
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

FIPS stands for Federal Information Processing Standards; the publications this setting refers to are FIPS 140-1 and FIPS 140-2, the US government standards that specify security requirements for cryptographic modules. Enabling the setting affects many, if not all, features of Windows that use cryptography, and imposes minimum requirements on the encryption algorithms and key lengths they may use.

Windows component and impact when the setting is enabled:

TLS/SSL (HTTPS and other SSL/TLS connections)
    Traffic encryption restricted to the Triple DES algorithm, key exchange and authentication restricted to the RSA (Rivest, Shamir and Adleman) public key algorithm, and the TLS hash function restricted to SHA-1 (Secure Hash Algorithm 1).
Encrypting File System (EFS)
    Triple DES (Data Encryption Standard) for encrypting file data on NTFS volumes.
Terminal Services
    Triple DES for encrypting Terminal Services network traffic.
IPsec
    Triple DES for IPsec traffic encryption.

The list above describes the CryptoAPI-era behaviour documented for Windows XP and Windows Server 2003. On Windows Vista and later, where cryptography is provided by CNG, FIPS-approved algorithms such as AES are also allowed; the practical effect of the setting is to exclude non-approved algorithms (DES, RC4, MD5 and the like) rather than to force Triple DES everywhere.

Bottom line

Don't enable this unless you really have to for FIPS compliance. It is likely to break things: basically any application or feature that uses a non-compliant algorithm such as MD5 or DES. A common symptom is a .NET Framework application failing with an InvalidOperationException ("This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms") because the managed, non-validated implementations such as SHA256Managed or RijndaelManaged refuse to run while the policy is on, even though the algorithm itself (SHA-256, AES) is FIPS-approved.
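The following is an added example, not code from the WinSecWiki page, showing how to inspect the setting and reproduce the breakage described above and in the component table. It assumes Windows Vista/Server 2008 or later, where the policy is stored as the DWORD value Enabled under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, and Windows PowerShell 5.1 running on .NET Framework, where the "Managed" hash classes throw while the policy is on. The function names (Get-FipsAlgorithmPolicy, Test-ManagedHashBlocked, Set-FipsAlgorithmPolicy) are this example's own.

```powershell
# Added example (not from the original page). Inspect, probe and optionally change
# the "Use FIPS compliant algorithms" policy.
# Assumptions: Windows Vista+/Server 2008+ (registry location below) and
# Windows PowerShell 5.1 on .NET Framework (SHA256Managed is blocked in FIPS mode).

$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsAlgorithmPolicy {
    # Registry view: the value the Local Security Policy editor writes (1 = enabled).
    $enabled = $false
    if (Test-Path $FipsKey) {
        $props = Get-ItemProperty -Path $FipsKey -ErrorAction SilentlyContinue
        if ($null -ne $props.Enabled) { $enabled = ($props.Enabled -ne 0) }
    }
    # Process view: .NET Framework reads the policy once per process and caches it,
    # so a session started before a policy change still enforces the old value.
    $dotnet = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    [pscustomobject]@{
        RegistryEnabled = $enabled
        DotNetEnforcing = $dotnet
        StaleProcess    = ($enabled -ne $dotnet)
    }
}

function Test-ManagedHashBlocked {
    # SHA256Managed is a pure-managed, non-validated implementation: with the policy
    # on, .NET Framework throws InvalidOperationException from its constructor.
    # SHA256Cng calls into the validated CNG module and keeps working. Both compute
    # the same FIPS-approved algorithm; only the implementation differs.
    $result = @{}
    foreach ($type in 'SHA256Managed', 'SHA256Cng') {
        try {
            $h = New-Object "System.Security.Cryptography.$type"
            # Constructed input; the value itself is irrelevant to the probe.
            $null = $h.ComputeHash([Text.Encoding]::ASCII.GetBytes('probe'))
            $h.Dispose()
            $result[$type] = 'works'
        } catch {
            # New-Object wraps the constructor's exception; unwrap to report the real one.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            $result[$type] = "blocked ($($ex.GetType().Name))"
        }
    }
    $result
}

function Set-FipsAlgorithmPolicy {
    # Performs the same registry write as the policy editor. Requires an elevated
    # session; reboot so that every service and application re-reads the value.
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Type DWord -Value ([int]$Enabled)
}

Get-FipsAlgorithmPolicy | Format-List
Test-ManagedHashBlocked
# Set-FipsAlgorithmPolicy -Enabled $false   # uncomment (elevated) to change the policy
```

Run Test-ManagedHashBlocked before enabling the policy on a test machine and again after a reboot: the SHA256Managed entry flipping from "works" to "blocked (InvalidOperationException)" is exactly the failure applications hit, and StaleProcess from Get-FipsAlgorithmPolicy shows why a change does not take effect in already-running processes.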


Additional Resources
    Force strong key protection for user keys stored on the computer
    Use FIPS compliant algorithms for encryption, hashing, and signing