Federal Desktop Core Configuration

From HandWiki

The Federal Desktop Core Configuration is a list of security settings recommended by the National Institute of Standards and Technology for general-purpose microcomputers that are connected directly to the network of a United States government agency.

The FDCC is an agreed-upon list of common core Microsoft Windows operating system functions, applications, files, and services whose configuration is changed, and around which a framework for a more secure and security-reliable MS Windows operating system was created. The standards were then made mandatory for every federal government computer effective 1 Feb 2008. Any system connecting to a federal office computer network had to meet or exceed the FDCC standard or it was denied access.

FDCC applied only to Windows XP and Vista desktop and laptop computers and was replaced by the United States Government Configuration Baseline (USGCB), which included settings for Windows 7 and Red Hat Enterprise Linux 5.

For Windows 7, the NIST changed the naming convention to the US Government Computer Baseline (USGCB ver 2.0). In addition to un-classifying a general Windows settings guide, the NIST also publishes guides specifically for Windows Firewall, Internet Explorer, and a guide (Vista-Energy, for example) created to capture settings that adhere to energy conservation policies.

History

On 20 March 2007, the Office of Management and Budget issued a memorandum instructing United States government agencies to develop plans for using the Microsoft Windows XP and Vista security configurations.[1][2] The United States Air Force common security configurations for Windows XP were proposed as an early model on which standards could be developed.[2]

The FDCC baseline was developed (and is maintained) by the National Institute of Standards and Technology in collaboration with OMB, DHS, DOI, DISA, NSA, United States Air Force and Microsoft,[2] with input from public comment.[3] It applies to Windows XP Professional and Vista systems only—these security policies are not tested (and according to the NIST, will not work) on Windows 9x/ME/NT/2000 or Windows Server 2003.[3]

Major Version 1.1 (released 31 October 2008) had no new or changed settings, but expanded SCAP reporting options.[3] As with all previous versions, the standard is applicable to general-purpose workstations and laptops for end users. Windows XP and Vista systems in use as servers are exempt from this standard. Also exempt are embedded computers and "special purpose" systems (defined as specialized scientific, medical, process control, and experimental systems), though NIST still recommends that FDCC security configuration be considered "where feasible and appropriate".[4]

The FDCC settings, generally speaking, block open connections in operating systems, disable functions, disable applications that are rarely used in the SOHO environment, disable unnecessary services, change permissions on items, change the way log files are collected and recorded, affect Group Policy Object (GPO) settings, and alter entries in the Windows system registry.

InfoWeek introduced the FDCC, mostly to administrators and engineers, with the article titled "The Feds Don't Allow It. Should You?", written by Kelly Jackson Higgins of DarkReading.com and published on 4 February 2008.

Due to the complexity of the guidelines, the response was initially slow. Implementation took time while the settings were researched internally by both government and enterprise implementation technicians. The NIST and the NSA published guidelines running to hundreds of pages and introduced what they called SCAP files for applications (see the Wikipedia SCAP page).

The Windows platform was built for easy interoperability and networking, and therefore left opportunities within the operating systems for all types of automatic and semi-automatic connections to other computers. These were not flaws or programming mistakes; the platform was purposefully built that way. An example is the Windows Remote Connection program, which is enabled by default after a typical Windows operating system installation. The FDCC/USGCB configuration reverses that setting, so that remote connections have to be manually re-enabled before they are allowed.

Requirements

Organizations required to document FDCC compliance can do so by using SCAP tools.

There are 600+ settings in the average FDCC/USGCB document, but not all of them are usable for the average small or home office (SOHO) computer. FDCC Major Version 1.0, released on 20 June 2008, specifies 674 settings.[3] One example is that "all wireless interfaces should be disabled".[5] In recognition that not all recommended settings will be practical for every system, exceptions (such as "authorized enterprise wireless networks") can be made if documented in an FDCC deviation report.[2][5]

Strict implementation of all of the recommended settings has been known to cause usability issues. The NIST publishes a list of known issues at https://usgcb.nist.gov/usgcb/microsoft_content.html. A few third-party software vendors have emerged that claim to have tested the settings in a SOHO environment; however, at this time, the general public remains relatively unaware of the FDCC and USGCB security settings developed and put forward by the NIST.
