2.3.14.1 Ensure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is set to 'Enabled'

Information

This policy setting determines if the Federal Information Processing Standard (FIPS) compliant algorithms for encryption, hashing, and signing are used.

FIPS is a set of security implementation standards that are used for document processing, encryption algorithms and other information technology standards. These standards are used by departments and agencies of the United States federal government.

The STIG recommended state for this setting is: Enabled.

Note: For TLS/SSL this setting determines whether the security provider supports only the FIPS-compliant strong cipher suite known as TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Note #2: For the Encrypting File System (EFS) service, this policy setting supports the 3DES and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system.

Note #3: For Remote Desktop Services (RDP), this policy should only be enabled if the 3DES encryption algorithm is supported.

Note #4: For BitLocker this policy setting needs to be enabled before any encryption key is generated.

Note #5: For more information on this policy setting please visit System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) - Windows security | Microsoft Docs and FIPS 140 Validation - Windows security | Microsoft Docs.

Rationale:

This policy setting ensures that the system uses algorithms that are Federal Information Processing Standard (FIPS) compliant for digital encryption, hashing, and signing.

Impact:

Client devices that have this policy setting enabled will not be able to communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms will not be able to use servers that require them for network communications.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
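The Group Policy path above is the remediation; for auditing a fleet against this STIG item it is useful to read the effective state back from each host. The following PowerShell script is an added example and is not part of the STIG or CIS Workbench text. It assumes that the policy is backed by the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (a DWORD that is 1 when the policy is Enabled and 0 or absent when Disabled); that registry location is not stated on this page. The function name Test-FipsAlgorithmPolicy is a name chosen for this example.

```powershell
# Added audit example for STIG WN16-SO-000420 / V-225058 (not the benchmark's own code).
# Assumption: the policy 'System cryptography: Use FIPS compliant algorithms for
# encryption, hashing, and signing' is backed by the registry value
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (REG_DWORD)
# which is 1 when the policy is Enabled and 0 (or missing) when Disabled.

function Test-FipsAlgorithmPolicy {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy',
        [string]$ValueName = 'Enabled'
    )

    # A missing key or value is treated as the default state (Disabled).
    $item   = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { [int]$item.$ValueName } else { 0 }

    [pscustomobject]@{
        StigId    = 'WN16-SO-000420'
        VulId     = 'V-225058'
        RuleId    = 'SV-225058r569186_rule'
        Severity  = 'CAT II'
        Setting   = 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
        Expected  = 'Enabled (1)'
        Actual    = if ($actual -eq 1) { 'Enabled (1)' } else { "Disabled ($actual)" }
        Compliant = ($actual -eq 1)
    }
}

# Run the check and report; a non-zero exit code lets a scheduled compliance
# scan flag the host as having an open finding.
$result = Test-FipsAlgorithmPolicy
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning ("Open finding {0}: set the policy to Enabled via " +
        "Computer Configuration\Policies\Windows Settings\Security Settings\" +
        "Local Policies\Security Options.") -f $result.StigId
    exit 1
}
```

Because the Impact section notes that enabling this policy breaks encrypted or signed communication with peers that do not support FIPS-approved algorithms, run the audit first and review which hosts will change state before pushing the GPO, rather than remediating by writing the registry value directly (Group Policy would overwrite a local edit on the next refresh anyway).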

Default Value:

Disabled.

Additional Information:

Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021

Vul ID: V-225058
Rule ID: SV-225058r569186_rule
STIG ID: WN16-SO-000420
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3476