PC Lockdown in the Government and Beyond

By Cameron Sturdevant  |  Posted 2008-01-13

New federal regulations for government agencies will have an impact in the commercial space.

Organizations that already have a stable, secure image for desktop and laptop computers can ignore this story. Everyone else can now implement the Federal Desktop Core Configuration for Windows XP and Vista, which provides a good framework for ensuring secure civilian desktop and laptop configurations.

In particular, IT managers at small and midsize organizations can use the freely available checklists, model Windows GPO (Group Policy Objects) and reference virtual machine images that the NIST (National Institute of Standards and Technology) has provided for Windows XP and Vista to create their own standard, secure desktop and laptop configurations.

The Office of Management and Budget has mandated that by Feb. 1 all federal agencies using Windows XP and Vista adopt the standard security configurations developed by NIST, the Department of Defense and the Department of Homeland Security as part of FDCC.

The requirement also applies to the Windows XP and Vista firewalls, and Internet Explorer 7. In a nutshell, the FDCC provides organizations with guidelines for implementing standard, secure and assessable operating system and application configurations, in an effort to reduce the attack surfaces of the Windows-based desktop and laptop systems that inhabit federal networks.

While the FDCC is currently limited to improving threat resistance and compliance reporting for XP, Vista and Internet Explorer 7, expect the guidelines to spur the adoption of configuration and scanning standards that impact a broader set of applications. The OMB has yet to mandate Apple, Red Hat and Sun Microsystems operating systems, but NIST is working with these vendors to incorporate their systems.

Aside from Apple, the systems are primarily server operating systems. The FDCC does not apply to Windows systems when they are used as servers. It's likely that the Security Content Automation Protocol (SCAP, pronounced "S-CAP") will eventually extend vulnerability and configuration management to server operating systems.

The NIST-developed SCAP is the technical glue holding the FDCC effort together. SCAP content is security checklist data communicated in XML formats; it describes vulnerability, configuration, compliance and asset information using the Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability and Assessment Language (OVAL).
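To make the XCCDF/OVAL relationship concrete, here is an added example (not from the original article or from NIST's FDCC content) that reads a small XCCDF 1.1 checklist, links each rule to the OVAL definition that tests it, and lists the rules a scan marked as failed. The benchmark, rule ids, titles and file names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # XCCDF 1.1 namespace
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"  # OVAL check system URI

# Constructed sample, trimmed to the elements used here; ids, titles and
# file names are illustrative and not taken from the FDCC content.
SAMPLE = f"""<Benchmark xmlns="{NS['x']}" id="example-desktop-baseline">
  <Rule id="rule-firewall-enabled" severity="high" selected="true">
    <title>Host firewall is enabled</title>
    <check system="{OVAL}"><check-content-ref href="example-oval.xml" name="oval:example:def:1"/></check>
  </Rule>
  <Rule id="rule-min-password-length" severity="medium" selected="true">
    <title>Minimum password length is enforced</title>
    <check system="{OVAL}"><check-content-ref href="example-oval.xml" name="oval:example:def:2"/></check>
  </Rule>
  <TestResult id="scan-1">
    <rule-result idref="rule-firewall-enabled"><result>pass</result></rule-result>
    <rule-result idref="rule-min-password-length"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""

def parse(xml_text):
    return ET.fromstring(xml_text)

def load_rules(root):
    """Map each XCCDF Rule id to (title, severity, OVAL definition id)."""
    rules = {}
    for rule in root.iterfind(".//x:Rule", NS):
        oval_def = None
        for chk in rule.findall("x:check", NS):
            if chk.get("system") == OVAL:  # only checks delegated to OVAL
                ref = chk.find("x:check-content-ref", NS)
                oval_def = ref.get("name") if ref is not None else None
        rules[rule.get("id")] = (rule.findtext("x:title", "", NS), rule.get("severity"), oval_def)
    return rules

def failed_rules(root):
    """Return (rule id, severity, OVAL definition id) for each rule-result of 'fail'."""
    rules = load_rules(root)
    out = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        if rr.findtext("x:result", "", NS) == "fail":
            _, severity, oval_def = rules.get(rr.get("idref"), ("", None, None))
            out.append((rr.get("idref"), severity, oval_def))
    return out

if __name__ == "__main__":
    for rule_id, severity, oval_def in failed_rules(parse(SAMPLE)):
        print(f"FAIL {rule_id} severity={severity} oval={oval_def}")
```

The XCCDF side carries the human-readable checklist and the scan results, while the OVAL definition id points at the machine-checkable test, which is what makes a configuration assessable by different scanning tools.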

Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.
