
Achieving Federal Desktop Core Configuration Compliance with Lumension Solutions


May 2009
WP-EN-05-28-09

What Is It

The Federal Desktop Core Configuration (FDCC) is an Office of Management and Budget (OMB) mandated security configuration set applicable within United States Federal Government agencies. Private enterprises may also choose to utilize this established framework as a foundation for their own security configuration baselines. These FDCC guidelines were developed at the United States National Institute of Standards and Technology (NIST), based on collaborative work with the Department of Homeland Security (DHS), Defense Information Security Agency (DISA), National Security Agency (NSA), United States Air Force (USAF) and FDCC specifications exist for the Microsoft Windows XP and the Microsoft Windows Vista [1] operating systems.

The idea for FDCC was originally introduced in March 2007 in OMB Memorandum 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems. The goal was to improve information security and reduce overall IT operating costs [2] for all general-purpose, managed desktops and laptops utilizing Vista or XP. Systems utilized intermittently on an agency's network or employed by government contractors are within FDCC's scope. Outside of the FDCC's coverage are embedded computers, specialized scientific systems, machines for process control as well as servers. In the June 2007 OMB Memorandum 07-18, and later in 48 Code of Federal Regulations (CFR) Part 39, the application of the FDCC to government IT purchases was detailed: "In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's Web site." [3] NIST maintains the FDCC configuration checklists in addition to supplying FDCC reporting and compliance guidance.

These checklists are Extensible Markup Language (XML) documents which utilize the Security Content Automation Protocol (SCAP) format to express the individual FDCC requirements. SCAP incorporates six open security standards [4] and defines how these standards are combined to enable automated vulnerability management, measurement, and policy compliance. [5] NIST also provides SCAP test procedures, written in Open Vulnerability and Assessment Language (OVAL), for use in tandem with the SCAP checklists. OMB Memorandum M-08-22, Guidance on the Federal Desktop Core Configuration (FDCC), highlights the pivotal role of SCAP in validation. M-08-22 dictates that validated tools with FDCC Scanner capability [6] be utilized to certify FDCC compliance of IT products.

[1] XP Professional with Service Pack SP 2 or SP 3. Vista Business, Vista Enterprise, and Vista Ultimate with SP .
[2] OMB Memorandum 07-11: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
[3] 48 CFR Part 39, revised February 28, 2008
[4] The six standards are: Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL)
[5] SCAP, NIST Secure Content Automation Protocol Version .0 Beta document
[6] The certification of a particular vendor's SCAP-based FDCC Scanner capability is performed by independent laboratories accredited by the NIST.
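To make the SCAP checklist mechanism above concrete, here is an added example (not code from Lumension or NIST) that parses a constructed XCCDF 1.1 benchmark together with a scanner's TestResult, ties each rule-result back to its CCE identifier, and computes a simplified version of the XCCDF default weighted score; the rule ids, CCE numbers, weights and results are all made up for the example.

```python
"""Summarise a constructed SCAP/XCCDF 1.1 benchmark plus TestResult by CCE id.
Example for this page, not Lumension's or NIST's code; the XML is a hand-made
stand-in for an FDCC scanner result, not real checklist content."""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # XCCDF 1.1 namespace
CCE = "http://cce.mitre.org"  # ident system used for CCE identifiers
# Results the XCCDF default scoring model leaves out of the score entirely.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="fdcc-sample">
  <Rule id="min-pw-length" weight="10.0">
    <title>Minimum password length</title>
    <ident system="http://cce.mitre.org">CCE-0000-1</ident>
  </Rule>
  <Rule id="lockout-threshold" weight="10.0">
    <title>Account lockout threshold</title>
    <ident system="http://cce.mitre.org">CCE-0000-2</ident>
  </Rule>
  <Rule id="ctrl-alt-del" weight="5.0">
    <title>Interactive logon: require CTRL+ALT+DEL</title>
    <ident system="http://cce.mitre.org">CCE-0000-3</ident>
  </Rule>
  <TestResult id="scan-1">
    <rule-result idref="min-pw-length"><result>pass</result></rule-result>
    <rule-result idref="lockout-threshold"><result>fail</result></rule-result>
    <rule-result idref="ctrl-alt-del"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>"""

def summarise(xml_text):
    """Return (per-rule rows, weighted pass score 0..100) for the TestResult."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.findall("x:Rule", NS):  # index rule metadata by rule id
        ident = rule.find("x:ident", NS)
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", "", NS),
            "cce": ident.text if ident is not None and ident.get("system") == CCE else None,
            "weight": float(rule.get("weight", "1.0")),
        }
    rows, earned, possible = [], 0.0, 0.0
    for rr in root.find("x:TestResult", NS).findall("x:rule-result", NS):
        info = rules[rr.get("idref")]
        result = rr.findtext("x:result", "unknown", NS)
        rows.append({"cce": info["cce"], "title": info["title"], "result": result})
        if result not in UNSCORED:  # pass earns the rule's weight, anything else 0
            possible += info["weight"]
            earned += info["weight"] if result == "pass" else 0.0
    return rows, (round(100.0 * earned / possible, 1) if possible else 0.0)

def failing_cces(xml_text):
    """CCE ids an FDCC compliance report must list as open findings."""
    return [r["cce"] for r in summarise(xml_text)[0] if r["result"] == "fail"]
```

On the constructed sample the lockout rule fails, the CTRL+ALT+DEL rule is not checked and so does not count, and the score comes out at 50.0.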

Who Has To Comply

All Federal agencies that utilize or plan an upgrade to either Windows XP or Vista must report compliance. Exceptions to FDCC configuration guidance may be approved by the specific department or agency accrediting authority. The OMB acquisition guidance extended the reach of FDCC to information system providers to ensure and certify that supplied systems operate effectively using the common security configurations. Application vendors, in particular, must ensure that their products do not alter the required security configurations. The government application provider must self-assert the versions of their software which are compatible with the FDCC requirements.

Each individual Federal CIO must ensure that this self-assertion is completed by the relevant application providers. Both private industry and government entities must utilize SCAP-validated tools with FDCC Scanner capabilities throughout their certification process. Federal Information Security Management Act (FISMA) guidance [7] specifies the continued use of FDCC Scanners and FDCC compliance attestation by agencies to comply with FISMA's ongoing monitoring requirement.

What Are the Standards

The FDCC XML checklists detail security concerns identified by Common Vulnerabilities and Exposures (CVE), which may be resolved by patching, and those specified by Common Configuration Enumeration (CCE), which may be resolved by configuration setting.

The FDCC-specific configuration requirements are generally based on the Principle of Least Privilege, restricting user and machine rights. In addition to the operating system coverage, the FDCC configuration standards extend to Windows Internet Explorer, Windows Firewall and Windows Defender. These specific applications, however, are not explicitly required. If these applications are not utilized, the guidance is that the FDCC settings be leveraged and equivalently extended to the alternative applications. FDCC configuration guidance may be grouped into several categories, each addressing a different area of security. The following table highlights these high-level categories and a representative, though not complete, set of configuration items.

[7] OMB Memorandum M-08-2 , FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

Account, Logon, and User Policy
  Account Lockout
    - Account lockout duration and threshold
  Password
    - Minimum password age and length
    - Password complexity
  Power Management
    - Password prompt on resume from hibernate / suspend
  Account Configurations
    - Rename administrator and guest account
  User Account Control
    - Behavior of the elevation prompt for administrators in Admin Approval Mode
    - Elevation of signed and validated executables
  User Rights Assignment
    - Backup files and directories
    - System time and time zone change
    - Take ownership of files / objects
  Interactive Logon
    - Require CTRL+ALT+DELETE
    - Require smart card
  System Logon / Control Panel / Display
    - Screen Saver password protect and timeout

Event, Audit and Log Policy
  Audit Policy
    - Directory service and object access
    - Privilege use
    - Process tracking
  Audit Configurations
    - Audit the access of global system objects
    - Audit the use of Backup and Restore privilege
    - Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
    - Shut down system immediately if unable to log security audits
  Event Log
    - Maximum application, security and system log size
    - Retention method for application, security and system log
  Event Log Service\System
    - Maximum Application, Setup and System Log Size (KB)
  Error Reporting
  Vista Audit Policy
    - 47 individual control settings

Domain Policy
  Domain controller
    - Allow server operators to schedule tasks
    - LDAP server signing requirements
    - Digitally encrypt / sign secure channel data
  Domain member
    - Maximum machine account password age
    - Require strong (Windows 2000 or later) session key
  Group Policy
    - Internet Explorer Maintenance policy processing
    - Registry policy processing

System Services and Components
  Service control over the use and instantiation of services such as Background Intelligent Transfer Service (BITS) [10], Messenger, Remote Access Connection Manager, Terminal Services, Wireless Zero Configuration and WLAN Information Services
  IIS installation
  Windows Components
    - Heap termination on corruption behavior
    - Prevent Automatic Updates
    - Prevent Desktop Shortcut Creation
    - Turn Off User Installed Windows Sidebar Gadgets
    - Notify antivirus programs when opening attachments
  Component Updates

Network Security
  IPv6 tunneling
    - Disable ISATAP, Teredo, and IPv6 to IPv4 tunneling protocols
  Microsoft network client
    - Digitally sign communications
  Microsoft network server
    - Idle time before session suspension
    - Digitally sign communications
    - Disconnect clients when logon hours expire
  Protocol Behavior
    - Automatic detection of MTU size (possible DoS by an attacker using a small MTU)
    - Computer visibility from the browse list
    - SYN attack protection level (protects against DoS)
    - SYN-ACK retransmissions when a connection request is not acknowledged
  Network access
    - Anonymous SID/Name translation
    - Credential storage or

Internet Explorer
