


Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>



ITL BULLETIN FOR FEBRUARY 2008



FEDERAL DESKTOP CORE CONFIGURATION (FDCC): IMPROVING SECURITY FOR WINDOWS DESKTOP OPERATING SYSTEMS



Shirley Radack and Karen Scarfone, Editors

Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

U.S. Department of Commerce



The Federal Desktop Core Configuration (FDCC) is a standard security configuration mandated by the Office of Management and Budget (OMB). The FDCC currently exists for the Microsoft Windows XP Professional™ and Windows Vista Enterprise™ operating systems. In March 2007, OMB issued policy guidance in a memorandum to all federal agencies and departments requiring that they develop plans to adopt the standard security configuration for their Windows XP Professional (using Service Pack 2) and Vista Enterprise-based systems by February 1, 2008. The goal of the FDCC is to help federal organizations improve their information security and reduce the information technology (IT) costs associated with securing their Windows operating systems.



The FDCC was created by customizing existing security recommendations for Windows and Internet Explorer 7.0. Specifically, the Windows XP FDCC was based on Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST Special Publication 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, and Department of Defense (DoD) customization of the recommendations in the Microsoft Security Guide for Internet Explorer 7.0. The Windows Vista FDCC was based on DoD customization of the Microsoft Security Guides for Windows Vista and Internet Explorer 7.0. Microsoft’s guide for Vista was produced through a collaborative effort with the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the Information Technology Laboratory of the National Institute of Standards and Technology (NIST).



NIST provides several types of resources to help agencies understand and implement FDCC. The NIST FDCC website, located at http://fdcc.nist.gov/, provides information such as answers to frequently asked questions about the FDCC, workshop and conference presentations, FDCC settings documentation, and FDCC-related content and tools. Also, technical questions on FDCC that are not answered on the NIST FDCC website can be directed via email to a support capability at fdcc@private.





Testing FDCC Settings



Before deploying FDCC in an operational environment, agencies should thoroughly test certain FDCC settings that may impact system functionality. Examples of these are running the system as a standard user, requiring the use of Federal Information Processing Standard (FIPS) 140-2 approved encryption, and installing drivers that are not digitally signed by Microsoft. Additional information on potentially problematic settings is available from NIST’s FDCC web page, which is located at http://fdcc.nist.gov/.



Resources are available to agencies to assist them in performing FDCC-related testing. Microsoft has a product called Virtual PC (VPC) that allows users to run a virtual instance of an operating system (OS) within an already-running instance of an OS. The virtual instance, also known as a virtual machine, can utilize the hardware of the computer (e.g., hard drive, Ethernet card, Universal Serial Bus [USB] ports) in the same way the non-virtual OS does. From the non-virtual OS, the virtual machine appears as a single, large *.vhd file.



Virtual machines are useful for both laboratory and deployment testing. While software can be installed on a virtual machine in the same way software is installed on normal OSs, virtual machines can be discarded and reimplemented quickly for the purposes of ensuring a pristine testing environment or if something malfunctioned with the previous virtual machine. Additionally, multiple virtual machines can be run on a single physical platform to achieve cost savings.



Microsoft produces virtual machine *.vhd files for FDCC with input from many federal departments and agencies, including DHS, DISA, OMB, NIST, NSA, and USAF. These files are published quarterly and can be downloaded from http://fdcc.nist.gov/download_fdcc.html. Organizations should use these virtual machine files in test and evaluation environments only; they are not to be used as deployment images. It is also recommended that, before running an FDCC virtual machine, antivirus software be installed and configured and that the VPC networking be set to “Local only” or “Not connected” to help isolate the virtual machine.





Deploying FDCC Settings



For most organizations, the recommended deployment method for FDCC is to implement the majority of FDCC settings using group policies as managed with Microsoft Group Policy Objects (GPO). Approximately 98 percent of all FDCC settings may be implemented through GPOs. The remaining security settings, such as the granular audit policy settings for Windows Vista, must be implemented locally through *.inf, batch, or manual methods. Small organizations may choose to implement the FDCC settings through local methods only.



Organizations that manage several operating systems through a Group Policy Management Console (GPMC) can apply GPOs with FDCC settings to specific Windows operating systems using a Windows Management Instrumentation (WMI) filter (WMI filtering is only recognized on Windows Vista, Windows XP, and Windows Server 2003). More specifically, create a WMI filter that selects applicable operating systems, and link that filter to the GPO applicable for those operating systems. If computers with Windows 2000 or previous Windows operating systems are present within the enterprise, these computers must be granted an exception from the group policy using the Deny Read and Deny Apply Group Policy settings. Additional information is available at http://nvd.nist.gov/chklst_detail.cfm?config_id=88 and http://support.microsoft.com/kb/555253.
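As an added illustration of the WMI-filter step (this is not code from the bulletin, from NIST, or from the GPMC), the WQL queries below select the two FDCC target operating systems in the form a GPMC WMI filter accepts, and a Windows PowerShell function evaluates one of them against a computer so the filter can be confirmed to match the intended systems before it is linked to the FDCC GPO. The filter names, the Windows version prefixes (5.1 for XP, 6.0 for Vista), the ProductType test (1 = workstation) and the Service Pack 2 test are assumptions of this example; Get-WmiObject and Win32_OperatingSystem are the real cmdlet and WMI class.

```powershell
# Added example, not from the NIST bulletin or the GPMC: WQL queries for the
# two FDCC target operating systems, in the form a GPMC WMI filter accepts, and
# a check that evaluates a query against a computer before the filter is linked
# to the FDCC GPO. Version prefixes (5.1 = XP, 6.0 = Vista), ProductType 1
# (workstation) and the SP2 test are this example's assumptions.
$FdccWmiFilters = @{
    # Windows XP Professional with Service Pack 2, the XP FDCC target
    'FDCC-WinXP-SP2' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = 1 AND ServicePackMajorVersion = 2'
    # Windows Vista workstation editions, the Vista FDCC target
    'FDCC-Vista'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = 1'
}

function Test-FdccWmiFilter {
    param(
        [Parameter(Mandatory=$true)] [string] $FilterName,
        [string] $ComputerName = '.'
    )
    $query = $FdccWmiFilters[$FilterName]
    if (-not $query) { throw "No FDCC filter named '$FilterName'" }

    # Group Policy evaluates the same WQL on the client: an empty result set
    # means the linked GPO is skipped for that computer.
    $hits = @(Get-WmiObject -ComputerName $ComputerName -Query $query -ErrorAction Stop)
    $os   = Get-WmiObject -ComputerName $ComputerName -Class Win32_OperatingSystem -ErrorAction Stop

    New-Object PSObject -Property @{
        Computer = $ComputerName
        Filter   = $FilterName
        OS       = $os.Caption
        Version  = $os.Version
        Applies  = ($hits.Count -gt 0)
    }
}

# Exactly one filter should apply to an in-scope desktop; neither applies to a
# Windows Server 2003 host (ProductType 3, version 5.2), and Windows 2000 clients
# never evaluate WMI filters at all.
foreach ($name in $FdccWmiFilters.Keys) {
    Test-FdccWmiFilter -FilterName $name
}
```

Run it on a representative XP SP2 and Vista desktop and on any Server 2003 host that sits in the same organizational unit. The last point in the comments is why the bulletin pairs the filter with Deny Read and Deny Apply Group Policy: a Windows 2000 client ignores the filter and would apply the FDCC GPO unless the ACL exception keeps it from reading the policy.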





Using The Security Content Automation Protocol (SCAP) for FDCC



Another NIST effort that helps to support FDCC is the Security Content Automation Protocol (SCAP). SCAP is a protocol established by NIST that encompasses a suite of interoperable and automatable standardized security components. Because SCAP uses Extensible Markup Language (XML)-based components, SCAP is simultaneously machine- and human-readable. SCAP enables security tools to automatically perform configuration checks on Windows computers, ensuring that they maintain the proper security settings throughout the system’s life cycle. To meet the goals set forth in OMB Memorandum M-07-18, security configuration scanning tools that can use official SCAP content are needed. In support of this, NIST has established an SCAP Validation Program through the NIST National Voluntary Laboratory Accreditation Program (NVLAP), so that independent laboratories can be accredited to perform the testing necessary to validate that security tools can accurately parse the SCAP content required for their specific functionality. So far, three laboratories have been accredited for SCAP Validation and three IT security products have been certified for the SCAP “FDCC Scanner” Capability. Additional details on SCAP compliance are available at http://scap.nist.gov/.



FDCC baselines for Windows XP and Vista are available in SCAP format at http://fdcc.nist.gov/download_fdcc.html. Through the use of SCAP-compliant tools and the official FDCC SCAP content, agencies can routinely monitor their systems to ensure that the FDCC settings have not been altered as the result of patches, new software installation, or human interaction. The tools compare the deployed configuration against the official FDCC SCAP content and report on any discrepancies so that corrective action can be taken. (Some tools also have an automatic remediation capability.) A small number of FDCC settings cannot be verified with SCAP at this time; a list of these settings is available from the main FDCC website, http://fdcc.nist.gov/.



Agencies can use FDCC SCAP content to automate some of their documentation of technical security controls’ compliance with the requirements of the Federal Information Security Management Act (FISMA). The FDCC SCAP content has FISMA compliance mappings embedded within it, so that SCAP tools can automatically generate NIST Special Publication (SP) 800-53 assessment and compliance evidence. Each low-level security configuration check is mapped to the appropriate high-level NIST SP 800-53 security controls. As NIST SP 800-53A is finalized, there will be direct linkages, where appropriate, of the assessment procedures from SP 800-53A to the SCAP automated testing of information system mechanisms and associated security configuration settings. In addition, the FDCC SCAP content also contains mappings to other high-level policies, such as DoD 8500 and the Federal Information System Controls Audit Manual (FISCAM), and SCAP tools may also output those compliance mappings.





Reporting on FDCC Compliance



Per the July 31, 2007, memorandum from OMB to federal CIOs, federal agencies must use SCAP-validated products to verify that their Windows XP Professional and Vista Enterprise systems are FDCC-compliant. As an integral part of the continuous monitoring of systems configured to FDCC, agencies can report their testing results to NIST. To ensure both the accuracy and consistency of these results, agencies can use the standardized SCAP XML reporting format. Use of this format will enable NIST to efficiently collect and organize the results for analysis and trending over time. NIST will aggregate the results from all agencies, and will not generally provide direct feedback to each individual agency concerning their results.



OMB policy recognizes that agencies may determine that settings in the FDCC are not practical. In the March 20, 2007, memorandum to federal agency Chief Information Officers (see http://www.cio.gov/documents/Windows_Common_Security_Configurations.doc), OMB instructed agencies to provide documentation to NIST of any deviations from the FDCC and the rationale for doing so. Agencies are to report FDCC compliance through their CIO hierarchy; an agency or department CIO must report compliance for that organization. Compliance is expressed as roll-up numbers of compliant versus noncompliant computers. For noncompliant computers, CIOs must provide a representative sample of SCAP-based assessment reports, using the Extensible Configuration Checklist Description Format (XCCDF) version 1.1.4. The FDCC XML reporting format is located at http://nvd.nist.gov/scap/content/fdcc-reporting_20080108.zip. Additional guidance will be forthcoming. This information should be sent to OMB at fisma@private with a carbon copy to NIST at fdcc@private by March 31, 2008. NIST will perform trend analysis on all federal data and present findings to OMB.
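The discrepancy reporting described in the SCAP section and the compliant-versus-noncompliant roll-up described here can be shown together in one short Windows PowerShell function. This is an added example, not code from NIST, from the FDCC reporting package, or from any SCAP-validated tool: it reads XCCDF 1.1 TestResult elements, counts a computer as compliant only when no rule-result is "fail", and keeps "notchecked" results apart, since a small number of FDCC settings cannot be verified with SCAP and should be reported as unverified rather than counted as passes or failures. The XCCDF 1.1 namespace URI is the real one; the two-host result document, its host names and its rule ids are constructed placeholders.

```powershell
# Added example, not NIST or vendor code: summarise XCCDF 1.1 TestResult
# elements into the compliant-versus-noncompliant roll-up that CIOs report.
# The document below is a constructed sample with placeholder host names and
# rule ids; a real FDCC scanner emits the same structure for the real rules.
$SampleResults = @'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-fdcc-sample">
  <TestResult id="constructed-result-1" end-time="2008-02-01T09:00:00">
    <target>WS-EXAMPLE-01</target>
    <rule-result idref="placeholder-rule-1"><result>pass</result></rule-result>
    <rule-result idref="placeholder-rule-2"><result>pass</result></rule-result>
    <rule-result idref="placeholder-rule-3"><result>notchecked</result></rule-result>
  </TestResult>
  <TestResult id="constructed-result-2" end-time="2008-02-01T09:05:00">
    <target>WS-EXAMPLE-02</target>
    <rule-result idref="placeholder-rule-1"><result>pass</result></rule-result>
    <rule-result idref="placeholder-rule-2"><result>fail</result></rule-result>
    <rule-result idref="placeholder-rule-3"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
'@

function Get-FdccRollup {
    param([Parameter(Mandatory=$true)] [xml] $Xccdf)

    # One summary object per scanned computer (one TestResult each).
    $perHost = @(foreach ($tr in @($Xccdf.Benchmark.TestResult)) {
        $rules     = @($tr.'rule-result')
        $failed    = @($rules | Where-Object { $_.result -eq 'fail' })
        # notchecked/unknown/error are not verdicts: the setting was not verified.
        $unchecked = @($rules | Where-Object { @('notchecked', 'unknown', 'error') -contains $_.result })
        [pscustomobject]@{
            Target      = $tr.target
            Checked     = $rules.Count - $unchecked.Count
            Failed      = $failed.Count
            Unchecked   = $unchecked.Count
            FailedRules = (($failed | ForEach-Object { $_.idref }) -join ', ')
            Compliant   = ($failed.Count -eq 0)
        }
    })

    $compliantCount = @($perHost | Where-Object { $_.Compliant }).Count
    [pscustomobject]@{
        Hosts             = $perHost
        CompliantCount    = $compliantCount
        NoncompliantCount = $perHost.Count - $compliantCount
    }
}

$rollup = Get-FdccRollup -Xccdf ([xml]$SampleResults)
$rollup.Hosts | Format-Table Target, Checked, Failed, Unchecked, Compliant, FailedRules -AutoSize
"Roll-up: {0} compliant, {1} noncompliant" -f $rollup.CompliantCount, $rollup.NoncompliantCount
# The roll-up counts go up the CIO hierarchy; the full XCCDF reports of the
# noncompliant hosts (here WS-EXAMPLE-02, failing placeholder-rule-2) are what
# is submitted as the representative sample.
```

On the constructed sample this yields one compliant and one noncompliant host. The Unchecked column is worth keeping in the agency's own view even though the roll-up format does not ask for it: a host with many notchecked results has not actually been verified against the full baseline, and those settings still need the manual verification the bulletin's "cannot be verified with SCAP at this time" list implies.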





For More Information



The Office of Management and Budget memoranda concerning the implementation of the FDCC, listed below, are available at:

http://www.whitehouse.gov/omb/memoranda/

OMB Memorandum M-07-11 for the Heads of Department and Agencies; Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, March 22, 2007

OMB Memorandum M-07-18 to Chief Information Officers and Chief Acquisition Officers; Ensuring New Acquisitions Include Common Security Configurations, June 1, 2007

OMB Memorandum for Chief Information Officers; Establishment of Windows XP and Vista Virtual Machine and Procedures for Adopting the Federal Desktop Core Configurations, July 31, 2007. See http://www.cio.gov/documents/FDCC_memo.pdf.





Additional information about FDCC is available on NIST’s web page:

http://fdcc.nist.gov/

For information about NIST standards and guidelines that are referenced in this bulletin, as well as other security-related publications, see NIST’s web page:

http://csrc.nist.gov/publications/index.html



Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.





Elizabeth B. Lennon

Writer/Editor

Information Technology Laboratory

National Institute of Standards and Technology

100 Bureau Drive, Stop 8900

Gaithersburg, MD 20899-8900

Telephone (301) 975-2832

Fax (301) 975-2378







___________________________________________________

Subscribe to InfoSec News

http://www.infosecnews.org/mailman/listinfo/isn




