Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management
    • Networking

    PC Lockdown in the Government and Beyond

    By
    Cameron Sturdevant
    -
    January 13, 2008
    Share
    Facebook
    Twitter
    Linkedin

      Organizations that already have a stable, secure image for desktop and laptop computers can ignore this story. Everyone else can now implement the Federal Desktop Core Configuration for Windows XP and Vista, which provides a good framework for ensuring secure civilian desktop and laptop configurations.

      In particular, IT managers at small and midsize organizations can use the freely available checklists, model Windows GPO (Group Policy Objects) and reference virtual machine images that the NIST (National Institute of Standards and Technology) has provided for Windows XP and Vista to create their own standard, secure desktop and laptop configurations.

      The Office of Management and Budget has mandated that by Feb. 1 all federal agencies using Windows XP and Vista adopt the standard security configurations developed by NIST, the Department of Defense and the Department of Homeland Security as part of FDCC.

      The requirement also applies to the Windows XP and Vista firewalls, and Internet Explorer 7. In a nutshell, the FDCC provides organizations with guidelines for implementing standard, secure and assessable operating system and application configurations, in an effort to reduce the attack surfaces of the Windows-based desktop and laptop systems that inhabit federal networks.

      While the FDCC is currently limited to improving threat resistance and compliance reporting for XP, Vista and Internet Explorer 7, expect the guidelines to spur the adoption of configuration and scanning standards that impact a broader set of applications. The OMB has yet to mandate Apple, Red Hat and Sun Microsystems operating systems, but NIST is working with these vendors to incorporate their systems.

      Aside from Apple, the systems are primarily server operating systems. The FDCC does not apply to Windows systems when they are used as servers. It’s likely that the Security Content Automation Protocol-or SCAP, pronounced “S-CAP”-will eventually extend vulnerability and configuration management to server operating systems.

      The NIST-developed SCAP is the technical glue holding the FDCC effort together. SCAP content is security checklist data that is communicated in in XML formats and provides data about vulnerability, configuration, compliance and asset information in Extensible Configuration Checklist Description Format and Open Vulnerability and Assessment Language.

      PC Lockdown in the Government and Beyond – Page 2

      The bottom line is that the government is creating a standard way for applications and computer systems to communicate configuration information.

      Commercial applications already use SCAP in the PCI (Payment Card Industry) Data Security Standard audits. This is because PCI-authorized scanning services must use the National Vulnerability Database provided by NIST.

      The ability to consume SCAP information is already appearing in other commercial IT management products from a range of vendors. Federal agencies can use scanning tools to collect security and configuration information and report compliance from those vendors.

      NIST officials expected that several testing labs would be accredited to validate FDCC scanning tools. A number of vendors, including BigFix, ConfigureSoft, McAfee, nCircle and Symantec, have already self-certified that they can consume SCAP data streams in at least three areas required by the FDCC and are listed as compliant vendors on the NIST Web site.

      The FDCC is focused on Windows XP and Vista configuration in federal agencies. The FDCC calls for organizations to use Microsoft’s Group Policy to put in place and demonstrate compliance with sensible configuration defaults, such as turning wireless network access off by default.

      NIST also provides a GPO that offers templates that can be applied to computers and users. NIST advises-and I concur-that the Group Policy templates they provide should not be applied to production environments until after diligent testing to ensure the restrictive policies won’t interfere with business processes and applications.

      Other FDCC requirements govern a wide range of configuration settings, many concerned with passwords. Changing default accounts is a big part of the FDCC checklists and there are extensive rules around password use. For example, the FDCC mandates that passwords have a minimum length of 12 characters.

      I tried the model FDCC Windows XP virtual machine and found that small and midsize organizations could benefit from using the template as a beginning for building a standard image.

      PC Lockdown in the Government and Beyond – Page 3

      The FDCC is just a starting point, however. For example, the reference model has disabled the guest access account. IT administrators should use the guidance that eWeek has advocated for years-lock down the standard desktop image so that users have the least amount of privileges needed for authorized business applications.

      SCAP will likely have a major impact on both vulnerability and configuration management tools, as well as on application makers. The FDCC already requires federal agencies to acquire software validated to not change registry and other configuration settings during the installation process.

      With applications required to leave system components alone and with scanning tools standardized on reading vulnerability and configuration information from a standard protocol, IT managers likely will be able to focus on selecting applications for business function without as much uncertainty about security risks the application will introduce.

      FDCC requirements are a good starting point for organizations, but they are no substitute for a solid IT plan for a standard desktop and laptop configuration that meets business needs. I talked with several eWeek Corporate Partners, our advisers on IT field practice, after using the FDCC base-line Windows XP configuration. They agreed that the FDCC was a good concept but said they already had standard, approved configurations and wouldn’t be implementing the FDCC in their organizations.

      A couple of the Corporate Partners interviewed are in large commercial organizations that are already subject to some regulation. For IT managers in SMBs, I recommend starting with selling top management on the idea of a single-or a very small number of-standard images that lock out administrative privilege.

      The FDCC requirements were developed with a restricted security mission and a user community that is accustomed to being given directives. Commercial IT managers should consider that some of the FDCC settings may be too restrictive for practical implementation in a commercial organization. For example, many of the password policies that can be enforced in an organization that uses security clearances will be too costly to implement for a commercial organization.

      The NIST checklists are freely accessible, and, since the money has already been spent, savvy IT managers would do well to consider the recommendations for ways to standardize and secure today’s user systems.

      Cameron Sturdevant
      Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at [email protected]

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×