How to Enable FIPS Compliance on Windows Server 2012 R2
The Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptographic modules used in federal government systems. Many organizations in regulated industries also adopt FIPS compliance to meet contractual requirements or demonstrate due diligence. On Windows Server 2012 R2, enabling FIPS mode restricts the operating system and applications to using only FIPS-validated cryptographic algorithms, preventing use of deprecated or unapproved algorithms such as MD5, DES, and RC4. This guide covers enabling FIPS mode, understanding its impact, and validating the configuration.
Prerequisites
- Local Administrator or Domain Admin access
- A thorough inventory of all applications running on the server and their cryptographic dependencies—FIPS mode can break applications that use non-FIPS algorithms
- Test environment where FIPS mode will be validated before production deployment
- Understanding that FIPS mode affects .NET applications, PowerShell, IIS, RDP, IPsec, and all Windows cryptographic operations
Step 1: Understand What FIPS Mode Changes
When FIPS mode is enabled on Windows Server 2012 R2:
- The Windows CAPI (Cryptographic API) and CNG (Cryptography Next Generation) are restricted to FIPS-validated algorithms
- Approved symmetric algorithms: AES (128, 192, 256-bit), 3DES (112, 168-bit)
- Approved hash algorithms: SHA-1, SHA-256, SHA-384, SHA-512
- Approved asymmetric algorithms: RSA (2048-bit minimum), ECDSA with P-256, P-384, P-521 curves
- Disallowed: MD5, RC4, DES, RC2, MD4, SKIPJACK, Blowfish
- .NET applications must use only FIPS-compliant managed cryptography classes
- Remote Desktop will use FIPS-compliant encryption only
Step 2: Enable FIPS via Group Policy
The recommended method to enable FIPS mode is through Group Policy. Navigate to:
Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
Set System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing to Enabled.
Alternatively, enable via registry:
# Enable FIPS mode via registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" `
    -Name "Enabled" -Value 1 -Type DWord
# Verify (1 = FIPS policy enabled)
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy").Enabled
A reboot is required for FIPS mode to take full effect.
Step 3: Configure .NET Applications for FIPS
Applications built on the .NET Framework must be explicitly configured to enforce FIPS-compliant algorithms. Edit the machine-wide .NET configuration file:
# Path to machine.config for .NET 4.x (64-bit CLR; 32-bit processes read the copy under Framework, not Framework64)
$netConfigPath = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
# Back up before editing
Copy-Item $netConfigPath "$netConfigPath.bak"
# The machine.config should contain this element within <runtime>:
#   <runtime>
#     <enforceFIPSPolicy enabled="true" />
#   </runtime>
# Alternatively, set per-application in app.config/web.config:
#   <configuration>
#     <runtime>
#       <enforceFIPSPolicy enabled="true" />
#     </runtime>
#   </configuration>
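Applying that element safely, as an added example that is not code from the original guide: it edits both the 64-bit and 32-bit machine.config as XML (idempotent, with a timestamped backup) and then reads CryptoConfig.AllowOnlyFipsAlgorithms from a fresh process, since a running process does not reload machine.config. It assumes .NET 4.x at the standard paths and an elevated session.

```powershell
# Added example (not from the original guide): idempotently set
# <runtime><enforceFIPSPolicy enabled="true"/></runtime> in each .NET 4.x
# machine.config and confirm the CLR sees it from a new process.
# Assumptions: standard .NET 4.x install paths; run elevated.
$configPaths = @(
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config",
    "$env:windir\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
) | Where-Object { Test-Path $_ }

foreach ($path in $configPaths) {
    Copy-Item $path "$path.bak.$(Get-Date -Format yyyyMMddHHmmss)"

    # Load as XML (not text replacement) so existing elements are preserved
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)

    $runtime = $xml.configuration.SelectSingleNode('runtime')
    if (-not $runtime) {
        $runtime = $xml.configuration.AppendChild($xml.CreateElement('runtime'))
    }
    $node = $runtime.SelectSingleNode('enforceFIPSPolicy')
    if (-not $node) {
        $node = $runtime.AppendChild($xml.CreateElement('enforceFIPSPolicy'))
    }
    $node.SetAttribute('enabled', 'true')   # "false" here would opt the CLR out of FIPS enforcement
    $xml.Save($path)
    Write-Host "Updated $path"
}

# AllowOnlyFipsAlgorithms is true when the OS FIPS policy is on and
# enforceFIPSPolicy is not set to false. Query a new process so the
# edited machine.config is actually loaded.
$result = & powershell.exe -NoProfile -Command `
    '[System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms'
Write-Host "AllowOnlyFipsAlgorithms (fresh process): $result"
```

A reboot is still needed for the OS-level registry change in Step 2; this check reports False until that change is in effect.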
Step 4: Configure IIS for FIPS-Compliant HTTPS
When FIPS mode is enabled, IIS must use FIPS-compliant cipher suites. This combines with the TLS hardening steps from the TLS tutorial—disable RC4 and ensure only AES-based cipher suites are in the priority list:
# Verify FIPS-compliant cipher suites are configured
# After enabling FIPS, Windows will refuse to negotiate non-FIPS cipher suites
# List the HTTPS bindings (TLS versions themselves are governed by SCHANNEL, not the binding)
Import-Module WebAdministration
Get-WebBinding | Where-Object { $_.Protocol -eq "https" } |
    Select-Object protocol, bindingInformation, sslFlags, certificateHash
# Ensure SSL certificate uses SHA-256 signature (not SHA-1 or MD5)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, Thumbprint, @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } }
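An added audit script, not from the original guide, for the cipher-suite point above: it lists the negotiable suites with Get-TlsCipherSuite (available on Windows Server 2012 R2), flags RC4, RC2, single DES, MD5, NULL and EXPORT suites while leaving 3DES alone, and then reads the per-algorithm SCHANNEL Enabled switches through the .NET registry API. It assumes read access to HKLM and only reports; it changes nothing.

```powershell
# Added example (not from the original guide): report non-FIPS cipher suites
# and the SCHANNEL per-algorithm switches. Read-only.
# 3DES (TLS_*_3DES_EDE_*) is still FIPS-approved, so the lookbehind excludes it.
$weakPattern = 'RC4|RC2|(?<!3)DES|MD5|NULL|EXPORT'

$suites     = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
$weakSuites = @($suites | Where-Object { $_ -match $weakPattern })

Write-Host "Enabled cipher suites: $($suites.Count); flagged as non-FIPS: $($weakSuites.Count)"
$weakSuites | ForEach-Object { Write-Host "  NON-FIPS: $_" -ForegroundColor Red }

# Per-algorithm SCHANNEL keys: Enabled = 0 disables the algorithm outright.
# A missing key means the OS default applies (FIPS mode already refuses these,
# but an explicit 0 is the defence-in-depth setting auditors look for).
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$subKeys = 'Ciphers\RC4 128/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 40/128',
           'Ciphers\DES 56/56', 'Hashes\MD5'

foreach ($sub in $subKeys) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$sub")
    if ($null -eq $key) {
        Write-Host "  $sub : key absent (OS default applies)" -ForegroundColor Yellow
        continue
    }
    $enabled = $key.GetValue('Enabled')
    $key.Close()
    if ($enabled -eq 0) {
        Write-Host "  $sub : explicitly disabled" -ForegroundColor Green
    } else {
        Write-Host "  $sub : Enabled=$enabled (not explicitly disabled)" -ForegroundColor Red
    }
}
```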
Step 5: Configure Remote Desktop for FIPS
When FIPS mode is enabled, RDP automatically switches to FIPS-compliant encryption. Explicitly configure RDP security settings via Group Policy to ensure FIPS compliance:
Navigate to Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security:
- Set client connection encryption level — High Level
- Require use of specific security layer for remote (RDP) connections — SSL (TLS 1.0) or Negotiate (Negotiate will use TLS 1.2 when available)
- Require Network Level Authentication for remote connections — Enabled
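To confirm those three settings took effect on the host rather than trusting the GPO, here is an added example (not from the original guide) that reads the effective RDP-Tcp listener configuration from the Win32_TSGeneralSetting WMI class. It assumes the default listener name RDP-Tcp and an elevated session.

```powershell
# Added example (not from the original guide): verify the effective RDP-Tcp
# listener settings against the Step 5 baseline. Read-only.
# Assumes the default 'RDP-Tcp' listener and an elevated session.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$encLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$layers    = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

# WMI returns uint32 values; cast to [int] so the hashtable lookups match
$level = [int]$ts.MinEncryptionLevel
$layer = [int]$ts.SecurityLayer
$nla   = [int]$ts.UserAuthenticationRequired

Write-Host ("Encryption level : {0} ({1})" -f $level, $encLevels[$level])
Write-Host ("Security layer   : {0} ({1})" -f $layer, $layers[$layer])
Write-Host ("NLA required     : {0}" -f ($nla -eq 1))

# With the OS FIPS policy on, the listener reports level 4 (FIPS Compliant)
$findings = @()
if ($level -lt 3) { $findings += 'Encryption level is below High' }
if ($layer -eq 0) { $findings += 'Security layer is RDP rather than SSL or Negotiate' }
if ($nla -ne 1)   { $findings += 'Network Level Authentication is not required' }

if ($findings.Count -eq 0) {
    Write-Host 'RDP listener matches the FIPS hardening baseline' -ForegroundColor Green
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" -ForegroundColor Red }
}
```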
Step 6: Validate FIPS Mode is Active
After rebooting, validate that FIPS mode is active and that the registry setting persisted:
# Check FIPS policy registry value
$fips = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy").Enabled
if ($fips -eq 1) {
    Write-Host "FIPS mode is ENABLED" -ForegroundColor Green
} else {
    Write-Host "FIPS mode is DISABLED" -ForegroundColor Red
}
# Check Group Policy result (gpresult /r lists applied GPO names only, so this
# matches GPOs whose name contains "FIPS"; use gpresult /h for individual settings)
gpresult /r | Select-String -Pattern "FIPS"
Step 7: Test Application Compatibility
After enabling FIPS mode, test all applications systematically:
# Test PowerShell cryptographic operations (MD5 should fail)
try {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    Write-Host "WARNING: MD5 was created successfully - FIPS may not be enforced for this operation"
} catch {
    Write-Host "FIPS enforced: MD5 creation blocked - $_" -ForegroundColor Green
}
# Test AES (should succeed). New-Object is used because the [type]::new() syntax
# needs PowerShell 5.0 and Windows Server 2012 R2 ships with PowerShell 4.0.
try {
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    Write-Host "AES provider created successfully - FIPS compliant" -ForegroundColor Green
} catch {
    Write-Host "ERROR: AES creation failed - $_" -ForegroundColor Red
}
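Extending that MD5/AES spot check, here is an added example (not from the original guide) that probes a table of .NET Framework cryptography classes and reports which ones the FIPS policy blocks. The distinction it shows is managed versus CSP/CNG implementations: SHA256Managed, AesManaged and RijndaelManaged are not FIPS-validated and throw on .NET 4.5.x when the policy is on, while the CryptoServiceProvider and Cng classes succeed; MD5 and RC2 are blocked in every implementation. It assumes .NET Framework 4.5.x on the host (4.8 changed the managed classes to no longer throw by default).

```powershell
# Added example (not from the original guide): FIPS compatibility probe.
# Each class is constructed once; the FIPS check fires in the constructor.
# Assumes .NET Framework 4.5.x as shipped with Windows Server 2012 R2.
$probes = @(
    'System.Security.Cryptography.MD5CryptoServiceProvider',     # MD5: never approved
    'System.Security.Cryptography.RIPEMD160Managed',             # not approved
    'System.Security.Cryptography.SHA256Managed',                # managed: not validated
    'System.Security.Cryptography.SHA256CryptoServiceProvider',  # CSP-backed: validated
    'System.Security.Cryptography.SHA256Cng',                    # CNG-backed: validated
    'System.Security.Cryptography.AesManaged',                   # managed: not validated
    'System.Security.Cryptography.AesCryptoServiceProvider',     # CSP-backed: validated
    'System.Security.Cryptography.RijndaelManaged',              # managed: not validated
    'System.Security.Cryptography.TripleDESCryptoServiceProvider', # 3DES: still approved
    'System.Security.Cryptography.RC2CryptoServiceProvider'      # RC2: not approved
)

$results = foreach ($typeName in $probes) {
    $shortName = $typeName.Split('.')[-1]
    try {
        $obj = New-Object -TypeName $typeName
        if ($obj -is [System.IDisposable]) { $obj.Dispose() }
        [pscustomobject]@{ Algorithm = $shortName; Status = 'ALLOWED'; Error = '' }
    } catch {
        # New-Object wraps the constructor's exception; report the inner message
        $ex  = $_.Exception
        $msg = if ($ex.InnerException) { $ex.InnerException.Message } else { $ex.Message }
        [pscustomobject]@{ Algorithm = $shortName; Status = 'BLOCKED'; Error = $msg }
    }
}

$results | Format-Table -AutoSize
$policy = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
Write-Host "CryptoConfig.AllowOnlyFipsAlgorithms = $policy"
```

If every class reports ALLOWED while AllowOnlyFipsAlgorithms is True, the host is likely running .NET 4.8 or later, where the managed classes no longer throw; application testing then has to look at the algorithms in use rather than at exceptions.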
Check the Application event log for FIPS-related errors from applications that failed to start or threw cryptographic exceptions:
Get-WinEvent -LogName Application -MaxEvents 500 |
    Where-Object { $_.Message -match "FIPS|cryptograph|algorithm" } |
    Select-Object TimeCreated, ProviderName, Message | Format-List
Step 8: Document FIPS Compliance Evidence
Generate compliance evidence for auditors:
$reportDir = "C:\Compliance"
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$report = @{
    ServerName  = $env:COMPUTERNAME
    FIPSEnabled = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy").Enabled
    OSVersion   = (Get-WmiObject Win32_OperatingSystem).Caption
    Date        = Get-Date
}
$report | ConvertTo-Json | Out-File "$reportDir\FIPS-Status-$($env:COMPUTERNAME).json"
gpresult /h "$reportDir\GPResult-$($env:COMPUTERNAME).html"
Write-Host "Compliance report saved to $reportDir"
Summary
Enabling FIPS 140-2 compliant cryptography on Windows Server 2012 R2 restricts the system to validated, approved cryptographic algorithms, satisfying federal compliance requirements and strengthening the cryptographic foundation of your server infrastructure. The most important steps are testing application compatibility thoroughly before production deployment, configuring both the OS-level registry setting and application-level .NET enforcement, and validating that HTTPS endpoints and RDP sessions use FIPS-compliant cipher suites. Applications that rely on MD5 or RC4 will require code changes or replacement before FIPS mode can be safely enabled in production.