This frequently asked questions (FAQ) document addresses subjects associated with the March 2007 OMB-mandated Federal Desktop Core Configuration (FDCC). Topics include the FDCC, laboratory testing of the FDCC, agency testing of the FDCC, use of the SCAP to evaluate computers for FDCC compliance, deploying the FDCC, and reporting deviations to the FDCC. This FAQ should be considered an addition to the Managing Security Risks Using Common Configurations FAQ.
Federal Desktop Core Configuration

1. What is the Federal Desktop Core Configuration (FDCC)?

The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista and XP operating system software. While not addressed specifically as the "Federal Desktop Core Configuration," the FDCC was originally called for in a 22 March 2007 memorandum from OMB to all Federal agencies and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIO).

2. What operating systems have FDCC settings?

Currently, FDCC settings exist for Microsoft Windows XP Professional (Service Pack 2) and Microsoft Windows Vista Enterprise.

3. Where can I obtain security configuration information for operating systems other than Windows XP and Windows Vista?

In general, NIST suggests that Federal agencies use the NIST Special Publication (SP) guide if one exists for a specific operating system version. If such a guide is not available, Federal agencies should browse the NIST Checklists repository (checklists.nist.gov) to select a government-developed guide (such as one from the Defense Information Systems Agency or the National Security Agency) or a vendor's guide that could be used as a baseline. When such security configuration guides do not exist, Federal agencies may select guides from other trusted third parties. Regardless of which guide is selected, Federal agencies should document how their deployed information technology products are secured or deviate from the recommended checklists.

4. How was the FDCC created?

The Windows Vista FDCC is based on DoD customization of the Microsoft Security Guides for both Windows Vista and Internet Explorer 7.0. Microsoft's Vista Security Guide was produced through a collaborative effort with DISA, NSA, and NIST. The guide reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform.

The Windows XP FDCC is based on Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST SP 800-68 and DoD customization of the recommendations in Microsoft's Security Guide for Internet Explorer 7.0.

5. Is NIST endorsing or mandating the use of the Windows XP or Windows Vista operating systems, or requiring each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows XP or Vista operating systems, nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software for which NIST has not developed a publication, security configuration checklist, or virtual testing environment.

6. Is NIST working exclusively with Microsoft on baseline security settings?

No. NIST is currently working with a number of IT vendors on standardizing security settings for a wide variety of IT products and environments. NIST does this through the NIST Security Configuration Checklists Program for IT Products. The NIST process for creating, vetting, and making security checklists available for public use is documented in NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers. IT vendors that would like to standardize additional security settings with NIST should contact checklists@nist.gov.
FDCC Laboratory Testing

1. What was the objective of the recent NIST test effort?

In support of OMB and Federal organizations, NIST, with support from NSA, DISA, Microsoft, and third-party tool vendors, has performed extensive laboratory testing to verify adherence of the Virtual Hard Disk (VHD) files to the written FDCC policy.

2. What version of Microsoft Internet Explorer was tested?

Internet Explorer 7.0 was tested.

3. What if I use a browser other than Internet Explorer 7.0?

While settings for other browsers were not tested, Federal organizations are free to use other Web browser software instead of or in addition to Internet Explorer 7.0. If agencies are using Internet Explorer, NIST recommends that they use Internet Explorer 7.0.

4. Were any Microsoft Office security configurations of the FDCC tested?

Microsoft Office is not installed on the VHDs, nor are Microsoft Office settings included in the GPOs. The Microsoft Office security recommendations are represented in the FDCC documentation; they are provided for public comment before laboratory testing. Microsoft Office settings will undergo review and testing after publication of the Microsoft Office 2007 Security Guide.

5. To comply with the FDCC, are Federal organizations required to use the Microsoft Windows Firewall?

No. The FDCC baseline recommends the use of a personal firewall and includes the Microsoft Windows Firewall settings because it is enabled with the operating system installation. However, Federal organizations are free to use other desktop firewall software instead of the Microsoft Windows Firewall.

