Post on 24-Mar-2020

May 2009

Achieving Federal Desktop Core Configuration Compliance with Lumension® Solutions

WP-EN-05-28-09

What Is It

The Federal Desktop Core Configuration (FDCC) is an Office of Management and Budget (OMB) mandated security configuration set applicable within United States Federal Government agencies. Private enterprises may also choose to utilize this established framework as a foundation for their own security configuration baselines. These FDCC guidelines were developed at the United States National Institute of Standards and Technology (NIST), based on collaborative work with the Department of Homeland Security (DHS), Defense Information Security Agency (DISA), National Security Agency (NSA), United States Air Force (USAF) and Microsoft.

Current FDCC specifications exist for the Microsoft Windows XP and the Microsoft Windows Vista[1] operating systems. The idea for FDCC was originally introduced in March 2007 in OMB Memorandum 07-11, “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”. The goal was to “improve information security and reduce overall IT operating costs”[2] for all general-purpose, managed desktops and laptops utilizing Vista or XP. Systems utilized intermittently on an agency’s network or employed by government contractors are within FDCC’s scope. Outside of the FDCC’s coverage are embedded computers, specialized scientific systems, machines for process control, as well as server systems.

In June 2007, OMB Memorandum 07-18, and later 48 Code of Federal Regulations (CFR) Part 39, detailed the application of the FDCC to government IT purchases: “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s Web site…”[3]

NIST maintains the FDCC configuration checklists in addition to supplying FDCC reporting and compliance guidance. These checklists are Extensible Markup Language (XML) documents which utilize the Security Content Automation Protocol (SCAP) format to express the individual FDCC requirements. SCAP incorporates six open security standards[4] and defines how these standards are combined to “enable automated vulnerability management, measurement, and policy compliance”.[5] NIST also provides SCAP test procedures, written in Open Vulnerability and Assessment Language (OVAL), for use in tandem with the SCAP checklists.
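As an added example (not code from the paper or from Lumension's products), the following Python reads an XCCDF TestResult of the kind an SCAP scanner emits for a checklist run, maps each rule result to its CCE identifier, and computes a pass rate over the rules that were actually evaluated. The sample result document is constructed here; the XCCDF 1.1 namespace and the CCE ident system URI are the standard ones, while the rule ids and CCE numbers are placeholders.

```python
# Added example: summarise an XCCDF/SCAP TestResult by CCE identifier.
# The sample XML below is constructed; its CCE numbers are placeholders.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1 namespace
CCE_SYSTEM = "http://cce.mitre.org"                 # ident system for CCE ids

SAMPLE_RESULT = f"""<?xml version="1.0"?>
<TestResult xmlns="{XCCDF_NS}" id="constructed-fdcc-result">
  <rule-result idref="account-lockout-duration">
    <result>pass</result>
    <ident system="{CCE_SYSTEM}">CCE-0000-1</ident>
  </rule-result>
  <rule-result idref="minimum-password-length">
    <result>fail</result>
    <ident system="{CCE_SYSTEM}">CCE-0000-2</ident>
  </rule-result>
  <rule-result idref="audit-privilege-use">
    <result>notapplicable</result>
    <ident system="{CCE_SYSTEM}">CCE-0000-3</ident>
  </rule-result>
</TestResult>
"""

def rule_results(xml_text):
    """Return a list of (rule idref, CCE id or None, result) tuples."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    out = []
    for rr in root.findall("x:rule-result", ns):
        res = rr.findtext("x:result", default="unknown", namespaces=ns)
        cce = None
        for ident in rr.findall("x:ident", ns):
            if ident.get("system") == CCE_SYSTEM:  # ignore non-CCE idents
                cce = ident.text
        out.append((rr.get("idref"), cce, res))
    return out

def compliance_summary(results):
    """Count outcomes; pass rate counts only rules that were evaluated
    (notapplicable/notchecked/notselected are left out of the denominator)."""
    counts = Counter(r for _, _, r in results)
    scored = [r for _, _, r in results if r in ("pass", "fail", "error", "unknown")]
    rate = counts["pass"] / len(scored) if scored else 0.0
    failing = [cce or rid for rid, cce, r in results if r == "fail"]
    return {"counts": dict(counts), "pass_rate": rate, "failing": failing}

if __name__ == "__main__":
    print(compliance_summary(rule_results(SAMPLE_RESULT)))
```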

OMB Memorandum M-08-22, “Guidance on the Federal Desktop Core Configuration (FDCC)” highlights the pivotal role of SCAP in validation. M-08-22 dictates that “validated tools with FDCC Scanner capability”[6] be utilized to certify FDCC compliance of IT products.

1. XP Professional with Service Pack SP 2 or SP 3. Vista Business, Vista Enterprise, and Vista Ultimate with SP 1.
2. OMB Memorandum 07-11: “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”
3. 48 CFR Part 39 revised February 28, 2008
4. The six standards are: Common Vulnerabilities and Exposures (CVE®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Common Vulnerability Scoring System (CVSS), Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL™)
5. “SCAP”, NIST Secure Content Automation Protocol Version 1.0 Beta document
6. The certification of a particular vendor’s SCAP-based FDCC Scanner capability is performed by independent laboratories accredited by the NIST.


Who Has To Comply

All federal agencies that utilize or plan an upgrade to either Windows XP or Vista must report compliance. Exceptions to FDCC configuration guidance may be approved by the specific department or agency accrediting authority.

The OMB acquisition guidance extended the reach of FDCC to information system providers to ensure and certify that supplied systems operate effectively using the common security configurations. Application vendors, in particular, must ensure that their products do not alter the required security configurations. The government application provider must self-assert the versions of their software which are compatible with the FDCC requirements. Each individual federal CIO must ensure that this self-assertion is completed by the relevant application providers.

Both private industry and government entities must utilize SCAP-validated tools with FDCC Scanner capabilities throughout their certification process. Federal Information Security Management Act (FISMA) guidance[7] specifies the continued use of FDCC Scanners and FDCC compliance attestation by agencies to comply with FISMA’s ongoing monitoring requirement.

What Are the Standards

The FDCC XML checklists detail security concerns identified by Common Vulnerabilities and Exposures (CVE), which may be resolved by patching, and those specified by Common Configuration Enumeration (CCE), which may be resolved by configuration setting.

The FDCC specific configuration requirements are generally based on the “Principle of Least Privilege”, restricting user and machine rights.

In addition to the operating system coverage, the FDCC configuration standards extend to Windows Internet Explorer, Windows Firewall and Windows Defender. These specific applications, however, are not explicitly required. If these applications are not utilized, the guidance is that the FDCC settings be leveraged and equivalently extended to the alternative applications.

The FDCC v1.2.1.0 configuration guidance may be grouped into several categories, each addressing a different area of security. The following table highlights these high level categories and a representative, though not complete, set of configuration items.

7. OMB Memorandum M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management”.


Account, Logon, and User Policy

    Account Lockout
        • Account lockout duration and threshold
    Password
        • Minimum password age and length
        • Password complexity
    Power Management
        • Password prompt on resume from hibernate / suspend
    Account Configurations
        • Rename administrator and guest account
    User Account Control
        • Behavior of the elevation prompt for administrators in Admin Approval Mode
        • Elevation of signed and validated executables
    User Rights Assignment
        • Backup files and directories
        • System time and time zone change
        • Take ownership of files / objects
    Interactive Logon
        • Require CTRL+ALT+DELETE
        • Require smart card
    System Logon
    Control Panel / Display
        • Screen Saver password protect and timeout

Event, Audit and Log Policy

    Audit Policy
        • Directory service and object access
        • Privilege use
        • Process tracking
    Audit Configurations
        • Audit the access of global system objects
        • Audit the use of Backup and Restore privilege
        • Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
        • Shut down system immediately if unable to log security audits
    Event Log
        • Maximum application, security and system log size
        • Retention method for application, security and system log
    Event Log Service\System
        • Maximum Application, Setup and System Log Size (KB)
    Error Reporting
    Vista Audit Policy
        • 47 individual control settings