How to enable FIPS on windows 7
Asked Answered
S

2

19

Have to test a c# application from client that is to work on a machine that has FIPS enbaled

Sainfoin answered 3/2, 2011 at 12:51 Comment(2)
The Federal Information Processing Standard?Papillon
Yes it is. Unsure of other requirementSainfoin
V
51

First, be aware of what actually happens when you enforce FIPS140-2 complient encryption within Windows. Details are at http://technet.microsoft.com/en-us/library/cc750357.aspx. However, the main 'gotcha' (old SSL website's don't work in IE anymore) is detailed in the article linked below.

The official instructions to enable FIPS 140-2 complience are at http://support.microsoft.com/kb/811833, but can be summarised as follows:

  1. Using an account that has administrative credentials, log on to the computer.
  2. Click Start, click Run, type gpedit.msc, and then press ENTER.
  3. In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
  4. Under the Security Settings node, double-click Local Policies, and then click Security Options.
  5. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
  6. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
  7. Close the Local Group Policy Editor.

If you wish to do this manually, you can also simply change the registry key HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1

Finally, to repeat, it is very important that you read through the documentation before you enable this - it changes cryptography system wide, including how the file system (both EFS and Bitlocker) and network (IE, Remote Desktop and the main cryptographic libraries) are allowed to encrypt, as well as if you allowed to recover lost encryption keys.

Venice answered 29/11, 2012 at 22:14 Comment(2)
Apparently, the standard way of writing paths to a registry value is to use \ for the key separators and the precede the value name with a /.Ashantiashbaugh
+1 for the registry setting (If you happen to lock yourself out of RDP with FIPS + IISAdmin, psexec and the reg command can save you...)Hassett
M
2

As an alternative, for Windows 7 users (with admin rights), this is one of the "Network Properties". Step by step:

  1. click on the "Network" icon on task bar.
  2. right click > Properties on the specific Network connection
  3. switch to the "Security" tab.
  4. click on "Advanced Settings" button.
  5. click the checkbox labeled "Enable Federal Information Processing Standards (FIPS) compliance for this network.

Also, have in mind:

  • Recommended reading: http://technet.microsoft.com/en-us/magazine/ff847520.aspx
  • This setting sepends on what you have selected as "Security Type" on the Security Tab
  • Your wireless network adapter card might be doing this encryption in hardware already. This checkbox will switch from that to rather performing AES encryption in software.
Milligram answered 28/4, 2013 at 10:42 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.