2

I'm trying to test to see if FIPS-140-2 is correctly enabled with Windows Server 2016. Is there a Powershell command I could run to check if the feature is properly enabled, and not just set in the registry/group policy?

I don't want to check for the existence of the registry key or policy, I actually want to trigger a windows error that would lead me to believe its enabled vs a non-FIPS enabled server.

Thanks!

Thanks to @Eric Gibson's answer, I came up with:

$md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider

will result in

New-Object : Exception calling ".ctor" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."

Function Test-FipsEnabled {
    try {
        New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
    } catch {
        return $true
    }

    return $false
}
HyTC
  • 23
  • 1
  • 4
  • 1
    When you come up with your own answer you can post it in the answer section and choose your own answer as the correct one. It's okay to upvote and give credit to the person who helped you but ultimately, you answered your own question here. – HackSlash Mar 09 '20 at 15:29

1 Answers1

1

I'm pretty sure this is what you're looking for: https://technet.microsoft.com/en-us/library/cc750357.aspx#ID0EVE

Under the "System Integrators" portion is where Microsoft specifies where the "rubber meets the road" in FIPS compliance. If you're trying to automate some kind of auditing mechanism, that's a good place to start.

Eric Gibson
  • 93
  • 1
  • 8
  • Although helpful, this would be considered a "link only answer" the question was about a command to verify. This accepted answer contains no command that will verify. – HackSlash Mar 09 '20 at 15:28