Is there a way to check if a user is allowed to use non-FIPS 140-2 security algorithms?
I know you can look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy and it MIGHT give you the correct answer.
However checking this value doesn't really tell you anything other than what is currently set in the registry; NOT what is currently allowed.
That is, the user can change this after startup. However, I believe Windows checks the value at startup, so if it was changed after startup, or if the value was changed by an OU policy after Windows set the value (wherever and whenever it sets it), then the value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy does not give you the value that is currently in effect.
The reason I am asking is I have the setting set to 0, but I still get:
RijndaelManaged CSP = new RijndaelManaged();
System.Exception : Error in RijndaelAES encryption: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
----> System.InvalidOperationException : This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
I'm thinking some domain OU policies are messing with this during startup.
I also know that if you have a web application, in the web.config you can set:
<runtime> <enforceFIPSPolicy enabled="false" /> </runtime>
This is not set to true.
So it would be nice to see what the OS thinks can be used and what the .net framework thinks can be used.
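One way to see both views at once, as an added example that is not part of the original question: a Windows PowerShell script that reads the registry policy value and then asks the .NET Framework hosted in the same process what it actually enforces. The .NET side is `CryptoConfig.AllowOnlyFipsAlgorithms`, which combines the registry policy with the `enforceFIPSPolicy` config switch and is cached per process, so a fresh shell reflects the policy as a newly started application would see it. The registry value names (`Enabled` under `FipsAlgorithmPolicy` on Vista and later, `FipsAlgorithmPolicy` directly under `Lsa` on XP/2003) are stated here from documentation and are assumptions about your OS version. It assumes Windows PowerShell (the .NET Framework host); PowerShell 7 on .NET Core does not enforce this policy for managed classes and would not reproduce the exception.

```powershell
# Added example (not from the original post): compare the registry FIPS policy
# with what the .NET Framework in this process actually enforces.
# Assumes Windows PowerShell 3.0+ on .NET Framework 2.0 SP1 or later.

function Get-FipsRegistryPolicy {
    # Vista and later: ...\Lsa\FipsAlgorithmPolicy\Enabled (DWORD, 0 or 1)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $v) { return [int]$v.Enabled }

    # XP / Server 2003: a DWORD value named FipsAlgorithmPolicy directly under Lsa
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($null -ne $v) { return [int]$v.FipsAlgorithmPolicy }

    return $null   # no policy value present at either location
}

function Test-DotNetFipsEnforcement {
    # What the .NET Framework concluded for THIS process: registry policy AND
    # <enforceFIPSPolicy enabled="true"/> (the default). It is read once and cached,
    # which is why flipping the registry does not change already-running apps.
    $enforced = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Managed-only implementation: constructor throws InvalidOperationException
    # ("This implementation is not part of the Windows Platform FIPS validated
    # cryptographic algorithms") when enforcement is on.
    $managedOk = $true
    try {
        $null = New-Object System.Security.Cryptography.RijndaelManaged -ErrorAction Stop
    } catch {
        $managedOk = $false
    }

    # CAPI-backed AES is FIPS-validated and constructs either way; it is the
    # drop-in replacement if you must run with the policy on.
    $capiOk = $true
    try {
        $null = New-Object System.Security.Cryptography.AesCryptoServiceProvider -ErrorAction Stop
    } catch {
        $capiOk = $false
    }

    [pscustomobject]@{
        RegistryValue         = Get-FipsRegistryPolicy
        DotNetAllowOnlyFips   = $enforced
        RijndaelManagedUsable = $managedOk
        AesCspUsable          = $capiOk
    }
}

Test-DotNetFipsEnforcement | Format-List
```

If `RegistryValue` is 0 but `DotNetAllowOnlyFips` is true in a freshly started shell, the value was most likely rewritten by Group Policy; `gpresult /h report.html` shows the applied GPOs, and the setting is under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options as "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". Note that the .NET result is per process: run the script from the same account and on the same machine as the failing application, and restart that application after any policy change.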