Microsoft KB Archive/811833

= The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and later versions =

Article ID: 811833

Article Last Modified on 12/8/2004

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

-

SUMMARY
By default, Microsoft Windows XP and later operating systems are not configured to require strong encryption to be negotiated for applications that use cryptographic services. In this context, strong encryption means Federal Information Processing Standard (FIPS)-compliant encryption.

You can configure the negotiation of stronger, FIPS-compliant cryptography in Windows XP and later operating systems by enabling the following security setting either in the Local Security Policy or as part of Group Policy:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

This setting affects the following areas of the operating system.

Internet Information Services and Internet Explorer: This setting causes Microsoft Internet Information Services (IIS) and Microsoft Internet Explorer to negotiate only the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on an IIS server, only Web browsers that support TLS 1.0 can connect. If this setting is enabled on a Web client, the client can connect only to servers that support the TLS 1.0 protocol. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

811834 Cannot visit SSL sites after you enable FIPS compliant cryptography

Terminal Services: This setting also affects Terminal Services in Microsoft Windows Server 2003. By default, when this setting is not enabled on the client or on the server, the Remote Desktop Protocol (RDP) channel between the server and the client is encrypted by using the RC4 algorithm with a 56-bit key length. After you enable this setting on a Windows Server 2003-based computer, the RDP channel is encrypted by using 3DES in Cipher Block Chaining (CBC) mode with a 128-bit key length, if the client supports it. In addition, a client must use RDP client version 5.2 or a later version to connect.

Encrypting File System (EFS): EFS is also affected by this setting. By default, Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit key length. If the Windows High Encryption Pack is installed, EFS uses Triple-DES (3DES) with a 128-bit key length instead. By default, on Windows XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting on these computers, the operating system uses 3DES with a 128-bit key length instead.



MORE INFORMATION
Note: After you enable or disable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting, you must restart the affected application, such as Internet Explorer, for the new setting to take effect. This security setting affects the following registry value:

This registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.
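One way to audit this setting across many machines without touching them interactively is to export each computer's security policy to a template and read the value back. The following is an added example, not code from the article or from Microsoft. It assumes the INF layout that a security template export uses, a [Registry Values] section whose lines have the form MACHINE\<key path>\<value name>=<type>,<data> with type code 4 meaning REG_DWORD; that layout is an assumption here. The key path in the constructed sample is a placeholder, because the article's own copy of the path is not shown above; only the value name FIPSAlgorithmPolicy (from the query words) and the 0/1 meaning come from the article.

```python
"""Report the FIPS policy state from an exported Windows security template.

Added example (not part of KB 811833). Assumed format: a [Registry Values]
section with lines `MACHINE\\<key path>\\<value name>=<type>,<data>`, where
type 4 is REG_DWORD. The key path in the samples below is a placeholder.
"""
from typing import Dict, Optional, Tuple

FIPS_VALUE_NAME = "FIPSAlgorithmPolicy"   # value name given in the article
REG_DWORD = 4                              # assumed template type code for REG_DWORD


def parse_registry_values(inf_text: str) -> Dict[str, Tuple[int, str]]:
    """Return {full_value_path: (type_code, data)} for the [Registry Values] section."""
    values: Dict[str, Tuple[int, str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # skip blanks and INF comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "registry values"
            continue
        if in_section and "=" in line:
            path, _, setting = line.partition("=")
            type_str, _, data = setting.partition(",")
            try:
                values[path.strip()] = (int(type_str), data.strip())
            except ValueError:                         # malformed type code: ignore the line
                continue
    return values


def fips_policy_state(inf_text: str) -> Optional[bool]:
    """True if FIPS mode is enabled (1), False if disabled (0), None if not configured."""
    for path, (reg_type, data) in parse_registry_values(inf_text).items():
        value_name = path.rsplit("\\", 1)[-1]
        if value_name.lower() == FIPS_VALUE_NAME.lower() and reg_type == REG_DWORD:
            return data == "1"
    return None


# Constructed sample exports; the key path is a placeholder, not the real one.
SAMPLE_ENABLED = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\PLACEHOLDER_KEY_PATH\FIPSAlgorithmPolicy=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

SAMPLE_DISABLED = SAMPLE_ENABLED.replace("FIPSAlgorithmPolicy=4,1", "FIPSAlgorithmPolicy=4,0")

SAMPLE_NOT_CONFIGURED = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\PLACEHOLDER_KEY_PATH\SomeOtherValue=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


if __name__ == "__main__":
    for label, text in (("enabled", SAMPLE_ENABLED),
                        ("disabled", SAMPLE_DISABLED),
                        ("not configured", SAMPLE_NOT_CONFIGURED)):
        print(f"{label:15s} -> {fips_policy_state(text)}")
```

A result of None means the template does not set the value at all, which the article's 0/1 description does not cover; treat it as "not configured" rather than as disabled when reconciling the export with what the article says IIS, Terminal Services and EFS will do.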

Additional query words: FIPSAlgorithmPolicy

Keywords: kbhowto kbinfo KB811833

-


© Microsoft Corporation. All rights reserved.