Is is recommended to enable System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing policy

[agpt8]

In GPO, there is a policy at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options called System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing policy, which is set to disabled by default.

The details tab does make a compelling argument on why it should be enabled. The docs however does not give much as it is no longer updated (but does say at the top that it applies to windows 11). It does link to another FIPS140 page but that does not say if this policy should be enabled or not.

Whats your take on this?
The page is still linked to the current docs under System security heading.

[HotCakeX]

Hi,
From what i've seen, FIPS compliant stuff are usually not up to date and don't include the latest algorithms, features etc. It could deprive users of some newer technology as a result. I don't have any relevant documents to link to at the moment but that's basically what I remember.

This document you linked does talk about FIPS and it's talking about all of the old insecure algorithms that the Harden Windows Security script disables. The algorithms the script enforces are all superior to things that FIPS recommends.

TLS_RSA_WITH_3DES_EDE_CBC_SHA or 3DES are all super insecure

https://scanigma.com/knowledge-base
https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

[Harvester57]

In addition to what HotCakeX said, Microsoft used to have a blog post (now archived) that explained the rationale behind the mode, and when you should enable it, or not

Tl;dr: if you do not have specific compliance reasons (such as, you ship a product that will be used by a US federal agency) to enable it, keep it disabled.

https://web.archive.org/web/20231122001052/https://techcommunity.microsoft.com/t5/microsoft-security-baselines/why-we-re-not-recommending-fips-mode-anymore/ba-p/701037

[agpt8]

Interesting! Thank you for the info!