Achieving Federal Desktop Core Configuration Compliance with Lumension® Solutions

May 2009

WP-EN-05-28-09


What Is It

The Federal Desktop Core Configuration (FDCC) is an Office of Management and Budget (OMB) mandated security configuration set applicable within United States Federal Government agencies. Private enterprises may also choose to utilize this established framework as a foundation for their own security configuration baselines. These FDCC guidelines were developed at the United States National Institute of Standards and Technology (NIST), based on collaborative work with the Department of Homeland Security (DHS), Defense Information Security Agency (DISA), National Security Agency (NSA), United States Air Force (USAF) and Microsoft.

Current FDCC specifications exist for the Microsoft Windows XP and the Microsoft Windows Vista[1] operating systems. The idea for FDCC was originally introduced in March 2007 in OMB Memorandum 07-11, “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”. The goal was to “improve information security and reduce overall IT operating costs”[2] for all general-purpose, managed desktops and laptops utilizing Vista or XP. Systems utilized intermittently on an agency’s network or employed by government contractors are within FDCC’s scope. Outside of the FDCC’s coverage are embedded computers, specialized scientific systems, machines for process control as well as server systems.

In June 2007, OMB Memorandum 07-18, and later 48 Code of Federal Regulations (CFR) Part 39, detailed the application of the FDCC to government IT purchases: “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s Web site…”[3]

NIST maintains the FDCC configuration checklists in addition to supplying FDCC reporting and compliance guidance. These checklists are Extensible Markup Language (XML) documents which utilize the Security Content Automation Protocol (SCAP) format to express the individual FDCC requirements. SCAP incorporates six open security standards[4] and defines how these standards are combined to “enable automated vulnerability management, measurement, and policy compliance”.[5] NIST also provides SCAP test procedures, written in Open Vulnerability and Assessment Language (OVAL), for use in tandem with the SCAP checklists.

OMB Memorandum M-08-22, “Guidance on the Federal Desktop Core Configuration (FDCC)”, highlights the pivotal role of SCAP in validation. M-08-22 dictates that “validated tools with FDCC Scanner capability”[6] be utilized to certify FDCC compliance of IT products.

[1] XP Professional with Service Pack SP 2 or SP 3. Vista Business, Vista Enterprise, and Vista Ultimate with SP 1.
[2] OMB Memorandum 07-11: “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”
[3] 48 CFR Part 39 revised February 28, 2008
[4] The six standards are: Common Vulnerabilities and Exposures (CVE®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Common Vulnerability Scoring System (CVSS), Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL™)
[5] “SCAP”, NIST Secure Content Automation Protocol Version 1.0 Beta document
[6] The certification of a particular vendor’s SCAP-based FDCC Scanner capability is performed by independent laboratories accredited by the NIST.


Who Has To Comply

All federal agencies that utilize or plan an upgrade to either Windows XP or Vista must report compliance. Exceptions to FDCC configuration guidance may be approved by the specific department or agency accrediting authority.

The OMB acquisition guidance extended the reach of FDCC to information system providers to ensure and certify that supplied systems operate effectively using the common security configurations. Application vendors, in particular, must ensure that their products do not alter the required security configurations. The government application provider must self-assert the versions of their software which are compatible with the FDCC requirements. Each individual federal CIO must ensure that this self-assertion is completed by the relevant application providers.

Both private industry and government entities must utilize SCAP-validated tools with FDCC Scanner capabilities throughout their certification process. Federal Information Security Management Act (FISMA) guidance[7] specifies the continued use of FDCC Scanners and FDCC compliance attestation by agencies to comply with FISMA’s ongoing monitoring requirement.

What Are the Standards

The FDCC XML checklists detail security concerns identified by Common Vulnerability Enumeration (CVE), which may be resolved by patching, and those specified by Common Configuration Enumeration (CCE), which may be resolved by configuration setting.

The FDCC-specific configuration requirements are generally based on the “Principle of Least Privilege”, restricting user and machine rights.

In addition to the operating system coverage, the FDCC configuration standards extend to Windows Internet Explorer, Windows Firewall and Windows Defender. These specific applications, however, are not explicitly required. If these applications are not utilized, the guidance is that the FDCC settings be leveraged and equivalently extended to the alternative applications.

The FDCC v1.2.1.0 configuration guidance may be grouped into several categories, each addressing a different area of security. The following table highlights these high level categories and a representative, though not complete, set of configuration items.

[7] OMB Memorandum M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management”


Account, Logon, and User Policy

» Account Lockout
  • Account lockout duration and threshold
» Password
  • Minimum password age and length
  • Password complexity
» Power Management
  • Password prompt on resume from hibernate / suspend
» Account Configurations
  • Rename administrator and guest account
» User Account Control
  • Behavior of the elevation prompt for administrators in Admin Approval Mode
  • Elevation of signed and validated executables
» User Rights Assignment
  • Backup files and directories
  • System time and time zone change
  • Take ownership of files / objects
» Interactive Logon
  • Require CTRL+ALT+DELETE
  • Require smart card
» System Logon
» Control Panel / Display
  • Screen Saver password protect and timeout

Event, Audit and Log Policy

» Audit Policy
  • Directory service and object access
  • Privilege use
  • Process tracking
» Audit Configurations
  • Audit the access of global system objects
  • Audit the use of Backup and Restore privilege
  • Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  • Shut down system immediately if unable to log security audits
» Event Log
  • Maximum application, security and system log size
  • Retention method for application, security and system log
» Event Log Service\System
  • Maximum Application, Setup and System Log Size (KB)
» Error Reporting
» Vista Audit Policy
  • 47 individual control settings


Domain Policy

» Domain controller
  • Allow server operators to schedule tasks
  • LDAP server signing requirements
  • Digitally encrypt / sign secure channel data
» Domain member
  • Maximum machine account password age
  • Require strong (Windows 2000 or later) session key
» Group Policy
  • Internet Explorer Maintenance policy processing
  • Registry policy processing

System Services and Components

» Service control over the use and instantiation of services such as Background Intelligent Transfer Service (BITS), Messenger, Remote Access Connection Manager, Terminal Services, Wireless Zero Configuration and WLAN AutoConfig.
» Internet Information Services
  • IIS installation
» Windows Components
  • Heap termination on corruption behavior
  • Prevent Automatic Updates
  • Prevent Desktop Shortcut Creation
  • Turn Off User Installed Windows Sidebar Gadgets
  • Notify antivirus programs when opening attachments
  • Component Updates


Network Security

» IPv6 tunneling
  • Disable ISATAP, Teredo, and IPv6 to IPv4 tunneling protocols
» Microsoft network client
  • Digitally sign communications
» Microsoft network server
  • Idle time before session suspension
  • Digitally sign communications
  • Disconnect clients when logon hours expire
» Protocol Behavior
  • Automatic detection of MTU size (possible DoS by an attacker using a small MTU)
  • Computer visibility from the browse list
  • SYN attack protection level (protects against DoS)
  • SYN-ACK retransmissions when a connection request is not acknowledged
» Network access
  • Anonymous SID/Name translation
  • Credential storage or .NET Passports for network authentication
  • Remotely accessible registry paths
» Network Security
  • LAN Manager hash value storage on next password change
  • Logoff when logon hours expire
  • LAN Manager authentication level
  • LDAP client signing requirements
  • Minimum session security for NTLM SSP based clients and servers
» Kerberos Policy
» Link-Layer Topology Discovery
» Microsoft Peer-to-Peer Networking Services
» Network Sharing
  • Prevent users from sharing files within their profile
» Network Connections
  • Prohibit use of Internet Connection Firewall and Sharing on your DNS domain network
» Windows Connect Now

Internet Explorer

» Automation Settings
  • AutoComplete for forms
  • Automatic Install of IE components
  • Do not allow users to enable or disable add-ons
» Security Zones
  • Do not allow users to add/delete sites
  • Do not allow users to change policies
» Browsing History
» Internet Control Panel
» Software Signatures
  • Check for signatures on downloaded programs
» ActiveX controls
  • Download signed ActiveX controls
» Java permissions
  • Scripting of Java applets
» Scripting
  • Allow cut, copy or paste operations from the clipboard via script
  • Allow script-initiated windows without size or position constraints
» .NET
  • Run .NET Framework-reliant components signed with Authenticode
» General Security Features
  • User data persistence
» Disable external branding of Internet Explorer
  • Allow third-party browser extensions
  • Allow installation of desktop items
  • Automatic prompting for file downloads
  • Launching applications and files in an IFRAME
  • Loose or un-compiled XAML files
  • Open files based on content, not file extension


Windows Firewall

» Protocol configuration
  • ICMP exceptions
  • Local port exceptions
  • Protect all network connections
  • Unicast response to multicast or broadcast requests
  • IPv6 Block of Protocol 41
  • IPv6 Block of UDP 3544
» Logging
  • Log dropped packets
  • Logged successful connections
» File and printer sharing

System Security Options

» DCOM
» Recovery console
» Shutdown
  • Clear virtual memory pagefile
» System Cryptography
  • Strong key protection for user keys stored on the computer
  • FIPS compliant algorithm for encryption, hashing, and signing
» System objects
  • Default owner for objects created by Administrator’s group members
  • Strengthen default permissions of internal system objects
» System settings
  • Use Certificate Rules on Windows Executables for Software Restriction Policies
» ActiveX Installer Service
  • Approved Installation Sites for ActiveX Controls

Internet Communication

» Printing
  • Downloading of print drivers over HTTP
  • Printing over HTTP
» Remote Assistance
  • Offer Remote Assistance
  • Solicited Remote Assistance
  • Turn on session logging
» Remote Procedure Call
» Credential User Interface
  • Enumerate administrator accounts on elevation
» Digital Locker
  • Do not allow Digital Locker to run
» Game Explorer
  • Turn off downloading of game information
» Internet Help Experience
» NetMeeting
  • Disable remote Desktop Sharing
» Online Assistance
  • Turn off Untrusted Content
» RSS Feeds

System Device Control

» Device Installation
  • System restore point creation when new device driver installed
  • Windows Error Report upon generic driver installation
» Device Configurations
  • Allow undock without having to log on
  • Format and eject removable media
  • Users’ printer driver installation permission
  • Floppy and CD-ROM access to locally logged-on user only
  • Unsigned driver installation behavior
» AutoPlay Policies
  • Turn off Autoplay
» System
  • Turn off Windows Update device driver search prompt


The Challenges of Compliance

Vulnerability Management

In the NIST supplied FDCC Major Version 1.2.x SCAP Content, three patch related XML files for Windows XP, Vista and Internet Explorer are included. Addressing known vulnerabilities in an interconnected world where point-and-click exploit frameworks, such as Metasploit, live is a prudent security practice. Full lifecycle vulnerability management should be a foundation for any organization to help prevent the spread of malware, which is believed to be growing at almost 600% annually and accelerating according to Gartner.[8]

Change Control

Change management is a well known IT concern and its importance is underscored by its presence within the ITIL[9] and COBIT[10] standard frameworks. Further, “Research has shown that as much as 80% of system unavailability is caused by incorrectly applied change. This includes changes made at unauthorized times or without approved change tickets, and can also include approved changes that are not properly executed.”[11]

Agencies are responsible for ensuring continuing compliance as systems change over time, per the reporting requirements of FISMA. As new computing platforms are introduced or as new vendor applications are incorporated into each agency’s network, processes and policies must be in place to guarantee ongoing FDCC compliance.

System Security Management

Assessment, facilitated through the use of FDCC scanners, to detect variance between the FDCC standards and the actual system configuration is only a portion of the compliance process. NIST’s FDCC technical website maintains several tools to help agencies not only detect but maintain compliant systems. These include SCAP content files, Microsoft Virtual Hard Disk (VHD) and Group Policy Object (GPO) files. Group Policy provides an excellent mechanism for ensuring the majority of FDCC settings align to the managed system requirements for many deployment scenarios. Microsoft has also published a tool which allows the NIST supplied GPOs to be applied to the local group policy of a machine for stand-alone systems.[12]

There are a small number of settings, however, for which SCAP content does not exist or which cannot be implemented through GPOs.[13] Additionally, the FDCC settings include machine as well as user settings, and “it’s exceedingly difficult to determine whether user settings... are configured correctly” by automated scanners.[14] Agencies and software providers must be certain to account for these considerations in their compliance efforts.
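The following Python script is an added illustration, not code from this paper or from Lumension, of how the SCAP checklist results described in the What Is It section and the caveats described just above fit together. It reads a constructed XCCDF 1.1 TestResult of the shape an SCAP-validated FDCC scanner reports and sorts each rule into failures the NIST GPOs can remediate, failures that need another remediation path (the paper's IPv6 tunneling example) and rules a scanner could not settle and a person must verify. The rule ids, CCE values and outcomes are invented placeholders, and the set of non-GPO-manageable rules is an assumption made for the example.

```python
"""Triage an XCCDF TestResult the way an FDCC compliance reviewer would read it."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # XCCDF 1.1 namespace used by FDCC content
CCE_SYSTEM = "http://cce.mitre.org"                  # ident system for CCE identifiers

# Constructed sample result. The element shape (TestResult / rule-result / result / ident)
# follows XCCDF 1.1; the rule ids, CCE values and outcomes are invented placeholders,
# not NIST FDCC content. Rule names mirror settings from the paper's category table.
SAMPLE_RESULT = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="fdcc-sample-result">
  <target>WORKSTATION-01</target>
  <rule-result idref="account_lockout_threshold">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
  </rule-result>
  <rule-result idref="minimum_password_length">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-2</ident>
  </rule-result>
  <rule-result idref="lm_hash_storage_disabled">
    <result>fail</result>
  </rule-result>
  <rule-result idref="ipv6_teredo_tunneling_disabled">
    <result>fail</result>
  </rule-result>
  <rule-result idref="ie_autocomplete_forms_disabled">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="screen_saver_timeout">
    <result>unknown</result>
  </rule-result>
  <rule-result idref="iis_not_installed">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# Assumption for this example: rules whose remediation the NIST GPOs cannot deliver
# (the paper names Vista's IPv6 tunneling controls as one such case).
NOT_GPO_MANAGEABLE = {"ipv6_teredo_tunneling_disabled"}
# Outcomes an automated scanner could not settle; a person has to verify these
# (the paper notes user-scope settings are hard for scanners to confirm).
NEEDS_MANUAL_REVIEW = {"notchecked", "unknown", "error"}
COMPLIANT = {"pass", "fixed"}


def parse_rule_results(xml_text):
    """Return [(rule id, result, [CCE ids])] from an XCCDF 1.1 TestResult document."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    rows = []
    for rr in root.findall("x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns).strip()
        cces = [i.text for i in rr.findall("x:ident", ns) if i.get("system") == CCE_SYSTEM]
        rows.append((rr.get("idref"), result, cces))
    return rows


def summarize(rule_results, not_gpo=NOT_GPO_MANAGEABLE):
    """Bucket results into GPO-fixable failures, other failures and manual-review items."""
    counts = Counter(result for _, result, _ in rule_results)
    fail_gpo = [rid for rid, r, _ in rule_results if r == "fail" and rid not in not_gpo]
    fail_other = [rid for rid, r, _ in rule_results if r == "fail" and rid in not_gpo]
    manual = [rid for rid, r, _ in rule_results if r in NEEDS_MANUAL_REVIEW]
    # Score only the rules that were actually evaluated; unsettled ones are not "pass".
    passed = sum(counts[r] for r in COMPLIANT)
    evaluated = passed + counts["fail"]
    score = round(100.0 * passed / evaluated, 1) if evaluated else None
    return {
        "counts": dict(counts),
        "fail_fixable_by_gpo": fail_gpo,
        "fail_needs_other_remediation": fail_other,
        "needs_manual_review": manual,
        "score_percent": score,
    }
```

Calling `summarize(parse_rule_results(SAMPLE_RESULT))` on the constructed result yields a 25.0% score with two GPO-fixable failures, one failure needing other remediation and two rules for manual review.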

By addressing known configuration and software patch vulnerabilities, organizations go a long way in reducing risk, as “over 90% of cyber attacks exploit known security flaws for which a remediation is available”.[15]

[8] Gartner, Inc. Peter Firstbrook, Securing the Endpoint in 20�8
[9] Information Technology Infrastructure Library
[10] Control Objectives for Information and related Technology
[11] Network World, “Change control minimizes outages” by Jay Vaishnav
[12] http://blogs.technet.com/fdcc/archive/2007/12/24/set-lgpo-utility-to-apply-settings-to-local-group-policy.aspx
[13] For example Vista’s control of the IPv6 tunneling protocols is not managed through GPOs.
[14] NIST’s FDCC FAQ.
[15] Gartner, Inc.


How Lumension Helps

Lumension’s solution portfolio addresses FDCC compliance challenges by delivering a certified FDCC Scanner module integrated within a complete vulnerability management solution to provide FDCC compliance tools easily deployable by government agencies or government software providers. Lumension meets FDCC compliance needs through:

» An SCAP Validated FDCC Scanner and Authenticated Configuration Scanner solution to assess and determine compliance of targeted systems
» Flexible content creation tools facilitating script driven configuration remediation
» Extensive software vulnerability assessment capabilities and comprehensive reporting facilitated through agent-based, real-time status communication
» Vulnerability remediation seamlessly integrated with the assessment solution to provide a complete full cycle vulnerability management solution


[Figure: FDCC XML Checklist mapped to Lumension Solution. The NIST FDCC content is organized as five checklist bundles, winxp, xpfirewall, winvista, vistafirewall and ie7; each bundle contains cpe-dictionary, cpe-oval, oval and xccdf files, and the winxp, winvista and ie7 bundles also contain a patches file.]

Lumension Solution

Lumension® Security Configuration Management provides organizations with a superior solution for their SCAP-validated FDCC scanner needs. Lumension Security Configuration Management demonstrates great flexibility in its ability to meet a variety of architectural and organizational constraints by providing both a network-based (agent-less) as well as an agent-based FDCC scanning solution. Lumension Security Configuration Management is highly scalable and allows the assessment and review of configuration results from multiple remote engines utilizing a single console. Further, the SCAP compliance assessment results may be exported to the NIST-specified Extensible Configuration Checklist Description Format (XCCDF), facilitating seamless reporting. Operations are facilitated through the Policy Compliance Dashboard which provides the capability to view compliance status and identify issues across the entire network.

For those private organizations wishing to adapt FDCC to create baseline policy, Lumension Security Configuration Management offers the ability to define, edit and import/export security configuration policies which utilize the well-defined SCAP standards in addition to the NIST issued FDCC XML checklists.

Lumension® Content Wizard also provides a mechanism to address the small number of FDCC configuration items which are impossible to manage through GPOs, providing a more complete FDCC compliance solution.

An organization may gain insight into its compliance efforts over time by utilizing Lumension Reporting and Compliance, which provides composite views through compilations such as the Compliance Trend Report.


In addition to leveraging Lumension Security Configuration Management to identify software version mismatches against FDCC requirements, Lumension® Patch and Remediation provides intelligent patch and remediation to address the patch deficiencies. This integrated capability reduces risk and brings systems into a state of compliance without the need for additional software solutions. This same solution can also solve other IT operational and secure development lifecycle issues through Lumension Content Wizard, which supplies agile custom patch creation capabilities allowing an organization to address third party or in-house developed application vulnerabilities.

Lumension Reporting and Compliance enables comprehensive reporting which encompasses the FDCC vulnerabilities and further provides a holistic view of network-wide risk across diverse distributed systems.



Compliance Timeline

The initial deadline for government agency reporting under FDCC was March 31, 2008. The only ongoing FDCC reporting requirement is dictated by the standard FISMA reporting guidance, which specifies that each agency:

“Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:

» Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No.
» New Federal Acquisition Regulation 2007-004 language, which modified “Part 39—Acquisition of Information Technology,” is included in all contracts related to common security settings. Yes or No.
» All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No.”[16]

The acquisition regulation language thereby leaves IT application vendors with a continuing need to certify their applications as FDCC compliant.

Financial Implications

FDCC financial penalties for individual federal government agencies represent an inefficient cycle which would simply shuffle funds from one federal coffer to another. To date, several agencies have been slow to adopt or meet the FDCC guidelines. The financial implications of non-compliance for the US government and its citizens arise from a potentially greater risk of sensitive data leakage.

For software providers wishing to do business with federal agencies, the implications of FDCC compliance will be governed by the terms of the individually negotiated contracts and by the risk to the provider’s business itself.

[16] OMB Memorandum M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management”


About Lumension

Lumension, a global leader in operational endpoint security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets.

Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year.

Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Virginia, Florida, Luxembourg, the United Kingdom, Spain, Australia, India, Hong Kong and Singapore. Lumension: IT Secured. Success Optimized. More information can be found at www.lumension.com.

Global Headquarters

15580 N. Greenway-Hayden Loop, Suite 100

Scottsdale, AZ 85260 USA

phone: +1.888.725.7828

fax: +1.480.970.6323

www.lumension.com

Vulnerability Management | Endpoint Protection | Data Protection | Reporting and Compliance

Additional Research

» Podcast - Endpoint Security Best Practices for Complying with FDCC Standards
» Whitepaper - FDCC: Achieving Compliance with the Lowest Total Cost of Ownership
» Key Steps to Ensuring FDCC Compliance
