FIPS breaks agents

I have to get a few of our companies NIST 800-171 compliant and I have run into an issue. According to the guidelines, you have to employ FIPS-validated cryptography within the domain. If I turn on FIPS, LabTech agents can't contact the server. Is there anything I can do?
See https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/ and https://support.microsoft.com/en-us/help/811834/prb-cannot-visit-ssl-sites-after-you-enable-fips-compliant-cryptograph, and maybe https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/ (The first two links cover most of what is in here...)

But the best answer appears to be here: https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Knowledge_Base_Articles/Automate_and_FIPS_Compliance
(Spoiler alert... TLS is not supported by Automate.. You can't get there from here...)

It appears that Automate is approaching it by saying that they are secure without FIPS, so....... Good luck with that!

I figured this out -- you can skip the FIPS check in the LT config files.

1. Open Notepad as admin and open these 3 files...

  • C:\Windows\LTSvc\LTSVC.exe.config
  • C:\Windows\LTSvc\LTSvcMon.exe.config
  • C:\Windows\LTSvc\LTTray.exe.config

2. Add the following bit inside your <configuration> </configuration> brackets in all 3 files above...

<runtime>
   <enforceFIPSPolicy enabled="false"/>
</runtime>

So it would look like this for LTSVC.exe.config for example...

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <runtime>
    <enforceFIPSPolicy enabled="false"/>
  </runtime>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
    <supportedRuntime version="v2.0.50727"/>
  </startup>
</configuration>

3. Save / close / restart LT services / enjoy ;)
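As an added example (not code from the post or from ConnectWise), the same config change in Python: one function applies the workaround to a .exe.config file's text idempotently, and a second one reports whether a given config already carries the bypass, which is the check an auditor wants when confirming that a host running in FIPS mode is not quietly exempting an agent from it. The sample config below is constructed to resemble the LTSVC.exe.config shown above.

```python
"""Apply or audit the enforceFIPSPolicy workaround in a .NET .exe.config."""
import xml.etree.ElementTree as ET

# Constructed sample resembling LTSVC.exe.config before the workaround.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
    <supportedRuntime version="v2.0.50727"/>
  </startup>
</configuration>
"""


def fips_enforcement_disabled(config_text: str) -> bool:
    """True if the config tells the CLR to skip the OS FIPS policy check."""
    root = ET.fromstring(config_text)
    node = root.find("./runtime/enforceFIPSPolicy")
    return node is not None and node.get("enabled", "true").lower() == "false"


def disable_fips_enforcement(config_text: str) -> str:
    """Return config_text with <runtime><enforceFIPSPolicy enabled="false"/>
    </runtime> present; safe to run repeatedly on an already patched file."""
    root = ET.fromstring(config_text)
    if root.tag != "configuration":
        raise ValueError("not a .NET application config file")
    runtime = root.find("runtime")
    if runtime is None:
        # .NET accepts <runtime> anywhere under <configuration>; placing it
        # first matches the layout shown in the post above.
        runtime = ET.Element("runtime")
        root.insert(0, runtime)
    policy = runtime.find("enforceFIPSPolicy")
    if policy is None:
        policy = ET.SubElement(runtime, "enforceFIPSPolicy")
    policy.set("enabled", "false")
    ET.indent(root, space="  ")  # Python 3.9+
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8" ?>\n' + body + "\n"


if __name__ == "__main__":
    patched = disable_fips_enforcement(SAMPLE_CONFIG)
    print(patched)
    print("bypass present:", fips_enforcement_disabled(patched))
```

The audit function is the half worth keeping for compliance reviews: a config with this element is running non-validated .NET crypto classes regardless of the OS FIPS setting, so it belongs on the list of exceptions rather than being treated as FIPS support.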

Eh...I'd say the majority of the content on this forum are features / fixes / additions everyone wants LT to implement and they haven't yet so holding information from a community created only to share it seems a little silly :) 

These are not official forums. People using this workaround and NOT complaining and NOT demanding a FIPS compliant product is ConnectWise's excuse not to fix their product. 

To be clear, the workaround is just that, a workaround. Any individuals who choose to use a workaround like that, or to use a piece of software that cannot function when FIPS mode is enabled, are responsible for that. It does not make Automate support FIPS. It tells Automate to ignore it.

If you need supportability with FIPS, or if you think this feature is a must have:
OPEN A SUPPORT TICKET.
TELL YOUR ACCOUNT REPRESENTATIVE.
SUBMIT AN ENHANCEMENT REQUEST.
These are the only things that will make a difference. Until then, providing this information here helps other admins to deal with the issue without being hopelessly stuck.

Thanks @DarrenWhite99. I reached out to my account rep and opened a ticket right before I found the workaround, and on the support ticket they just sent me this update...

Quote

The issue related to FIPS had to do with setting the encryption level greater than TLS 1.0. https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Knowledge_Base_Articles/Automate_and_FIPS_Compliance

ConnectWise Automate has a supportability statement related to enabling encryption higher than TLS 1.0. Please read this short informative statement: https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Knowledge_Base_Articles/Supportability_Statement%3A_Higher_versions_of_TLS_and_older_Windows_Operating_Systems

In the meantime, I will follow-up with the Product Management Team for Automate to see how they are progressing with this.

I'll update when I know more. 
