Check: WN12-SO-000074
Microsoft Windows Server 2012/2012 R2 Domain Controller STIG:
WN12-SO-000074
(in versions v3 r7 through v2 r7)
Title
The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. (Cat II impact)
Discussion
This setting ensures that the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions.
Check Content
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 1 Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".
Additional Identifiers
Rule ID: SV-226335r877380_rule
Vulnerability ID: V-226335
Group Title: SRG-OS-000396-GPOS-00176
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002450 |
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
Controls
Number | Title |
---|---|
SC-13 |
Cryptographic Protection |