Enable FIPS 140-2 cryptography compliance.



PowerShell Server complies with Federal Information Processing Standards (FIPS 140-2) cryptography requirements, enabling governments agencies to meet the strict security and compliance guidelines defined by NIST. This article will explain how to enable FIPS compliant mode for PowerShell Server.

There are two steps to enabling FIPS compliant mode in PowerShell Server.

  1. Enable FIPS mode on the Operating System
  2. Enable FIPS mode for PowerShell Server

After performing both steps be sure to stop and restart the PowerShell Server for changes to take effect.

 

Enable FIPS mode on the Operating System

To enable FIPS mode on the Operating System you will need to set the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” setting. This can be enabled via a Group Policy, or via the Local Security Policy. For simplicity this article will only discuss enabling this setting in the Local Security Policy. Follow the steps below to enable this setting.

  1. Open the Control Panel
  2. Within the Control Panel select Administrative Tools
  3. Select Local Security Policy. This will open an editor.
  4. In the editor expand the tree on the left to “Security Settings | Local Policies | Security Options”
  5. In the policy list on the right find “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”. Double click this policy and change the value from “Disabled” to “Enabled”.
This will enable FIPS mode on the system. For more information on the effects of this setting see http://support.microsoft.com/kb/811833.

 

Enable FIPS mode in PowerShell Server

To enable FIPS mode in PowerShell server you will need to add a new registry key value to inform PowerShell Server to run in FIPS mode. To do this follow these steps:

  1. Launch the registry editor (regedit)
  2. Browse to the path: HKEY_LOCAL_MACHINE\SOFTWARE software\PowerShell\Server\16
  3. Add a new DWORD value named UseFIPSCompliantAPI
  4. Set the value data of the new DWORD value to 1 to enable FIPS compliant mode in PowerShell Server

Note: You may disable FIPS compliant mode by setting UseFIPSCompliant to 0 or by simply deleting the DWORD value.

After performing both steps be sure to stop and restart PowerShell Server for changes to take effect.