Federal Information Processing Standard (FIPS) 140 compliance mandates validated cryptographic modules, enhancing Windows data security by preventing weak algorithms and protocols.
Enabling FIPS Mode via Group Policy (Domain or Local Computer Policy)
- Press Win+R, type , and press Enter.
- Navigate to: Computer Configuration > Administrative Templates > System > Cryptography.
- Locate Use FIPS compliant algorithms for encryption, hashing, and signing.
- Right-click the policy, select Edit, choose Enabled, then click OK.
Enabling FIPS Mode via Registry Editor
- Press Win+R, type regedit, and press Enter (proceed with caution).
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy.
- Double-click the Enabled DWORD value.
- Set its value data to 1 and click OK.
Restart Required: Reboot your system immediately for the changes to take effect.
Verifying FIPS Enforcement
- Run the command certutil -setreg chain\EnableWeakSignatureFlags 8 as Administrator.
- Attempt operations known to use weak ciphers (e.g., specific legacy connections). FIPS mode should block them, triggering errors in the Event Viewer (Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational) confirming use of non-FIPS algorithms is prohibited.
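As an added example (not part of the original page), the following PowerShell function audits a host for FIPS enforcement in one pass: it reads the policy value from the registry key named above, asks the running .NET runtime whether it is actually enforcing FIPS (which only changes after the reboot), probes a non-validated managed algorithm that FIPS mode is expected to reject, and pulls recent CAPI2 Operational events if that log has been enabled. The function name Test-FipsEnforcement and the output object shape are my own choices; the registry path, the CryptoConfig property and the CAPI2 log name are standard Windows and .NET identifiers.

```powershell
# Added example, not from the original page: audit FIPS mode on the local host.
# Assumes Windows PowerShell 5.1 or later; run as Administrator to read the CAPI2 log.
function Test-FipsEnforcement {
    [CmdletBinding()]
    param()

    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

    # 1. Policy as stored in the registry (1 = enabled; 0 or missing = disabled).
    $enabledValue = (Get-ItemProperty -Path $fipsKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    $registryEnabled = ($enabledValue -eq 1)

    # 2. What the running .NET runtime enforces. This is read at process start from the
    #    policy that was active at boot, so it lags the registry until the system restarts.
    $runtimeEnforced = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # 3. Behavioural probe: the purely managed SHA256 implementation is not FIPS validated,
    #    so constructing it throws InvalidOperationException when FIPS mode is enforced.
    $managedAlgorithmBlocked = $false
    try {
        $probe = New-Object System.Security.Cryptography.SHA256Managed
        $probe.Dispose()
    } catch [System.InvalidOperationException] {
        $managedAlgorithmBlocked = $true
    }

    # 4. Recent CAPI2 Operational events. The log is disabled by default; if it has not been
    #    enabled in Event Viewer this simply returns nothing rather than failing.
    $capi2Events = Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue

    # Registry and runtime disagree only in the window between changing the policy and rebooting.
    $rebootPending = ($registryEnabled -ne $runtimeEnforced)

    [PSCustomObject]@{
        ComputerName           = $env:COMPUTERNAME
        RegistryEnabled        = $registryEnabled
        RuntimeEnforced        = $runtimeEnforced
        ManagedAlgorithmBlocked = $managedAlgorithmBlocked
        RebootPending          = $rebootPending
        Capi2EventCount        = @($capi2Events).Count
        Capi2LogAvailable      = ($null -ne $capi2Events)
    }
}

# Usage: run the audit and show the result as a table.
Test-FipsEnforcement | Format-List
```

A host is in the intended state when RegistryEnabled, RuntimeEnforced and ManagedAlgorithmBlocked are all True and RebootPending is False. RebootPending being True after you set the policy means the restart on this page has not happened yet; ManagedAlgorithmBlocked being False while RuntimeEnforced is True would indicate the probe ran in a process started before the policy took effect.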
Critical Considerations
- Compatibility Impact: Older applications or network services relying on non-compliant cryptography (e.g., SSLv3, TLS 1.0/1.1 without approved ciphers, certain Kerberos encryption types like DES) will fail. Test thoroughly.
- System-Wide Enforcement: The setting applies globally to the operating system and all applications utilizing Windows cryptography.
- Algorithm Restriction: Only algorithms validated per FIPS 140 are permitted (e.g., AES, SHA-256 and ECDSA implementations; 3DES remains permitted but its use is discouraged).
- Not Exclusive Security: FIPS mode is one layer; maintain robust security practices (patching, access controls, firewalls).
- Audit Requirements: Organizations subject to FIPS must undergo formal validation processes; enabling this policy supports that environment.