Use FIPS Compliant Algorithms for Encryption, Signing and Hashing

One of the things I’ve been doing this week is learning about the Federal Desktop Core Config (FDCC).
You’ve probably read about it this past week. The short version is that it is a Federal government wide configuration standard for XP and Vista.
Under FISMA, you just had to have a standard and apply it. With FDCC they are all supposed to have the same standard. The FDCC falls prey to a number of fallacies. It seems the developers are tweakers, that is to say they seem to believe the more changes made the more secure the computer is. That is just never a good idea. They appear to have started with a standard to the right of the SSLF policy (Microsoft’s policy for standalone really-secure computers) and only made changes where they absolutely had to.
The mistake I wanted to write about in this blog entry is the setting “Use FIPS Compliant Algorithms for Encryption, Signing and Hashing”. This setting is required for both XP and Vista under the FDCC. This policy should never be used.
The policy enabled FIPS140-1. This is kind of funny since the government requires FIPS 140-2. What isn’t so funny is you will be unable to use SSL. Only TLS_RSA_WITH_3DES_EDE_CBC_SHA is supported. EFS encryption will be lowered from AES to 3DES.
When applying a security hardening policy understand what the settings will do. Test first in a non-production environment. Document your explanations for any exceptions from the standard that you are following.


  1. As a consultant for a large government agency, we expect all agencies to request a waiver on this setting in FDCC. What I do like, which is already implemented where I’m at is the removal of the easy to reverse LM hashes for passwords.

  2. The dreaded FIPS complaint setting

    (Ok, a typo in the subject, but it was funny so left it in) The Technet blogs require registration to comment, and don’t allow me to use my Microsoft Live account to log in, much less openID. I didn’t feel…

Comments are closed.