Microsoft KB Archive/811833

From BetaArchive Wiki
Knowledge Base


The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and later versions

Article ID: 811833

Article Last Modified on 12/8/2004



APPLIES TO

  • Microsoft Windows XP Professional
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)




SUMMARY

By default, Microsoft Windows XP and later operating systems are not configured to require strong encryption to be negotiated for applications that must use cryptographic services. In this context, strong encryption means Federal Information Processing Standard (FIPS)-compliant encryption.

You can configure the negotiation of stronger, FIPS-compliant cryptography in Windows XP and later operating systems by enabling the following security setting either in the Local Security Policy or as part of Group Policy:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing


This setting impacts the following areas of the operating system:

  • This setting causes Microsoft Internet Information Services (IIS) and Microsoft Internet Explorer to only negotiate using the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on an IIS server, only Web browsers that support TLS 1.0 can connect. If this setting is enabled on a Web client, the client can only connect to servers that support the TLS 1.0 protocol. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    811834 Cannot visit SSL sites after you enable FIPS compliant cryptography

  • This setting also affects Terminal Services in Microsoft Windows Server 2003. By default, when this setting is not enabled on the client or on the server, the Remote Desktop Protocol (RDP) channel between the server and the client is encrypted by using the RC4 algorithm with a 56-bit key length. After you enable this setting on a Windows Server 2003-based computer, the RDP channel is encrypted by using 3DES in Cipher Block Chaining (CBC) mode with a 128-bit key length, if the client supports it. Also, a client must use the RDP client version 5.2 or a later version to connect.
  • Encrypting File System (EFS) is also affected by this setting. By default, Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit key length. If the Windows high encryption pack is installed, EFS instead uses Triple-DES (3DES) with a 128-bit key length. By default, on Windows XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting on these computers, the operating system will use 3DES with a 128-bit key length instead.


MORE INFORMATION

Notes

  • After you enable or disable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting, you must restart your application, such as Internet Explorer, for the new setting to take effect.
  • This security setting affects the following registry value:

    HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy

    This registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.
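The following PowerShell script is an added example, not part of this Knowledge Base article or of any Microsoft tool. It covers two points the article makes: it reads the FIPSAlgorithmPolicy registry value named above to report whether the setting is enabled (1) or disabled (0), and it probes which TLS handshake a given IIS server accepts, so an administrator can confirm the TLS 1.0-only behaviour described in the Summary before and after enabling the setting. The host name iis.example.internal is a placeholder; the fallback to the Lsa\FipsAlgorithmPolicy\Enabled value applies to Windows versions later than those the article covers and is noted as such in the code.

```powershell
# Added example (not from KB 811833): audit the FIPS policy value the article
# names and check which TLS handshake a server accepts.

function Get-FipsPolicyState {
    # Registry value named in the article (Windows XP / Server 2003):
    # HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
    # 1 = setting enabled, 0 = setting disabled.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsaKey -Name 'FIPSAlgorithmPolicy' -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $value = [int]$item.FIPSAlgorithmPolicy
    } else {
        # Windows Vista and later keep the same switch as a DWORD named Enabled
        # under the Lsa\FipsAlgorithmPolicy subkey; this is outside the article's scope.
        $sub = Get-ItemProperty -Path "$lsaKey\FipsAlgorithmPolicy" -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($null -eq $sub) {
            return [pscustomobject]@{ Present = $false; Enabled = $false; Value = $null }
        }
        $value = [int]$sub.Enabled
    }
    [pscustomobject]@{ Present = $true; Enabled = ($value -eq 1); Value = $value }
}

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Default offers only TLS 1.0, the protocol the article says FIPS mode
        # restricts IIS and Internet Explorer to; pass other SslProtocols values to compare.
        [System.Security.Authentication.SslProtocols] $Protocols = [System.Security.Authentication.SslProtocols]::Tls
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Default certificate chain validation is kept; this probes the protocol, it does not bypass trust.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $false)
        [pscustomobject]@{
            HostName   = $HostName
            Succeeded  = $true
            Protocol   = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            CipherBits = $ssl.CipherStrength
            Hash       = $ssl.HashAlgorithm
            Error      = $null
        }
    } catch {
        # A server that no longer accepts the offered protocol fails here (see KB 811834).
        [pscustomobject]@{
            HostName   = $HostName
            Succeeded  = $false
            Protocol   = $null
            Cipher     = $null
            CipherBits = $null
            Hash       = $null
            Error      = $_.Exception.Message
        }
    } finally {
        if ($null -ne $ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage: report the local policy state, then probe a server you administer
# (iis.example.internal is a placeholder host name).
Get-FipsPolicyState
Test-TlsHandshake -HostName 'iis.example.internal'
```

Run it once before and once after changing the policy (after restarting the application, as the Notes say) and compare the Protocol and Cipher fields; a client or server that has been restricted to TLS 1.0 will show Tls in Protocol, and a peer that does not support TLS 1.0 will fail with the error recorded in the Error field. On a client where the operating system itself has TLS 1.0 disabled, the probe fails regardless of the server, so read the Error text before drawing a conclusion about the server.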



Additional query words: FIPSAlgorithmPolicy

Keywords: kbhowto kbinfo KB811833