or “Operating in FIPS mode” or “uses FIPS technology”.
Requirements for FIPS 140-2 Compliance with Microsoft Dynamics CRM
Setting up a FIPS compliant operating environment requires running the following:
- Windows Server 2008 R2 SP1 x64
- Microsoft Dynamics CRM 2011 UR3 or a later version
- Microsoft SQL Server 2008 R2 x64
The first step in configuring a FIPS 140-2 compliant operating environment is to configure the computer that is running Windows Server 2008 R2 SP1 x64 by enabling the FIPS security setting. To enable the Windows Server FIPS security setting either in the Local Security Policy or as part of Group Policy, follow these steps:
Microsoft SQL Server
- Using an account that has administrative credentials, log on to a computer that is running Windows Server 2008 R2 SP1 x64 on which any of the CRM Server roles are installed.
- Click Start, click Run, type gpedit.msc, and then press ENTER.
- In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
- Under the Security Settings node, double-click Local Policies, and then click Security Options.
- In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
- In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
- Close the Local Group Policy Editor.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
"System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows
When the SQL Server 2008 service detects that FIPS mode is enabled at startup, SQL Server 2008 logs the following message in the SQL Server error log:
Service Broker transport is running in FIPS compliance mode
Additionally, the following message may be logged in the Application log:
Database Mirroring transport is running in FIPS compliance mode
To make sure that the server is running in FIPS compliant mode, locate and verify the existence of the first (and possibly the second) message.
Special Considerations for Deployments with Windows Network Load Balancing
For Microsoft Dynamics CRM 2011 deployments with Windows Network Load Balancing (NLB), compliancy with FIPS 140-2 requires that configuration change to the .Net machine config.xml file on the CRM Web Servers.
To ensure FIPS compliancy for Microsoft Dynamics CRM 2011 implementations leveraging NLB, follow these steps:
Microsoft Dynamics CRM Email Router
- Using an account that has administrative credentials, log on to a computer serving as the CRM Web Server.
- Browse to the folder “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config”, and then open the file that is named machine.config.
- In the file, under any existing <mscorlib> …..</mscorlib> elements, between the </system.web> and the </configuration> elements, add the following text:
SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=184.108.40.206, Culture=neutral,
RijndaelCSP="System.Security.Cryptography.AesCryptoServiceProvider, System.Core, Version=220.127.116.11, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
Add Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM Email\MSCRMFIPSCompliance = 1 (Dword) on Email Router server then install Email Router.Microsoft Dynamics CRM client for Microsoft Office Outlook
Please see the following article: Error message when you try to configure the Microsoft Dynamics CRM 4.0 client for Outlook: "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms"
If the Microsoft Dynamics CRM 2011 platform is configured by using the procedures here, Microsoft Dynamics CRM 2011 will exclusively use FIPS Certified algorithms and components for all covered cryptographic functions and will therefore be operating in FIPS 140-2 compliant mode.