Export (0) Print
Expand All
Expand Minimize

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Published: November 15, 2012

Updated: November 15, 2012

Applies To: Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting.

This policy setting determines whether the TLS/SSL security provider supports only the Federal Information Processing Standard (FIPS)-compliant strong cipher suite known as TLS_RSA_WITH_3DES_EDE_CBC_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements.

The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. FIPS 140 validated software is required by the U.S. Government and requested by other prominent institutions.

For the Encrypting File System (EFS) service, it supports the 3DES and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. To encrypt file data, by default EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 and Windows Vista operating systems, and it uses a DESX algorithm in Windows XP.

For encrypting Remote Desktop Services network communication, this policy setting supports only the Triple DES encryption algorithm.

For BitLocker, this policy needs to be enabled before any encryption key is generated. Note that when this policy is enabled, BitLocker will prevent the creation or use of recovery passwords, so recovery keys should be used instead.

  • Enabled

    The Transport Layer Security/Secure Sockets Layer (TLS/SSL) security provider uses only the FIPS 140 approved cryptographic algorithms (3DES and AES) for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

  • Disabled

  • Not defined

  1. Set this policy to Enabled. Client computers with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client computers that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS.

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.

 

Server type or GPO Default value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX.

This section describes features and tools that are available to help you manage this policy.

None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.

noteNote
This setting is configured differently than in Windows Server 2003 and Windows XP in computers that are running at least Windows Vista or Windows Server 2008.

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

You can enable this policy setting to ensure that the computer uses the most powerful algorithms that are available for digital encryption, hashing, and signing. Use of these algorithms minimize the risk of compromise of digitally encrypted or signed data by an unauthorized user.

Enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting.

Client computers that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both computers are not configured to use the same encryption algorithms.

  1. On the Internet Explorer Tools menu, click Internet Options.

  2. Click the Advanced tab.

  3. Select the appropriate version for the Use TLS check box.

You can also configure this policy setting through Group Policy or by using the Internet Explorer Administrators Kit.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft