On enabling of the system cryptography setting on versions of windows xp and later, the system recommends the use of FIPS 140 compliant algorithms and operations. This is not an enforcement policy but an advisory one so one cannot ensure that the applications will use only the compliant methods. For detailed help on enabling FIPS settings one can go to Microsoft TechNet.

Effects of System Cryptography

1. On WIN XP: By default windows xp uses Data Encryption Standard (DESX). The Encrypting File System (EFS) in windows uses Advanced Encryption Standard (AES).on enabling FIPS setting, windows begins to use Triple DES or 3DES encryption insttead. But on Windows xp with service pack-1, even though EFS uses a better AES algorithm, the setting should be enabled because the algoritm is only implemented in kernel mode and not FIPS compliant. Another effect seen is on the Remote Desktop Protocol mechanism. The communication between win xp clients and server fail if they use RDP 5.2 and this setting is enabled on either of the server or client.

2. On WINDOWS SERVER 2003: There are certain effects also seen on windows server 2003. 3DES algorithm is used in the RDP channel. Messages are created using SHA-1 algorithm. Any client communication must require RDP 5.2 or more.

Applications that use Microsoft .NET Framework must use only those algorithms which are FIPS 140 compliant. Any attempt to use another algorithm causes an InvalidOperationException exception to occur. ClickOnce applications also fail due to this setting. It will only work if there is .NET framework 3.5 and/or .NET framework 2.0 service pack-1 or later installed. The same holds true if ClickOnce applications have to be published from Visual Studio 2005. With Visual Studio 2008, the service pack-1 is necessary.

The Bitlocker Facilty

The Bitlocker Drive Encryption feature on windows vista and later use 256-bit AES algorithm with a diffuser. The diffuser is disabled when the system cryptography setting is enabled. Also in these operating systems, recovery passwords cannot be created on enabling the settings. This makes it impossible to recover from any changes or losses to the system. To bypass this issue a recovery key can be used instead on local drive, network drive, or a removable media such as a USB stick. If a data drive is password protected, then the drive opens in read only mode when it is opened. The effect of enabling the setting, System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing is not immediate. The required application has to be started again for the settings to take effect.

System cryptography overall increases the security cover for the operating system by introducing standardised algorithms. It in turn also affects the working of various system components during the implementation of the algorithms.