PC Lockdown in the Government and Beyond - Page 3

By Cameron Sturdevant  |  Posted 2008-01-13 Print this article Print

The FDCC is just a starting point, however. For example, the reference model has disabled the guest access account. IT administrators should use the guidance that eWeek has advocated for years-lock down the standard desktop image so that users have the least amount of privileges needed for authorized business applications.

SCAP will likely have a major impact on both vulnerability and configuration management tools, as well as on application makers. The FDCC already requires federal agencies to acquire software validated to not change registry and other configuration settings during the installation process.

With applications required to leave system components alone and with scanning tools standardized on reading vulnerability and configuration information from a standard protocol, IT managers likely will be able to focus on selecting applications for business function without as much uncertainty about security risks the application will introduce.

FDCC requirements are a good starting point for organizations, but they are no substitute for a solid IT plan for a standard desktop and laptop configuration that meets business needs. I talked with several eWeek Corporate Partners, our advisers on IT field practice, after using the FDCC base-line Windows XP configuration. They agreed that the FDCC was a good concept but said they already had standard, approved configurations and wouldn't be implementing the FDCC in their organizations.

A couple of the Corporate Partners interviewed are in large commercial organizations that are already subject to some regulation. For IT managers in SMBs, I recommend starting with selling top management on the idea of a single-or a very small number of-standard images that lock out administrative privilege.

The FDCC requirements were developed with a restricted security mission and a user community that is accustomed to being given directives. Commercial IT managers should consider that some of the FDCC settings may be too restrictive for practical implementation in a commercial organization. For example, many of the password policies that can be enforced in an organization that uses security clearances will be too costly to implement for a commercial organization.

The NIST checklists are freely accessible, and, since the money has already been spent, savvy IT managers would do well to consider the recommendations for ways to standardize and secure today's user systems.

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel