If your systems require FIPS compliance, Oracle Cloud Infrastructure provides the flexibility to meet a key compliance requirement for your Windows Server workloads: FIPS (Federal Information Processing Standard) compliance. The ability to create a FIPS-compliant server is a critical milestone in moving to the cloud.
This post discusses how to achieve a FIPS-compliant Windows Server, describing the core steps for Windows Server 2016 and referring to the necessary resources for Windows Server 2008 R2 and 2012. In particular, it focuses on how to bring this functionality to Oracle Cloud Infrastructure and on some things to consider while working to meet the FIPS 140 standard. The reference section provides links to the Microsoft pages that define and document FIPS compliance for building compliant Windows Servers.
The United States and Canadian governments have created specific requirements for ensuring security within their environments, and these requirements led to the FIPS standard. FIPS is a standard for government computer security. The standard was initially published in May 2001 and then updated in December 2002 by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada. The standard identifies levels of security and defines cryptographic module validation. It applies to any security system used within the US Federal government. The current standard for all government systems is FIPS 140-2.
For more information, see FIPS 140-2.
One of the key things to know is that to be FIPS compliant you must disable some encryption algorithms and enable others. The Secure Channel (Schannel) security package is forced to use TLS, so the following key cipher suites must be disabled:
Remote Desktop Protocol is scoped to use the following algorithms:
For Windows Server 2008 and later, ensure that your disk encryption uses AES-256. For .NET, ensure that you are using the correct CNG Validated Cryptographic Modules.
For more information, see FIPS 140 Validation.
Now that you have an idea of what FIPS is, you need to know how to make your Windows Server environment FIPS compliant. Microsoft has done most of the work for the compliant DLLs and encryption integration. Follow the processes outlined in How to Use FIPS Compliant Algorithms to produce a FIPS-compliant Windows Server.
To install and use the FIPS-compliant algorithms, use the instructions in CAPI Validated Cryptographic Modules. You must install the correct DLLs and make some changes to the WebHost\config and MonitoringView\web.config files.
Start with the base Windows Server 2016 image from the Oracle Cloud Infrastructure Console. After the server is built, connect to it and then start the FIPS update outlined by Microsoft.
The hardest part of the process is obtaining the gacutil.exe program. To get it, download the .NET 4.0 SDK. When you have gacutil.exe, you can start making the necessary changes.
Follow the instructions from Microsoft to start the process, as shown here.
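The following PowerShell script is an added example, not code from the original post or from Microsoft's documentation. It ties together the checks the previous sections describe: whether the Windows FIPS algorithm policy is enabled, whether .NET is honoring it, which enabled Schannel cipher suites still reference algorithms that are not FIPS-approved, and which encryption method each BitLocker volume uses. The function names are assumptions made for this example; the registry path, the `Get-TlsCipherSuite`/`Disable-TlsCipherSuite` cmdlets, `Get-BitLockerVolume` and the `CryptoConfig.AllowOnlyFipsAlgorithms` property are standard Windows and .NET Framework components on Windows Server 2016. Run it in an elevated PowerShell session.

```powershell
# Added example: audit (and optionally enable) FIPS algorithm policy on Windows Server 2016.
# Function names are assumptions for this example; cmdlets and paths are standard Windows ones.

$FipsPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # Enabled=1 is what the Group Policy setting "System cryptography: Use FIPS
    # compliant algorithms for encryption, hashing, and signing" writes.
    $value = Get-ItemProperty -Path $FipsPolicyKey -Name Enabled -ErrorAction SilentlyContinue
    return [bool]($value -and $value.Enabled -eq 1)
}

function Enable-FipsPolicy {
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($FipsPolicyKey, 'Set Enabled=1')) {
        if (-not (Test-Path $FipsPolicyKey)) {
            New-Item -Path $FipsPolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $FipsPolicyKey -Name Enabled -Value 1 -Type DWord
        Write-Warning 'Reboot required: Schannel and .NET read this policy at startup.'
    }
}

function Get-NonFipsCipherSuites {
    # Assumption for this example: suites whose names reference RC4, MD5 or a NULL
    # cipher are treated as non-approved. Adjust the pattern to your own policy.
    $pattern = 'RC4|MD5|NULL'
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match $pattern } |
        Select-Object -ExpandProperty Name
}

function Get-BitLockerEncryptionMethods {
    # BitLocker cmdlets are only present when the BitLocker feature is installed.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        Get-BitLockerVolume |
            Select-Object MountPoint, EncryptionMethod, ProtectionStatus
    }
}

function Get-FipsComplianceReport {
    # AllowOnlyFipsAlgorithms reflects the policy as seen by the current .NET process,
    # so it only changes in a new session after the policy is set and the host rebooted.
    [pscustomobject]@{
        FipsPolicyEnabled   = Get-FipsPolicyState
        DotNetFipsOnly      = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
        NonFipsCipherSuites = @(Get-NonFipsCipherSuites)
        BitLockerVolumes    = @(Get-BitLockerEncryptionMethods)
    }
}

# Usage: report first, then preview and apply the policy change and remove flagged suites.
Get-FipsComplianceReport | Format-List
Enable-FipsPolicy -WhatIf
# Enable-FipsPolicy
# Get-NonFipsCipherSuites | ForEach-Object { Disable-TlsCipherSuite -Name $_ }
```

The report treats `FipsPolicyEnabled` and `DotNetFipsOnly` separately on purpose: the registry value can already be set while a long-running process still reports the old state, which is a common reason a server looks compliant in one check and not in another. Disabling cipher suites is left commented out so the list can be reviewed against your own approved-suite policy before anything is removed.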
Your Windows Server 2016 is now FIPS compliant. The Microsoft website has more in-depth information about enabling components such as Operations Manager and Web Services, and about enabling FIPS on Windows Server 2008 R2 and 2012. Now it is time to build your own FIPS-compliant Windows Servers in Oracle Cloud Infrastructure. To start your free trial, see the Try It page (https://cloud.oracle.com/tryit) for more details.