Using group policy for FIPS compliance

If your Active Directory forest meets the minimum requirements and you have configured the Windows environment with the local or group “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” security policy, you can make Centrify‑managed computers FIPS-compliant by enabling and applying the Centrify “Use FIPS compliant algorithms for encryption, hashing and signing” group policy. You should not use the equivalent Windows group policy to configure FIPS‑compliant communications for Linux and UNIX computers. The Centrify “Use FIPS compliant algorithms for encryption, hashing and signing” group policy is specifically designed to support Active Directory domains that are configured for FIPS 140-2 compliance.

The Centrify “Use FIPS compliant algorithms for encryption, hashing and signing” group policy is defined in a separate XML (centrifydc_fips.xml) or ADM (centrifydc_fips.adm) template file. The template file is included in the Centrify group policy extension. You must add one of these templates to a Group Policy Object to put a Centrify-managed computer into FIPS-compliant mode. For information about adding template files and enabling group policies, see the Group Policy Guide. After you enable the policy, it takes effect at the next group policy update interval. To have the policy applied immediately, run the adgpupdate command.

Using the XML template group policy

If you use the XML group policy template to enable FIPS mode, the policy verifies that each computer is joined to a domain at the Windows Server 2008 or later domain functional level. If a domain controller does not meet this minimum domain functional level, the policy issues a warning that allows you to skip enabling FIPS mode for that computer.

The XML group policy template also verifies that all computers to which the policy applies are running a supported operating system. On computers that are running a supported operating system, the policy sets the fips.mode.enable configuration parameter to true and automatically stops and restarts the adclient process. After the restart, the computers where the policy was applied are FIPS-compliant.

If the computer is not running a supported platform, the XML policy leaves the fips.mode.enable configuration parameter set to false, and does not stop and restart adclient. The computer remains joined and the current encryption and hashing algorithms remain in force.

Modifying the agent configuration file

The Centrify “Use FIPS compliant algorithms for encryption, hashing and signing” group policy sets the fips.mode.enable parameter in the Centrify configuration file to true. By default, this parameter is set to false until the group policy is applied and the computer is updated at the next group policy update interval. You can also manually modify this parameter setting directly in the agent configuration file (centrifydc.conf), then restart the adclient process to enable FIPS mode. In most cases, however, you should use the group policy to set the configuration parameter to enable FIPS mode rather than manually editing the fips.mode.enable parameter on individual computers.
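As an added example (not Centrify's own tooling), the following Python helper audits and rewrites the fips.mode.enable parameter in a centrifydc.conf-style file; it assumes the file uses `key: value` lines and treats an absent parameter as false, as described above. Restarting adclient after the change remains a separate step.

```python
"""Audit and enforce fips.mode.enable in a Centrify agent configuration file."""
import re

PARAM = "fips.mode.enable"
# Assumption: centrifydc.conf settings are "key: value" lines; '#' starts a comment.
_LINE = re.compile(r"^\s*(?P<key>[\w.]+)\s*:\s*(?P<value>.*?)\s*$")

# Constructed sample configuration for demonstration, not a real centrifydc.conf.
SAMPLE_CONF = """\
# constructed sample
adclient.cache.expires: 3600
# fips.mode.enable: true   (commented out, so FIPS mode is still disabled)
fips.mode.enable: false
"""


def parse_conf(text):
    """Return {key: value} for active (non-comment) settings; the last one wins."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group("key")] = m.group("value")
    return settings


def fips_enabled(text):
    """True only if fips.mode.enable is explicitly 'true'; absent means false."""
    return parse_conf(text).get(PARAM, "false").strip().lower() == "true"


def set_fips(text, enabled=True):
    """Return the config text with fips.mode.enable set to the requested value.

    The first active line for the parameter is rewritten, duplicate active lines
    are dropped, comments are preserved, and a line is appended if none existed.
    """
    value = "true" if enabled else "false"
    out, done = [], False
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group("key") == PARAM:
            if not done:
                out.append(f"{PARAM}: {value}")
                done = True
            continue  # drop duplicate active settings
        out.append(line)
    if not done:
        out.append(f"{PARAM}: {value}")
    return "\n".join(out) + "\n"
```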

Applying the group policy to a domain

In most cases, you should apply the “Use FIPS compliant algorithms for encryption, hashing and signing” group policy to a Windows Server 2008, or later, domain to enable FIPS mode. If the group policy is applied to the domain, then the computer will be enabled for FIPS mode automatically when it joins the domain.