
How to enable FIPS on windows 7

Have to test a C# application from client that is to work on a machine that has FIPS enabled.

qazwsx asked Feb 03 '11 12:02


People also ask

How do I turn FIPS mode on Windows?

To use the group policy setting, open the Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting.

How do I turn off FIPS in Windows 7?

In Security Settings, expand Local Policies, and then click Security Options. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Disabled.

How do I know if FIPS is enabled Windows?

Navigate to “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\”. Look at the “Enabled” value in the right pane. If it's set to “0”, FIPS mode is disabled. If it's set to “1”, FIPS mode is enabled.


2 Answers

First, be aware of what actually happens when you enforce FIPS 140-2 compliant encryption within Windows. Details are at http://technet.microsoft.com/en-us/library/cc750357.aspx. However, the main 'gotcha' (old SSL websites don't work in IE anymore) is detailed in the article linked below.

The official instructions to enable FIPS 140-2 compliance are at http://support.microsoft.com/kb/811833, but can be summarised as follows:

  1. Using an account that has administrative credentials, log on to the computer.
  2. Click Start, click Run, type gpedit.msc, and then press ENTER.
  3. In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
  4. Under the Security Settings node, double-click Local Policies, and then click Security Options.
  5. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
  6. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
  7. Close the Local Group Policy Editor.

If you wish to do this manually, you can also simply change the registry key HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1.

Finally, to repeat, it is very important that you read through the documentation before you enable this - it changes cryptography system-wide, including how the file system (both EFS and BitLocker) and network (IE, Remote Desktop and the main cryptographic libraries) are allowed to encrypt, as well as whether you are allowed to recover lost encryption keys.

Alex answered Sep 20 '22 23:09
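
A small console program for checking, on the test machine, that the setting described in the answer above took effect and how the .NET Framework reacts to it. This is an added example, not code from either answer; the class name `FipsProbe` and the list of algorithm classes it probes are choices made for the example, and it targets the .NET Framework on Windows.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.Win32;

// Hypothetical helper class, written for this example.
static class FipsProbe
{
    // Registry location quoted in the answer above.
    const string PolicyKey = @"System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy";

    static string ReadPolicy()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(PolicyKey))
        {
            object value = key == null ? null : key.GetValue("Enabled");
            return value == null ? "not set" : value.ToString();
        }
    }

    // Try to construct one algorithm class and report what the runtime does.
    static void Probe(string name, Func<IDisposable> create)
    {
        try
        {
            using (create()) { }
            Console.WriteLine("{0,-28} constructed", name);
        }
        catch (Exception ex)
        {
            // Unwrap reflection wrappers so the real cause is shown.
            Exception cause = ex.InnerException ?? ex;
            Console.WriteLine("{0,-28} rejected: {1}", name, cause.GetType().Name);
        }
    }

    static void Main()
    {
        Console.WriteLine("Registry Enabled value : " + ReadPolicy());
        Console.WriteLine("CryptoConfig FIPS-only : " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // Classes an application under test might use directly.
        Probe("MD5CryptoServiceProvider", () => new MD5CryptoServiceProvider());
        Probe("SHA256Managed", () => new SHA256Managed());
        Probe("RijndaelManaged", () => new RijndaelManaged());
        Probe("SHA256CryptoServiceProvider", () => new SHA256CryptoServiceProvider());
        Probe("AesCryptoServiceProvider", () => new AesCryptoServiceProvider());
    }
}
```

Run it once before and once after changing the policy. Which classes are rejected depends on the .NET Framework version, so the probe reports what it observes rather than assuming a result.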


As an alternative, for Windows 7 users (with admin rights), this is one of the "Network Properties". Step by step:

  1. Click on the "Network" icon on the task bar.
  2. Right-click > Properties on the specific network connection.
  3. Switch to the "Security" tab.
  4. Click on the "Advanced Settings" button.
  5. Click the checkbox labeled "Enable Federal Information Processing Standards (FIPS) compliance for this network".

Also, keep in mind:

  • Recommended reading: http://technet.microsoft.com/en-us/magazine/ff847520.aspx
  • This setting depends on what you have selected as "Security Type" on the Security tab.
  • Your wireless network adapter card might be doing this encryption in hardware already. This checkbox will switch from that to performing AES encryption in software instead.

Marcelo Finki answered Sep 17 '22 23:09