Is it recommended to enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy? #248
-
In GPO, there is a policy at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options called "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", which is set to disabled by default. The details tab does make a compelling argument on why it should be enabled. The docs, however, do not give much, as they are no longer updated (but do say at the top that it applies to Windows 11). It does link to another FIPS 140 page, but that does not say if this policy should be enabled or not. What's your take on this?
Replies: 2 comments 1 reply
-
Hi, this document you linked does talk about FIPS, and it's talking about all of the old insecure algorithms that the Harden Windows Security script disables. The algorithms the script enforces are all superior to things that FIPS recommends.
https://scanigma.com/knowledge-base
-
In addition to what HotCakeX said, Microsoft used to have a blog post (now archived) that explained the rationale behind the mode, and when you should enable it, or not.
Tl;dr: if you do not have specific compliance reasons (such as, you ship a product that will be used by a US federal agency) to enable it, keep it disabled.
https://web.archive.org/web/20231122001052/https://techcommunity.microsoft.com/t5/microsoft-security-baselines/why-we-re-not-recommending-fips-mode-anymore/ba-p/701037
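As an added illustration (not from this discussion or the Harden Windows Security project), the following Windows PowerShell 5.1 script audits whether the policy is in effect on a host and probes which .NET Framework algorithm classes it would block, which is the compatibility cost the archived Microsoft post describes. The registry value and the `CryptoConfig.AllowOnlyFipsAlgorithms` property are assumptions from general Windows knowledge and are not mentioned in the thread.

```powershell
# Added example: audit the FIPS policy state and its effect on Windows PowerShell 5.1 (.NET Framework).
# Assumptions (not from the discussion): the GPO setting is backed by the registry value below,
# and .NET Framework exposes the same policy through CryptoConfig.AllowOnlyFipsAlgorithms.
function Get-FipsPolicyState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled = ($value -eq 1)
        # What managed applications on this host will actually see.
        DotNetFipsOnly  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

# Instantiate common .NET Framework implementations. With the policy enabled, the purely
# managed classes (not FIPS-validated) and MD5 throw InvalidOperationException, while the
# CNG/CSP-backed classes keep working; this is why the mode breaks applications rather
# than making them use stronger cryptography.
function Test-FipsAlgorithmAvailability {
    $classes = @(
        'System.Security.Cryptography.MD5CryptoServiceProvider'
        'System.Security.Cryptography.SHA256Managed'
        'System.Security.Cryptography.SHA256Cng'
        'System.Security.Cryptography.RijndaelManaged'
        'System.Security.Cryptography.AesCryptoServiceProvider'
    )
    foreach ($name in $classes) {
        try {
            $null  = New-Object -TypeName $name
            $state = 'available'
        } catch {
            # New-Object wraps the constructor's exception; report the inner message.
            $ex    = $_.Exception
            $msg   = if ($ex.InnerException) { $ex.InnerException.Message } else { $ex.Message }
            $state = "blocked: $msg"
        }
        [pscustomobject]@{ Class = $name.Split('.')[-1]; State = $state }
    }
}

Get-FipsPolicyState
Test-FipsAlgorithmAvailability | Format-Table -AutoSize
```

Run it once with the policy disabled and once after enabling it (and rebooting) to compare the two result sets; PowerShell 7 on .NET Core does not enforce the policy, so run it in Windows PowerShell 5.1.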