2022-10-20

FIPS compliant algorithms is self enabling

I was solving interesting issue when few servers in domain had different configuration of the system cryptography settings in Local Security Policy than few other enrolled servers. 

What was the worst: after manual change the settings was auto returned back within an hour. There was no related GPO configured on a domain controller. It was not possible to find anything useful in event viewer because there are too many records.

Manual inspection: Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" >> "Disabled".

What I did was that I created locally scheduled PowerShell script logging previous value and setting the correct one back running in 5 minutes interval. There were two nice outcomes: First the value was configured as desired, second I could get timestamp of the change and locate events in eventvwr. 

PowerShell inspection: "Get-ItemProperty -Path Registry::HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy | Select-Object -ExpandProperty Enabled"

"Set-ItemProperty -Path Registry::HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy -Name Enabled -Value 0"

I recognized two changes: EventId: 640 and 639

services (1008,D,35) Error -1919 validating header page on flush map file "C:\ProgramData\GuestConfig\Configuration\AzureWindowsBaseline\AzureSecurityPack\secedit_asm.jfm". The flush map file will be invalidated.
Additional information: [SignDbHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignFmHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignDbHdrFromFm:Create time:10/17/2022 10:41:07.681 Rand:3683685950 Computer:] [SignFmHdrFromFm:Create time:10/17/2022 10:41:07.701 Rand:1036597202 Computer:]

services (1008,D,35) Flush map file "C:\ProgramData\GuestConfig\Configuration\AzureWindowsBaseline\AzureSecurityPack\secedit_asm.jfm" will be deleted. Reason: ReadHdrFailed.

There it give me some guide where to look next. The line "GuestConfig\Configuration\AzureWindowsBaseline\AzureSecurityPack\secedit" speaks clearly.

I opened Microsoft Azure Automanage portal on the address https://portal.azure.com/#view/Microsoft_Azure_AutoManagedVirtualMachines/AutomanageMenuBlade/~/azuremachinebestpracticesitem and found there outdated extension versions on VMs which were reported as faulty. I resolved the problem by disabling the Automanage feature.

But configuration did not disappeared from the VM. There was still something leftto remove.

az guestconfig guest-configuration-assignment list --vm-name $azvm --resource-group $rg --query [].name -o tsv

az guestconfig guest-configuration-assignment show --name $config --vm-name $azvm --resource-group $rg

az guestconfig guest-configuration-assignment delete --name $config --vm-name $azvm --resource-group $rg

The last thing to check is Azure Policies Guest assignments. After that configuration stayed as set. Recommended solution is to set and enforce right configuration via Group policy.

Documentation:

  • https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation
  • https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing
  • https://learn.microsoft.com/en-us/cli/azure/guestconfig