PC Lockdown in the Government and Beyond - Page 2

By Cameron Sturdevant  |  Posted 2008-01-13

The bottom line is that the government is creating a standard way for applications and computer systems to communicate configuration information.

Commercial applications already use SCAP in the PCI (Payment Card Industry) Data Security Standard audits. This is because PCI-authorized scanning services must use the National Vulnerability Database provided by NIST.

The ability to consume SCAP information is already appearing in other commercial IT management products from a range of vendors. Federal agencies can use those vendors' scanning tools to collect security and configuration information and report compliance.

NIST officials expected that several testing labs would be accredited to validate FDCC scanning tools. A number of vendors, including BigFix, ConfigureSoft, McAfee, nCircle and Symantec, have already self-certified that they can consume SCAP data streams in at least three areas required by the FDCC and are listed as compliant vendors on the NIST Web site.

The FDCC is focused on Windows XP and Vista configuration in federal agencies. The FDCC calls for organizations to use Microsoft's Group Policy to put in place and demonstrate compliance with sensible configuration defaults, such as turning wireless network access off by default.

NIST also provides a GPO (Group Policy Object) with templates that can be applied to computers and users. NIST advises, and I concur, that the Group Policy templates it provides should not be applied to production environments until diligent testing has confirmed that the restrictive policies won't interfere with business processes and applications.

Other FDCC requirements govern a wide range of configuration settings, many concerned with passwords. Changing default accounts is a big part of the FDCC checklists, and there are extensive rules around password use. For example, the FDCC mandates that passwords have a minimum length of 12 characters.
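As an added example (not code from the article, NIST or any of the vendors named), the following Python script checks a Windows local security policy export, in the INF layout that `secedit /export /cfg <file>` writes, against the 12-character minimum password length the article cites. The export text is constructed for the example; only the 12-character value comes from the article, so other FDCC password settings are not checked here.

```python
"""Compare a secedit-style policy export with the FDCC minimum password length."""
import re
from typing import Dict, Tuple

# Constructed sample imitating the INF layout of `secedit /export`; not a real export.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The one FDCC password value the article states: at least 12 characters.
FDCC_MIN_PASSWORD_LENGTH = 12


def parse_secedit_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INF-style '[Section]' blocks of 'key = value' lines into nested dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and INF comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_password_length(policy: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Return (compliant, message) for MinimumPasswordLength under [System Access]."""
    raw = policy.get("System Access", {}).get("MinimumPasswordLength")
    if raw is None or not raw.isdigit():          # missing or malformed value fails closed
        return False, "MinimumPasswordLength missing or not numeric in export"
    length = int(raw)
    verdict = "meets" if length >= FDCC_MIN_PASSWORD_LENGTH else "is below"
    return (length >= FDCC_MIN_PASSWORD_LENGTH,
            f"MinimumPasswordLength={length} {verdict} FDCC minimum of {FDCC_MIN_PASSWORD_LENGTH}")


if __name__ == "__main__":
    ok, msg = check_password_length(parse_secedit_export(SAMPLE_EXPORT))
    print(("PASS: " if ok else "FAIL: ") + msg)
```

On a real machine, run `secedit /export /cfg policy.inf` as an administrator and feed the file's text (it is written as UTF-16) to `parse_secedit_export` in place of the constructed sample.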

I tried the model FDCC Windows XP virtual machine and found that small and midsize organizations could benefit from using the template as a beginning for building a standard image.

Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.
