PC Lockdown in the Government and Beyond (Page 2 of 3)
The bottom line is that the government is creating a standard way
for applications and computer systems to communicate configuration
information.
Commercial applications already use SCAP in the PCI (Payment Card
Industry) Data Security Standard audits. This is because PCI-authorized
scanning services must use the National Vulnerability Database provided
by NIST.
The ability to consume SCAP information is already appearing in
other commercial IT management products from a range of vendors.
Federal agencies can use scanning tools from those vendors to collect
security and configuration information and report compliance.
NIST officials expected that several testing labs would be
accredited to validate FDCC scanning tools. A number of vendors,
including BigFix, ConfigureSoft, McAfee, nCircle and Symantec, have
already self-certified that they can consume SCAP data streams in at
least three areas required by the FDCC and are listed as compliant
vendors on the NIST Web site.
The FDCC is focused on Windows XP and Vista configuration in federal
agencies. The FDCC calls for organizations to use Microsoft’s Group
Policy to put in place and demonstrate compliance with sensible
configuration defaults, such as turning wireless network access off by
default.
NIST also provides a GPO that offers templates that can be applied
to computers and users. NIST advises—and I concur—that the Group Policy
templates they provide should not be applied to production environments
until after diligent testing to ensure the restrictive policies won’t
interfere with business processes and applications.
Other FDCC requirements govern a wide range of configuration
settings, many concerned with passwords. Changing default accounts is a
big part of the FDCC checklists and there are extensive rules around
password use. For example, the FDCC mandates that passwords have a
minimum length of 12 characters.
I tried the model FDCC Windows XP virtual machine and found that
small and midsize organizations could benefit from using the template
as a beginning for building a standard image.