Enable/Disable FIPS Policy on a Windows Machine

Platform:- Opkey On-Premise and Cloud versions

What Is FIPS-compliant Encryption?

FIPS stands for “Federal Information Processing Standards.” It is a set of U.S. government standards that define how certain things are used in government systems, for example, encryption algorithms. FIPS specifies which encryption methods may be used and how encryption keys may be generated. It is published by the National Institute of Standards and Technology (NIST).

The setting in Windows complies with the US government FIPS 140 standard. When it’s enabled, it forces Windows to only use FIPS-validated encryption schemes and advises applications to do so, as well.

Why do we need FIPS-compliant Encryption?

“FIPS mode” doesn’t make Windows more secure. It just blocks access to newer cryptography schemes that haven’t been FIPS-validated. That means it won’t be able to use new encryption schemes or faster ways of using the same encryption schemes. In other words, it makes your computer slower, less functional, and arguably less secure.

How Windows Behaves Differently If You Enable This Setting?

This setting does two things to Windows itself. It forces Windows and Windows services to use only FIPS-validated cryptography. For example, the Schannel service built into Windows will no longer negotiate the older SSL 2.0 and 3.0 protocols and will require at least TLS 1.0 instead.

Microsoft’s .NET Framework will also block access to algorithm implementations that are not FIPS-validated. The .NET Framework ships several implementations of most cryptographic algorithms, and not all of them have even been submitted for validation. For example, Microsoft notes three different implementations of the SHA256 hashing algorithm in the .NET Framework. The fastest one has not been submitted for validation but should be just as secure. Enabling FIPS mode will therefore either break .NET applications that use the more efficient implementation or force them onto the less efficient, slower one.

Aside from those two things, enabling FIPS mode only recommends to applications that they use FIPS-validated encryption; it does not force anything else. Traditional Windows desktop applications can choose to implement any encryption code they want, even horrifically vulnerable encryption, or no encryption at all. FIPS mode has no effect on such applications unless they choose to honour the setting.

How to Disable FIPS Mode (or Enable It, If You Have To)

You shouldn’t enable this setting unless you’re using a government computer and are forced to. If you do enable this setting, some consumer applications may actually ask you to disable FIPS mode so they can function properly.

If you need to enable or disable FIPS mode (perhaps you have seen an error message after enabling it, you need to test how your software behaves on a computer with FIPS mode enabled, or you are using a government computer and have to enable it), you can do so in several ways. FIPS mode can be enabled for a specific network connection only, or via a system-wide setting that always applies.

Enabling FIPS Mode for a Specific Network:

1. Open the Control Panel window.

2. Click “View network status and tasks” under Network and Internet.

3. Click “Change adapter settings.”

4. Right-click the network you want to enable FIPS for and select “Status.”

5. Click the “Wireless Properties” button in the Wi-Fi Status window.

6. Click the “Security” tab in the network properties window.

7. Click the “Advanced settings” button.

8. Toggle the “Enable Federal Information Processing Standards (FIPS) compliance for this network” option under 802.11 settings.

This setting can also be changed system-wide in the Group Policy Editor. This tool is only available on Professional, Enterprise, and Education editions of Windows, not Home editions. You can only use the Local Group Policy Editor to change this setting if your computer is not joined to a domain that manages its group policy settings for you. If your computer is joined to a domain and the group policy settings are centrally managed by your organization, you will not be able to change it yourself.

Enabling or Disabling FIPS Mode via Group Policy Editor:

1. Press Windows Key+R to open the Run dialog.

2. Type “gpedit.msc” into the Run dialog box (without the quotes) and press Enter.

3. Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options” in the Group Policy Editor.

4. Locate the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” setting in the right pane and double-click it.

5. Set the setting to “Disabled” and click “OK.”

6. Restart the computer.

On Home editions of Windows, you can still enable or disable FIPS mode via a registry setting. To check whether FIPS mode is enabled or disabled in the registry, and to change it, follow these steps:

Enabling or Disabling FIPS Mode via Registry Settings:

1. Press Windows Key+R to open the Run dialog.

2. Type “regedit” into the Run dialog box (without the quotes) and press Enter.

3. Navigate to “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\”.

4. Look at the “Enabled” value in the right pane. If it is set to “0”, FIPS mode is disabled. If it is set to “1”, FIPS mode is enabled. To change the setting, double-click the “Enabled” value and set it to either “0” or “1”.

5. Restart the computer.
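The registry check and change above can also be done from Windows PowerShell, which additionally lets you observe the .NET Framework behaviour described earlier (a non-validated SHA256 implementation is refused while the validated one keeps working). This is an added example, not part of the original article; it assumes Windows PowerShell 5.1 (which runs on the .NET Framework) and an elevated prompt for the Set-FipsStatus step.

```powershell
# Added example (not from the original article). Inspect and change the FIPS
# policy from PowerShell instead of regedit. Requires Windows PowerShell 5.1;
# PowerShell 7 (.NET Core) does not block managed implementations the same way.
$FipsKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsStatus {
    # Reads the same "Enabled" DWORD the registry procedure inspects.
    $value = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'Not configured (treated as disabled)' }
    if ($value.Enabled -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Test-DotNetFipsBehaviour {
    # SHA256Managed is not FIPS-validated and throws when FIPS mode is on;
    # SHA256CryptoServiceProvider wraps the validated CAPI implementation.
    $results = [ordered]@{}
    $types = 'System.Security.Cryptography.SHA256Managed',
             'System.Security.Cryptography.SHA256CryptoServiceProvider'
    foreach ($typeName in $types) {
        try {
            $algo = New-Object -TypeName $typeName
            $null = $algo.ComputeHash([Text.Encoding]::UTF8.GetBytes('test input'))
            $results[$typeName] = 'OK'
        } catch {
            # New-Object wraps the constructor's InvalidOperationException.
            $results[$typeName] = "Blocked: $($_.Exception.Message)"
        }
    }
    $results
}

function Set-FipsStatus {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Writes 1 or 0 to "Enabled"; needs an elevated prompt and a reboot to apply.
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Value ([int]$Enabled) -Type DWord
    $state = if ($Enabled) { 'Enabled' } else { 'Disabled' }
    Write-Host "FIPS policy set to $state; restart the computer to apply it."
}

Write-Host "FIPS policy in registry : $(Get-FipsStatus)"
Write-Host ".NET honours FIPS policy: $([System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms)"
Test-DotNetFipsBehaviour | Format-Table -AutoSize
```

Run the script once before and once after toggling the setting (and rebooting) to see which .NET implementations an application is allowed to use; call Set-FipsStatus -Enabled $false from an elevated prompt to disable FIPS mode.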

Managing FIPS mode on Windows systems involves careful consideration of security requirements and application compatibility. Users should be mindful of the specific use case before enabling or disabling FIPS mode. Whether through network-specific settings, Group Policy Editor, or registry adjustments, understanding these processes ensures a secure and efficient computing environment.
