Home » Fips compliance

FIPS Compliance - ManageEngine Endpoint Central

What is FIPS Compliance?

FIPS compliance(Federal Information Processing Standards) is created by the US government which aims to enhance the security posture of organizations by establishing guidelines and best practices for securing data, employing strong cryptographic methods, and implementing robust key management systems (KMS).

FIPS compliance is mandatory for all US federal agencies and contractors that handle sensitive information, as it helps prevent potential security vulnerabilities and protects against cyber threats.

Note: Endpoint Central's FIPS compliance is self-claimed, indicating that we use FIPS-validated packages and employ FIPS-approved algorithms to implement the required security measures and safeguards in accordance with the Federal Information Processing Standards.

Important: Enable FIPS compliance only if you are required to do so for your organization.

Is Endpoint Central FIPS compliant?

You can now enable FIPS compliance in Endpoint Central, adhering to the standards set by the US government.

After enabling FIPS compliance, Endpoint Central will become FIPS 140-2 compliant, and will only run FIPS validated algorithms.

What modifications occur when you enable FIPS compliance in Endpoint Central?

After enabling FIPS compliance in Endpoint Central, the following changes will occur:

  1. Secure internal communications

    When FIPS compliance is enabled, all internal communications within Endpoint Central must utilize the HTTPS protocol. This means that HTTP communications will no longer be allowed. By enforcing HTTPS, Endpoint Central ensures that data exchanges occur over a secure and encrypted channel, enhancing overall system security.

  2. FIPS-compliant checksum algorithms

    To comply with FIPS regulations, all checksum validation algorithms within Endpoint Central must meet FIPS compliance standards. Consequently, the MD5 hashing algorithm, which is not FIPS compliant, will be restricted from use within the product. This ensures that the checksum validation process adheres to FIPS standards, bolstering the integrity and security of data operations.

  3. TLSv1.2 and above compatibility

    When FIPS compliance is enabled, both the user's server and agent machines in the network should be compatible with TLSv1.2 or above. This ensures secure and uninterrupted communication between the agent and server. Older versions of TLS will not be supported, as only TLSv1.2 and above provide the necessary security protocols required for agent-server communication. For additional information regarding the ciphers used when FIPS compliance is enabled, please refer this page.

  4. Restriction on PFX Format certificates

    When FIPS compliance is enabled, Endpoint Central does not support the use of PFX format certificates. To ensure FIPS compliance, alternative certificate formats compatible with the security guidelines specified in the FIPS standards should be used. This restriction guarantees that certificate operations align with the required security protocols.

How to enable FIPS compliance in Endpoint Central?

Prerequisites :
For your whole environment/organization to be FIPS compliant, the following criteria should be met.

Note: You must be running Endpoint Central version 11.2.2338.01 or above for FIPS compliance. None of these prerequisites are required if you are running a fresh instance of Endpoint Central. You may proceed to the steps to enable FIPS compliance.

  1. LDAP SSL Configuration for AD Domains

    In order to achieve FIPS compliance, all domains within Endpoint Central must be configured using LDAP SSL. LDAP connections will not be allowed. Consequently, if a user has already added an LDAP Active Directory (AD) domain, it cannot be utilized for any functionalities within the FIPS compliant environment. To modify the existing domains in Endpoint Central, navigate to Admin->Scope of Management -> Domain

  2. HTTPS Protocol for Integrations

    To align with FIPS compliance standards, all integrations in Endpoint Central must occur through the HTTPS protocol. If any integrations were previously configured with the HTTP, it is necessary to re-establish the connections using HTTPS. This ensures secure and encrypted communication between Endpoint Central and integrated systems.

  3. Windows Authentication and ChangeDB Server

    In the FIPS compliant setup, Windows authentication must be disabled specifically for the ChangeDB server. Only SQL authentication is allowed. This ensures that authentication processes within the database adhere to the required FIPS compliance standards.

  4. SQL server prerequisites
    • SQL server version 2016 and above.
    • It is recommended to activate FIPS compliance within the OS local policy of the SQL server-installed machine.
    • Refer these steps to migrate to SQL SSL before configuring FIPS compliance.

Steps to enable FIPS compliance in Endpoint Central

You can enable FIPS compliance by performing these steps:

  1. Start and stop the Endpoint Central server.
  2. Open the command prompt in the <server_installed_directory>\bin folder.
  3. Execute the ConfigureFIPSMode.bat file.
  4. Start the server.

If you encounter any issues or have questions related to FIPS compliance in Endpoint Central, contact our support team for assistance.

Understanding the Limitations of FIPS Compliance in Endpoint Central

By enabling FIPS compliance in Endpoint Central, you're strengthening security measures but also accepting certain associated limitations. Here's what you should be aware of:

  1. Automatic agent installation will not function for Mac and Linux agents.
  2. While FIPS compliance prohibits the use of MD5 checksum validation due to its inherent security risks, we provide support for MD5 to ensure backward compatibility with some third-party patches and software that rely on MD5 checksum validation.