http://www.gcn.com/print/27_4/45842-1.html
By Joab Jackson and Jason Miller
GCN.com
02/18/08
All roads in the federal government may lead to a standard configuration
for Windows PCs, but those roads cross different terrains. Some agencies
have made significant progress complying with the Federal Desktop Core
Configuration, but others are experiencing considerable challenges, if
the presentations and discussions at a recent FDCC workshop are any
indication.
The Army and Interior Department are among those on track to implement
FDCC across their organizations. But some other agencies have unique
functions and workforce arrangements that pose a challenge to
retrofitting desktops to FDCC, agency officials and industry experts
say.
Moreover, adoption of FDCC could be slow for some agencies because
ensuring that each agency PC complies with Office of Management and
Budget mandates will require 16 checks that must be done by hand, adding
complexity to the process.
Last year, OMB ordered agencies to upgrade their PCs. Those PCs running
Microsoft Windows XP or Windows Vista must conform to FDCC. Authored by
the National Institute of Standards and Technology and National Security
Agency with the help of Microsoft, FDCC is a set of operating system
configurations designed to improve security. The configuration would,
for example, turn off unused services and run users applications in
user, rather than administrator, mode.
By Feb. 1, agencies were to give OMB a summary of the total number of
desktop PCs they have running Microsoft Windows XP and Windows Vista,
along with the total of those that are FDCC-compliant.
By March 31, agencies must submit a technical report to NIST and OMB
about the status of their implementations.
The move to a standard configuration will change the way some employees
work. At the workshop NIST hosted last month, Blair Heiserman, who works
in the agencys Office of the Chief Information Officer, noted that some
NIST employees, being technically inclined, write their own device
drivers. Unsigned drivers are not permitted under FDCC, though Vista
allows administrators to sign drivers.
Jim Donohue, from the Agriculture Departments Office of the CIO, said
many of the agencys laptop PCs are used by field personnel, which could
also pose a challenge to quick compliance.
Because of the peripatetic nature of the field employees jobs, their
laptops are infrequently checked into the network. Some may go as long
as a year between visits.
And because field employees need to install their own software, they are
given administrative rights, which is prohibited under FDCC.
Another challenge is how to address the manual checks of PCs that agency
information technology employees need to perform to comply with FDCC.
Such manual checks can complicate agency efforts to hit OMB deadlines
for reporting FDCC compliance, said Amrit Williams, chief technology
officer at enterprise systems and security management company BigFix.
It puts a lot of burden on the folks who have to generate the reports
and do the assessments, he said. Most people are struggling just to do
the automated stuff. Not only must they scan their environments to
generate a report, but they have to modify the [resulting] reports to
accommodate information coming from these manual checks.
Checking up
Although some companies already offer automated scanning tools, these
tools probably will not be able to execute all the checks required under
FDCC.
Mitre lead information security engineer Andrew Buttner, who spoke at
the NIST workshop, said an FDCC Security Content Automation Protocol
(SCAP) testing team found that 98 percent of the checks needed for FDCC
could be done automatically. However, Windows Vista, Windows XP and
Internet Explorer all had some settings that could only be updated and
checked by hand.
Buttner said Windows XP has a total of 279 FDCC checks and Windows Vista
has 328 FDCC checks. In addition, Internet Explorer 7, which runs on
both operating systems, has an additional 122 FDCC checks.
Of these sets, Windows XP has seven items that need to be checked by
hand, Windows Vista eight, and Internet Explorer one.
The SCAP team is working with Microsoft to find ways to check these
settings automatically.
They are the subject matter experts and hopefully know how to perform
that test, Buttner said. As of today, were still waiting to get those
answers back.
The checks that remain unautomated include those that offer the ability
to check IPv6 settings in the firewall and check some Kerberos settings
with Windows XP and Windows Vista. One in Internet Explorer permits the
browser to install programs automatically.
Until some sort of path to automation is provided, Williams said, the
manual checks will add a level of complexity to all aspects of the FDCC
process, from reporting and assessment to remediation.
