Organizations that already have a stable, secure image for desktop and laptop computers can ignore this story. Everyone else can now implement the Federal Desktop Core Configuration for Windows XP and Vista, which provides a good framework for ensuring secure civilian desktop and laptop configurations.
In particular, IT managers at small and midsize organizations can use the freely available checklists, model Windows GPO (Group Policy Objects) and reference virtual machine images that the NIST (National Institute of Standards and Technology) has provided for Windows XP and Vista to create their own standard, secure desktop and laptop configurations.
The Office of Management and Budget has mandated that by Feb. 1 all federal agencies using Windows XP and Vista adopt the standard security configurations developed by NIST, the Department of Defense and the Department of Homeland Security as part of FDCC.
The requirement also applies to the Windows XP and Vista firewalls, and Internet Explorer 7. In a nutshell, the FDCC provides organizations with guidelines for implementing standard, secure and assessable operating system and application configurations, in an effort to reduce the attack surfaces of the Windows-based desktop and laptop systems that inhabit federal networks.
While the FDCC is currently limited to improving threat resistance and compliance reporting for XP, Vista and Internet Explorer 7, expect the guidelines to spur the adoption of configuration and scanning standards that impact a broader set of applications. The OMB has yet to mandate Apple, Red Hat and Sun Microsystems operating systems, but NIST is working with these vendors to incorporate their systems.
Aside from Apple, the systems are primarily server operating systems. The FDCC does not apply to Windows systems when they are used as servers. It’s likely that the Security Content Automation Protocol-or SCAP, pronounced “S-CAP”-will eventually extend vulnerability and configuration management to server operating systems.
The NIST-developed SCAP is the technical glue holding the FDCC effort together. SCAP content is security checklist data that is communicated in in XML formats and provides data about vulnerability, configuration, compliance and asset information in Extensible Configuration Checklist Description Format and Open Vulnerability and Assessment Language.
PC Lockdown in the Government and Beyond – Page 2
The bottom line is that the government is creating a standard way for applications and computer systems to communicate configuration information.
Commercial applications already use SCAP in the PCI (Payment Card Industry) Data Security Standard audits. This is because PCI-authorized scanning services must use the National Vulnerability Database provided by NIST.
The ability to consume SCAP information is already appearing in other commercial IT management products from a range of vendors. Federal agencies can use scanning tools to collect security and configuration information and report compliance from those vendors.
NIST officials expected that several testing labs would be accredited to validate FDCC scanning tools. A number of vendors, including BigFix, ConfigureSoft, McAfee, nCircle and Symantec, have already self-certified that they can consume SCAP data streams in at least three areas required by the FDCC and are listed as compliant vendors on the NIST Web site.
The FDCC is focused on Windows XP and Vista configuration in federal agencies. The FDCC calls for organizations to use Microsoft’s Group Policy to put in place and demonstrate compliance with sensible configuration defaults, such as turning wireless network access off by default.
NIST also provides a GPO that offers templates that can be applied to computers and users. NIST advises-and I concur-that the Group Policy templates they provide should not be applied to production environments until after diligent testing to ensure the restrictive policies won’t interfere with business processes and applications.
Other FDCC requirements govern a wide range of configuration settings, many concerned with passwords. Changing default accounts is a big part of the FDCC checklists and there are extensive rules around password use. For example, the FDCC mandates that passwords have a minimum length of 12 characters.
I tried the model FDCC Windows XP virtual machine and found that small and midsize organizations could benefit from using the template as a beginning for building a standard image.
PC Lockdown in the Government and Beyond – Page 3
The FDCC is just a starting point, however. For example, the reference model has disabled the guest access account. IT administrators should use the guidance that eWeek has advocated for years-lock down the standard desktop image so that users have the least amount of privileges needed for authorized business applications.
SCAP will likely have a major impact on both vulnerability and configuration management tools, as well as on application makers. The FDCC already requires federal agencies to acquire software validated to not change registry and other configuration settings during the installation process.
With applications required to leave system components alone and with scanning tools standardized on reading vulnerability and configuration information from a standard protocol, IT managers likely will be able to focus on selecting applications for business function without as much uncertainty about security risks the application will introduce.
FDCC requirements are a good starting point for organizations, but they are no substitute for a solid IT plan for a standard desktop and laptop configuration that meets business needs. I talked with several eWeek Corporate Partners, our advisers on IT field practice, after using the FDCC base-line Windows XP configuration. They agreed that the FDCC was a good concept but said they already had standard, approved configurations and wouldn’t be implementing the FDCC in their organizations.
A couple of the Corporate Partners interviewed are in large commercial organizations that are already subject to some regulation. For IT managers in SMBs, I recommend starting with selling top management on the idea of a single-or a very small number of-standard images that lock out administrative privilege.
The FDCC requirements were developed with a restricted security mission and a user community that is accustomed to being given directives. Commercial IT managers should consider that some of the FDCC settings may be too restrictive for practical implementation in a commercial organization. For example, many of the password policies that can be enforced in an organization that uses security clearances will be too costly to implement for a commercial organization.
The NIST checklists are freely accessible, and, since the money has already been spent, savvy IT managers would do well to consider the recommendations for ways to standardize and secure today’s user systems.