简体繁体 English

如何在Windows 7上启用FIPS

[英]How to enable FIPS on windows 7

原文 2011-02-03 12:51:19 1 2 windows/ windows-7/ fips

必须从客户端测试ac＃应用程序，该应用程序在具有FIPS enbaled的机器上工作

2 个解决方案

First, be aware of what actually happens when you enforce FIPS140-2 complient encryption within Windows. 首先，请注意在Windows中强制执行FIPS140-2兼容加密时实际发生的情况。 Details are at http://technet.microsoft.com/en-us/library/cc750357.aspx . 详情请访问http://technet.microsoft.com/en-us/library/cc750357.aspx 。 However, the main 'gotcha' (old SSL website's don't work in IE anymore) is detailed in the article linked below. 但是，主要的'gotcha'（旧的SSL网站不再在IE中工作）详见下面链接的文章。

The official instructions to enable FIPS 140-2 complience are at http://support.microsoft.com/kb/811833 , but can be summarised as follows: 启用FIPS 140-2 complience的官方说明位于http://support.microsoft.com/kb/811833 ，但可归纳如下：

Using an account that has administrative credentials, log on to the computer. 使用具有管理凭据的帐户，登录到计算机。
Click Start, click Run, type gpedit.msc , and then press ENTER. 单击“开始”，单击“运行”，键入gpedit.msc ，然后按Enter。
In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings , and then double-click Security Settings . 在“本地组策略编辑器”的“ 计算机配置”节点下，双击“ Windows设置” ，然后双击“ 安全设置” 。
Under the Security Settings node, double-click Local Policies , and then click Security Options . 在“安全设置”节点下，双击“ 本地策略” ，然后单击“ 安全选项” 。
In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing. 在详细信息窗格中，双击“ 系统加密：使用符合FIPS的算法进行加密，散列和签名”。
In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled , and then click OK to close the dialog box. 在“系统加密：使用符合FIPS的算法进行加密，散列和签名”对话框中，单击“已启用” ，然后单击“ 确定”关闭对话框。
Close the Local Group Policy Editor. 关闭本地组策略编辑器。

If you wish to do this manually, you can also simply change the registry key HKLM\\System\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy\\Enabled to 1 如果您希望手动执行此操作，还可以将注册表项HKLM\\System\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy\\Enabled更改为1

Finally, to repeat, it is very important that you read through the documentation before you enable this - it changes cryptography system wide, including how the file system (both EFS and Bitlocker) and network (IE, Remote Desktop and the main cryptographic libraries) are allowed to encrypt, as well as if you allowed to recover lost encryption keys. 最后，重复一遍，在启用此功能之前阅读文档非常重要 - 它会更改系统的加密，包括文件系统（EFS和Bitlocker）和网络（IE，远程桌面和主要加密库）的方式允许加密，以及允许恢复丢失的加密密钥。

As an alternative, for Windows 7 users (with admin rights), this is one of the "Network Properties". 作为替代方案，对于Windows 7用户（具有管理员权限），这是“网络属性”之一。 Step by step: 一步步：

click on the "Network" icon on task bar. 单击任务栏上的“网络”图标。
right click > Properties on the specific Network connection 右键单击>特定网络连接上的属性
switch to the "Security" tab. 切换到“安全”选项卡。
click on "Advanced Settings" button. 单击“高级设置”按钮。
click the checkbox labeled "Enable Federal Information Processing Standards (FIPS) compliance for this network. 单击标识为此网络的“启用联邦信息处理标准（FIPS）合规性”复选框。

Also, have in mind: 另外，请记住：

Recommended reading: http://technet.microsoft.com/en-us/magazine/ff847520.aspx 推荐阅读： http ： //technet.microsoft.com/en-us/magazine/ff847520.aspx
This setting sepends on what you have selected as "Security Type" on the Security Tab 此设置取决于您在“安全”选项卡上选择的“安全类型”
Your wireless network adapter card might be doing this encryption in hardware already. 您的无线网络适配卡可能已在硬件中进行此加密。 This checkbox will switch from that to rather performing AES encryption in software. 此复选框将从该模式切换为在软件中执行AES加密。