How much this affects agencies trying to comply with FDCC is an open
question.
Agencies have two choices, they can do the checks manually or use no
validated SCAP-capable tools and accept some risk, said Peter Mell, who
leads NISTs SCAP project. There are hundreds of settings, but it can be
done. We have a staff member who does it regularly.
Meanwhile, a new Web page hosted by NIST lists products that have been
validated to scan the security configurations of Windows operating
systems on federal PCs.
The scanners use SCAP to check for compliance with the FDCC standards.
So far, three products have been validated under NISTs National
Voluntary Laboratory Accreditation Program. (For more on SCAP, see
GCN.com, Quickfind 966.)
Success stories
There are a fair number of FDCC success stories. Interior has laid the
groundwork to prepare for FDCC, said Bill Corrington, chief technology
officer at Interior.
Implementing FDCC is a particular challenge because of the agencys
federated nature; Interior consists of 13 relatively independent bureaus
and offices.
Each one has its own CIO, its own CTO and its own IT security manager,
he said. The keys to success were planning and communications.
Early last year, the agency convened a joint team from these ranks of
CTOs, CIOs and chief information security officers to develop a plan of
execution. The plan was then presented to executive management and
submitted to OMB.
The agency then assembled a smaller team of technical experts in Windows
and Active Directory to establish a baseline configuration.
We really wanted to have people who knew what they were doing to study
the issue, Corrington said.
The team tested the settings and came up with a set of draft
configurations, which were reviewed by all Interior agencies. We had a
couple of bureaus say they were fine out of the box, and we had a couple
that had 15 or so settings that they had issues with. But it was a
relatively small number, Corrington said.
In some cases, FDCC was even less stringent than the bureaus policies,
so those bureaus could keep the existing settings in place.
Interior will distribute the FDCC configuration through a set of files
that administrators can then install on desktop computers.
For tracking compliance among bureaus, the agency has extended its
process for tracking Federal Information Security Management Act
compliance to also handle FDCC. We wanted to use the existing process
and not use something new, Corrington said.
The Army has more than 800,000 desktop computers that need to be
FDCC-compliant.
Although that is a big job, the service was ahead of the game because of
an existing standardized Windows XP configuration it already put in
place, called the Golden Master program.
Since August 2006, if you have a computer in the Army, you are required
to have the Army Golden Master on your computer, said Amy Harding, who
works in the Army CIO office.
Because the Golden Master image was based on Microsoft, NIST and Defense
Information Systems Agency security guidelines, updating them to FDCC
involved relatively few modifications.
The CIOs office released the first FDCC-compliant Golden Master image in
August and plans to update its image as changes in FDCC occur.
For those Army offices that do not want to re-image their computers each
time an update occurs, the program also offers Group Policy Objects
settings that could be passed down to the desktop computers through the
Armys Active Directory structure. The Army is also modifying its
contracts with suppliers to require new desktop computers to have the
Golden Master FDCC versions of the operating systems installed.
However, not all agencies FDCC deployments are as smooth as the
deployments at the Army and Interior.
After the formal presentations, one audience member said agency
officials had a choice: Implement FDCC and take down their entire
network serving 180,000 users or tell the agency secretary that the
agency will get a red score from OMB on this yearlong mandate.
FDCC crashes our system, said the audience member, who did not identify
the agency. OMBs initial assumption is wrong that you can apply the FDCC
without breaking your system.
Wendy Liberante, OMBs policy analyst heading the FDCC initiative, gave
an impromptu talk at the workshop, to clarify what OMB wanted for the
Feb. 1 deadline. If you are not compliant, we want to know how far off
you are, Liberante said. We want agencies to understand their universe
and have a plan to get to FDCC compliance.
She also emphasized that when agencies submit their detailed technical
reports to NIST and OMB, which are due March 31, they are not to
consider deviations they disclose to be waivers.
Rather, the deviations are issues that NIST and OMB will work through to
see if they are true problems or something that can be fixed.
William Jackson contributed to this story.
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
Comments