May 2009
Achieving Federal Desktop Core Configuration Compliance with Lumension® Solutions
WP-EN-05-28-09
What Is It

The Federal Desktop Core Configuration (FDCC) is an Office of Management and Budget (OMB) mandated security configuration set applicable within United States Federal Government agencies. Private enterprises may also choose to utilize this established framework as a foundation for their own security configuration baselines. The FDCC guidelines were developed at the United States National Institute of Standards and Technology (NIST), based on collaborative work with the Department of Homeland Security (DHS), Defense Information Systems Agency (DISA), National Security Agency (NSA), United States Air Force (USAF) and Microsoft.

Current FDCC specifications exist for the Microsoft Windows XP and Microsoft Windows Vista[1] operating systems. The idea for FDCC was originally introduced in March 2007 in OMB Memorandum 07-11, “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”. The goal was to “improve information security and reduce overall IT operating costs”[2] for all general-purpose, managed desktops and laptops running Vista or XP. Systems used intermittently on an agency’s network or employed by government contractors are within FDCC’s scope. Embedded computers, specialized scientific systems, process control machines and server systems are outside the FDCC’s coverage.

In June 2007, OMB Memorandum 07-18, and later 48 Code of Federal Regulations (CFR) Part 39, detailed the application of the FDCC to government IT purchases: “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s Web site…”[3]

NIST maintains the FDCC configuration checklists in addition to supplying FDCC reporting and compliance guidance. These checklists are Extensible Markup Language (XML) documents which use the Security Content Automation Protocol (SCAP) format to express the individual FDCC requirements. SCAP incorporates six open security standards[4] and defines how these standards are combined to “enable automated vulnerability management, measurement, and policy compliance”.[5] NIST also provides SCAP test procedures, written in Open Vulnerability and Assessment Language (OVAL), for use in tandem with the SCAP checklists.

OMB Memorandum M-08-22, “Guidance on the Federal Desktop Core Configuration (FDCC)”, highlights the pivotal role of SCAP in validation. M-08-22 dictates that “validated tools with FDCC Scanner capability”[6] be used to certify FDCC compliance of IT products.
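As an added example (not code from the Lumension whitepaper or from NIST’s FDCC content), the following Python walks an XCCDF checklist of the kind described above: it maps each selected rule to its CCE identifier and the OVAL definition that checks it, then tallies a scan’s rule results so that every failing item is reported by the CCE that names the setting to fix. The XML is a constructed fragment in the XCCDF 1.1 layout that FDCC content used; the rule ids, CCE numbers and OVAL definition names are placeholders, not real FDCC identifiers.

```python
# Added example for this page (not Lumension or NIST code): walk an XCCDF 1.1
# checklist, map each selected rule to its CCE and OVAL references, then tally
# a TestResult.  The XML is constructed; ids and CCE numbers are placeholders.
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"  # namespace used by FDCC content
CCE_SYSTEM = "http://cce.mitre.org"             # <ident system=...> for CCE ids
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample: two selected rules, one deselected rule, one scan result.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Group id="account-logon">
    <title>Account, Logon, and User Policy</title>
    <Rule id="lockout-threshold" selected="1">
      <title>Account lockout threshold</title>
      <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/></check>
    </Rule>
    <Rule id="require-ctrl-alt-del" selected="1">
      <title>Interactive logon: require CTRL+ALT+DEL</title>
      <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-2</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="sample-oval.xml" name="oval:sample:def:2"/></check>
    </Rule>
    <Rule id="deselected-rule" selected="0">
      <title>Rule not selected for this baseline</title>
    </Rule>
  </Group>
  <TestResult id="scan-1">
    <rule-result idref="lockout-threshold"><result>pass</result></rule-result>
    <rule-result idref="require-ctrl-alt-del"><result>fail</result></rule-result>
    <rule-result idref="deselected-rule"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

def q(name):
    """Qualify an XCCDF element name with its namespace."""
    return f"{{{XCCDF}}}{name}"

def load_selected_rules(xml_text):
    """Map each selected <Rule> to its title, CCE identifier and OVAL reference."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter(q("Rule")):
        if rule.get("selected", "1") not in ("1", "true"):  # XCCDF default: selected
            continue
        cce = next((i.text for i in rule.findall(q("ident"))
                    if i.get("system") == CCE_SYSTEM), None)
        oval = None
        for check in rule.findall(q("check")):
            ref = check.find(q("check-content-ref"))
            if check.get("system") == OVAL_SYSTEM and ref is not None:
                oval = (ref.get("href"), ref.get("name"))  # OVAL file and definition id
        rules[rule.get("id")] = {"title": rule.findtext(q("title")), "cce": cce, "oval": oval}
    return rules

def summarize_results(xml_text, rules):
    """Tally <rule-result> outcomes for selected rules; return (counts, failing
    CCEs, pass %).  The % is pass/(pass+fail), not the XCCDF default scoring model."""
    counts, failing = {}, []
    for rr in ET.fromstring(xml_text).iter(q("rule-result")):
        rid = rr.get("idref")
        if rid not in rules:  # deselected or unknown rules are not scored
            continue
        outcome = rr.findtext(q("result"))
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome == "fail":
            failing.append(rules[rid]["cce"])  # the CCE names the setting to remediate
    scored = counts.get("pass", 0) + counts.get("fail", 0)
    pct = 100.0 * counts.get("pass", 0) / scored if scored else 0.0
    return counts, failing, pct

if __name__ == "__main__":
    selected = load_selected_rules(BENCHMARK_XML)
    print(summarize_results(BENCHMARK_XML, selected))
```

Real FDCC content carries hundreds of rules and a Profile that selects them; the same two functions apply unchanged once the selected-rule filter is driven from that Profile instead of the per-rule attribute.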
1. XP Professional with Service Pack SP 2 or SP 3. Vista Business, Vista Enterprise, and Vista Ultimate with SP 1.
2. OMB Memorandum 07-11: “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems”
3. 48 CFR Part 39, revised February 28, 2008
4. The six standards are: Common Vulnerabilities and Exposures (CVE®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Common Vulnerability Scoring System (CVSS), Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL™)
5. “SCAP”, NIST Security Content Automation Protocol Version 1.0 Beta document
6. The certification of a particular vendor’s SCAP-based FDCC Scanner capability is performed by independent laboratories accredited by NIST.
Who Has To Comply

All federal agencies that utilize or plan an upgrade to either Windows XP or Vista must report compliance. Exceptions to FDCC configuration guidance may be approved by the specific department or agency accrediting authority.

The OMB acquisition guidance extended the reach of FDCC to information system providers, who must ensure and certify that supplied systems operate effectively using the common security configurations. Application vendors, in particular, must ensure that their products do not alter the required security configurations. Each government application provider must self-assert which versions of its software are compatible with the FDCC requirements, and each federal CIO must ensure that this self-assertion is completed by the relevant application providers.

Both private industry and government entities must use SCAP-validated tools with FDCC Scanner capabilities throughout their certification process. Federal Information Security Management Act (FISMA) guidance[7] specifies the continued use of FDCC Scanners and FDCC compliance attestation by agencies to satisfy FISMA’s ongoing monitoring requirement.

What Are the Standards

The FDCC XML checklists detail security concerns identified by Common Vulnerabilities and Exposures (CVE), which may be resolved by patching, and those specified by Common Configuration Enumeration (CCE), which may be resolved by configuration setting.

The FDCC-specific configuration requirements are generally based on the “Principle of Least Privilege”, restricting user and machine rights.

In addition to the operating system coverage, the FDCC configuration standards extend to Windows Internet Explorer, Windows Firewall and Windows Defender. Use of these specific applications, however, is not explicitly required. If they are not used, the guidance is that the FDCC settings be applied equivalently to the alternative applications.

The FDCC v1.2.1.0 configuration guidance may be grouped into several categories, each addressing a different area of security. The following table highlights these high-level categories and a representative, though not complete, set of configuration items.

7. OMB Memorandum M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management”
Account, Logon, and User Policy
» Account Lockout
  • Account lockout duration and threshold
» Password
  • Minimum password age and length
  • Password complexity
» Power Management
  • Password prompt on resume from hibernate / suspend
» Account Configurations
  • Rename administrator and guest account
» User Account Control
  • Behavior of the elevation prompt for administrators in Admin Approval Mode
  • Elevation of signed and validated executables
» User Rights Assignment
  • Back up files and directories
  • System time and time zone change
  • Take ownership of files / objects
» Interactive Logon
  • Require CTRL+ALT+DELETE
  • Require smart card
» System Logon
» Control Panel / Display
  • Screen saver password protect and timeout

Event, Audit and Log Policy
» Audit Policy
  • Directory service and object access
  • Privilege use
  • Process tracking
» Audit Configurations
  • Audit the access of global system objects
  • Audit the use of Backup and Restore privilege
  • Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  • Shut down system immediately if unable to log security audits
» Event Log
  • Maximum application, security and system log size
  • Retention method for application, security and system log
» Event Log Service\System
  • Maximum Application, Setup and System Log Size (KB)
» Error Reporting
» Vista Audit Policy
  • 47 individual control settings

Domain Policy
» Domain controller
  • Allow server operators to schedule tasks
  • LDAP server signing requirements
  • Digitally encrypt / sign secure channel data
» Domain member
  • Maximum machine account password age
  • Require strong (Windows 2000 or later) session key
» Group Policy
  • Internet Explorer Maintenance policy processing
  • Registry policy processing

System Services and Components
» Service control over the use and instantiation of services such as Background Intelligent Transfer Service (BITS), Messenger, Remote Access Connection Manager, Terminal Services, Wireless Zero Configuration and WLAN AutoConfig
» Internet Information Services
  • IIS installation
» Windows Components
  • Heap termination on corruption behavior
  • Prevent Automatic Updates
  • Prevent Desktop Shortcut Creation
  • Turn Off User Installed Windows Sidebar Gadgets
  • Notify antivirus programs when opening attachments
» Component Updates

Network Security
» IPv6 tunneling
  • Disable ISATAP, Teredo, and IPv6 to IPv4 tunneling protocols
» Microsoft network client
  • Digitally sign communications
» Microsoft network server
  • Idle time before session suspension
  • Digitally sign communications
  • Disconnect clients when logon hours expire
» Protocol Behavior
  • Automatic detection of MTU size (possible DoS by an attacker using a small MTU)
  • Computer visibility from the browse list
  • SYN attack protection level (protects against DoS)
  • SYN-ACK retransmissions when a connection request is not acknowledged
» Network access
  • Anonymous SID/Name translation
  • Credential storage or .NET Passports for network authentication
  • Remotely accessible registry paths
» Network Security
  • LAN Manager hash value storage on next password change
  • Logoff when logon hours expire
  • LAN Manager authentication level
  • LDAP client signing requirements
  • Minimum session security for NTLM SSP based clients and servers
» Kerberos Policy
» Link-Layer Topology Discovery
» Microsoft Peer-to-Peer Networking Services
» Network Sharing
  • Prevent users from sharing files within their profile
» Network Connections
  • Prohibit use of Internet Connection Firewall and Sharing on your DNS domain network
» Windows Connect Now

Internet Explorer
» Automation Settings
  • AutoComplete for forms
  • Automatic Install of IE components
  • Do not allow users to enable or disable add-ons
» Security Zones
  • Do not allow users to add/delete sites
  • Do not allow users to change policies
» Browsing History
» Internet Control Panel
» Software Signatures
  • Check for signatures on downloaded programs
» ActiveX controls
  • Download signed ActiveX controls
» Java permissions
  • Scripting of Java applets
» Scripting
  • Allow cut, copy or paste operations from the clipboard via script
  • Allow script-initiated windows without size or position constraints
» .NET
  • Run .NET Framework-reliant components signed with Authenticode
» General Security Features
  • User data persistence
  • Disable external branding of Internet Explorer
  • Allow third-party browser extensions
  • Allow installation of desktop items
  • Automatic prompting for file downloads
  • Launching applications and files in an IFRAME
  • Loose or un-compiled XAML files
  • Open files based on content, not file extension

Windows Firewall
» Protocol configuration
  • ICMP exceptions
  • Local port exceptions
  • Protect all network connections
  • Unicast response to multicast or broadcast requests
  • IPv6: block Protocol 41
  • IPv6: block UDP 3544
» Logging
  • Log dropped packets
  • Log successful connections
» File and printer sharing

System Security Options
» DCOM
» Recovery console
» Shutdown
  • Clear virtual memory pagefile
» System Cryptography
  • Strong key protection for user keys stored on the computer
  • FIPS compliant algorithms for encryption, hashing, and signing
» System objects
  • Default owner for objects created by Administrators group members
  • Strengthen default permissions of internal system objects
» System settings
  • Use Certificate Rules on Windows Executables for Software Restriction Policies
» ActiveX Installer Service
  • Approved Installation Sites for ActiveX Controls

Internet Communication
» Printing
  • Downloading of print drivers over HTTP
  • Printing over HTTP
» Remote Assistance
  • Offer Remote Assistance
  • Solicited Remote Assistance
  • Turn on session logging
» Remote Procedure Call
» Credential User Interface
  • Enumerate administrator accounts on elevation
» Digital Locker
  • Do not allow Digital Locker to run
» Game Explorer
  • Turn off downloading of game information
» Internet Help Experience
» NetMeeting
  • Disable remote Desktop Sharing
» Online Assistance
  • Turn off Untrusted Content
» RSS Feeds

System Device Control
» Device Installation
  • System restore point creation when a new device driver is installed
  • Windows Error Report upon generic driver installation
» Device Configurations
  • Allow undock without having to log on
  • Format and eject removable media
  • Users’ printer driver installation permission
  • Floppy and CD-ROM access to locally logged-on user only
  • Unsigned driver installation behavior
» AutoPlay Policies
  • Turn off Autoplay
» System
  • Turn off Windows Update device driver search prompt
The Challenges of Compliance

Vulnerability Management

The NIST-supplied FDCC Major Version 1.2.x SCAP content includes three patch-related XML files, for Windows XP, Vista and Internet Explorer. Addressing known vulnerabilities in an interconnected world where point-and-click exploit frameworks, such as Metasploit, exist is a prudent security practice. Full lifecycle vulnerability management should be a foundation for any organization to help prevent the spread of malware, which is believed to be growing at almost 600% annually and accelerating according to Gartner.[8]

Change Control

Change management is a well-known IT concern and its importance is underscored by its presence within the ITIL[9] and COBIT[10] frameworks. Further, “Research has shown that as much as 80% of system unavailability is caused by incorrectly applied change. This includes changes made at unauthorized times or without approved change tickets, and can also include approved changes that are not properly executed.”[11]

Agencies are responsible for ensuring continuing compliance as systems change over time, per the reporting requirements of FISMA. As new computing platforms are introduced or new vendor applications are incorporated into each agency’s network, processes and policies must be in place to guarantee ongoing FDCC compliance.

System Security Management

Assessment, facilitated through the use of FDCC scanners, to detect variance between the FDCC standards and the actual system configuration is only a portion of the compliance process. NIST’s FDCC technical website maintains several tools to help agencies not only detect but maintain compliant systems. These include SCAP content files, Microsoft Virtual Hard Disk (VHD) images and Group Policy Object (GPO) files. Group Policy provides an excellent mechanism for ensuring the majority of FDCC settings align to the managed system requirements for many deployment scenarios. Microsoft has also published a tool which allows the NIST-supplied GPOs to be applied to the local group policy of a machine, for stand-alone systems.[12]

There are a small number of settings, however, for which SCAP content does not exist or which cannot be implemented through GPOs.[13] Additionally, the FDCC settings include machine as well as user settings, and “it’s exceedingly difficult to determine whether user settings... are configured correctly” by automated scanners.[14] Agencies and software providers must be certain to account for these considerations in their compliance efforts.

By addressing known configuration and software patch vulnerabilities, organizations go a long way in reducing risk, as “over 90% of cyber attacks exploit known security flaws for which a remediation is available”.[15]
8. Gartner, Inc., Peter Firstbrook, Securing the Endpoint in 2018
9. Information Technology Infrastructure Library
10. Control Objectives for Information and related Technology
11. Network World, “Change control minimizes outages” by Jay Vaishnav
12. http://blogs.technet.com/fdcc/archive/2007/12/24/set-lgpo-utility-to-apply-settings-to-local-group-policy.aspx
13. For example, Vista’s control of the IPv6 tunneling protocols is not managed through GPOs.
14. NIST’s FDCC FAQ.
15. Gartner, Inc.
How Lumension Helps

Lumension’s solution portfolio addresses FDCC compliance challenges by delivering a certified FDCC Scanner module integrated within a complete vulnerability management solution, providing FDCC compliance tools easily deployable by government agencies or government software providers. Lumension meets FDCC compliance needs through:

» An SCAP-validated FDCC Scanner and Authenticated Configuration Scanner solution to assess and determine compliance of targeted systems
» Flexible content creation tools facilitating script-driven configuration remediation
» Extensive software vulnerability assessment capabilities and comprehensive reporting, facilitated through agent-based, real-time status communication
» Vulnerability remediation seamlessly integrated with the assessment solution to provide a complete full-cycle vulnerability management solution
[Figure: FDCC XML Checklist content consumed by the Lumension Solution. The winxp, winvista and ie7 checklists each comprise cpe-dictionary, cpe-oval, oval, patches and xccdf files; the xpfirewall and vistafirewall checklists comprise cpe-dictionary, cpe-oval, oval and xccdf files.]
Lumension® Security Configuration Management provides organizations with a superior solution for their SCAP-validated FDCC scanner needs. Lumension Security Configuration Management demonstrates great flexibility in its ability to meet a variety of architectural and organizational constraints by providing both a network-based (agent-less) and an agent-based FDCC scanning solution.

Lumension Security Configuration Management is highly scalable and allows the assessment and review of configuration results from multiple remote engines using a single console. Further, the SCAP compliance assessment results may be exported to the NIST-specified Extensible Configuration Checklist Description Format (XCCDF), facilitating seamless reporting. Operations are facilitated through the Policy Compliance Dashboard, which provides the capability to view compliance status and identify issues across the entire network.

For those private organizations wishing to adapt FDCC to create baseline policy, Lumension Security Configuration Management offers the ability to define, edit and import/export security configuration policies which use the well-defined SCAP standards in addition to the NIST-issued FDCC XML checklists.

Lumension® Content Wizard also provides a mechanism to address the small number of FDCC configuration items which are impossible to manage through GPOs, providing a more complete FDCC compliance solution.

An organization may gain insight into its compliance efforts over time by using Lumension Reporting and Compliance, which provides composite views through compilations such as the Compliance Trend Report.
[Figure: the patches files of the winxp, winvista and ie7 FDCC XML checklists, as consumed by Lumension® Vulnerability Management and Lumension® Reporting and Compliance.]
In addition to leveraging Lumension Security Configuration Management to identify software versions that do not match FDCC requirements, Lumension® Patch and Remediation provides intelligent patch and remediation to address the patch deficiencies. This integrated capability reduces risk and brings systems into a state of compliance without the need for additional software solutions. This same solution can also solve other IT operational and secure development lifecycle issues through Lumension Content Wizard, which supplies agile custom patch creation capabilities allowing an organization to address third-party or in-house developed application vulnerabilities.

Lumension Reporting and Compliance enables comprehensive reporting which encompasses the FDCC vulnerabilities and further provides a holistic view of network-wide risk across diverse distributed systems.
Compliance Timeline

The initial deadline for government agency reporting under FDCC was March 31, 2008. The only ongoing FDCC reporting requirement is dictated by the standard FISMA reporting guidance, which specifies that each agency:

“Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:
» Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No.
» New Federal Acquisition Regulation 2007-004 language, which modified “Part 39—Acquisition of Information Technology,” is included in all contracts related to common security settings. Yes or No.[16]
» All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No.”

The acquisition regulation language thereby continues to require IT application vendors to certify their applications as FDCC compliant.
Financial Implications

FDCC financial penalties for individual federal government agencies would represent an inefficient cycle which simply shuffles funds from one federal coffer to another. To date, several agencies have been slow to adopt or meet the FDCC guidelines. The financial implications of non-compliance for the US government and its citizens arise from a potentially greater risk of sensitive data leakage.

For software providers wishing to do business with federal agencies, the implications of FDCC compliance are set by the terms of the individually negotiated contracts and by the risk to the provider’s own business.

16. OMB Memorandum M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management”
About Lumension

Lumension, a global leader in operational endpoint security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets.

Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year.

Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Virginia, Florida, Luxembourg, the United Kingdom, Spain, Australia, India, Hong Kong and Singapore. Lumension: IT Secured. Success Optimized. More information can be found at www.lumension.com.

Global Headquarters
15580 N. Greenway-Hayden Loop, Suite 100
Scottsdale, AZ 85260 USA
phone: +1.888.725.7828
fax: +1.480.970.6323
www.lumension.com
Vulnerability Management | Endpoint Protection | Data Protection | Reporting and Compliance