In our ASP.NET development environment we current use Visual Studio 2005 Prof and IIS (on a developer?s desktop PC running XP) to write, debug and unit test code. Code is check-in/check out of Visual Source Safe (VSS). There exist separate test server and production server environments that we deploy systems to.
Shortly new organization security settings (the FDCC [OMB Federal Desktop Core Configuration]) are going to be imposed that to do not allow IIS on individual developer?s PC and restrict many security settings! We are thus exploring alternatives ways to provide a local ASP.NET (.NET 2.0) development environment for developer?s without IIS.
The Microsoft write up (http://msdn2.microsoft.com/en-us/library/58wxa9w5(VS.80).aspx) of the ASP.NET Development Server (AKA VS Host) strongly suggest that it is meant to provide a local Web-server development solution when security policy/controls do not allow IIS (admittedly with reduced functionality compared to IIS).
However, we can only get ASP.NET Development Server to work within the current FDCC desktop setting if we set FIPS compliant algorithm = False (not to be allowed in our organization PC desktop configuration). The problem we were getting was:
The setting: [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing] seems to be breaking encrypted state variables in .NET 2.0 applications - this is in Visual Studio 2005. The problem seems to be associated with the Advanced Encryption Standard (AES) that it is not recognized as FIPS compliant.
Questions:
1. Is there a way to run ASP.NET Development Server on a local PC desktop with FIPS-compliant encryption algorithm (not AES)? If yes, could you provide guidelines as to how to do this?
2. Is there an alternative Visual Studio environment (may be server based), which provides multiple developers an isolated development environment that is not dependent on having IIS on a local PC desktop running XP or Vista?