6. Is Microsoft Defender or other malware scanning software included in the FDCC settings?

Yes. Microsoft Defender is installed on the FDCC VHDs; however, there is currently no configuration guidance for this product other than the default settings provided by Microsoft. As is the case with the Microsoft Windows Firewall, NIST recommends the use of malware scanning utilities but does not recommend any particular vendor's product.
FDCC Agency Testing

1. What are Virtual PCs (VPC), and what is the difference between a VPC and a Virtual Hard Disk (VHD)?

Virtual PC (VPC) is a Microsoft product that allows users to run a virtual instance of an operating system (the Virtual Hard Disk) within an already running instance of an operating system (the non-virtual OS). The Virtual Hard Disk (VHD) can utilize the hardware of the computer (e.g., hard drive, Ethernet card, USB ports) in the same way the non-virtual OS does. From the non-virtual OS, the VHD appears as a single, large *.vhd file.

2. Why are VHDs beneficial?

VHDs are very useful for both laboratory and deployment testing. While software can be installed on a VHD in the same way software is installed on normal operating systems, VHDs can be discarded and re-created very quickly to ensure a pristine testing environment or to recover if something malfunctioned with the previous VHD. Additionally, multiple VHDs can be run on a single physical platform to achieve cost savings.

3. When will VHDs expire, and how often will they be updated?

According to Microsoft licensing, VHD licenses expire after 120 days. FDCC test VHDs will be published quarterly and can be found at http://nvd.nist.gov/fdcc/download_fdcc.cfm.

4. What can be downloaded from the FDCC technical site?

The FDCC technical Web site contains Windows Vista and Windows XP FDCC policy documentation, VHD files, Group Policy Object (GPO) files, and SCAP content files.

5. Can I use the VHDs, GPOs, .inf files, and SCAP content in an operational environment?

It is recommended that VHDs, GPOs, .inf files, and SCAP content be used in a test and evaluation environment. After careful testing, an organization may decide to use the GPO, .inf, and/or SCAP content in the production environment. VHDs are provided for laboratory testing purposes only and are not to be used as a deployment image.

6. What are the accounts and passwords that I can use to log on to the FDCC test VPCs?

Windows Vista - FDCC_Admin and P@ssw0rd123456
Windows XP - Renamed_Admin and P@ssw0rd123456

7. How do I use the VHDs?

NIST suggests you first make a backup copy of the downloaded VHD files. Then install the Virtual PC software as obtained from Microsoft (http://www.microsoft.com/windows/downloads/virtualpc/default.mspx). Next, run the New Virtual Machine wizard to create a new VPC that will use the downloaded VHD file.

8. What should I consider before I run the VHDs?

NIST recommends that you install and configure antivirus software and set the VPC networking setting to "Local only" or "Not Connected."

9. Who produces the VHDs?

At the request of OMB, Microsoft produces the VHDs with input from many departments and agencies, including DHS, DISA, OMB, NIST, NSA, and USAF.
Security Content Automation Protocol

1. What is SCAP?

NIST recently established a suite of interoperable and automatable security standards known as the Security Content Automation Protocol (SCAP). By virtue of using XML-based standards, SCAP is simultaneously machine and human readable. Specifically, the National Vulnerability Database is being expanded to host SCAP reference data. More information about SCAP may be found at http://nvd.nist.gov/scap.cfm.

2. How are the SCAP and SCAP-capable tools relevant to FDCC?

As part of the iterative VHD image integrity testing process, engineers ensured that both the VHDs and the SCAP data streams were accurately calibrated to represent and test compliance with the FDCC recommendations. Multiple SCAP-capable tools were able to use the same SCAP data stream to validate that the FDCC settings were properly applied to the VHD. The same SCAP data stream that was used for testing compliance to the FDCC in the NIST lab can also be used to determine if newly created images are FDCC compliant.

3. What settings cannot be verified with the current SCAP tools?

There are a small number of FDCC settings which cannot be verified using SCAP at this time. These settings are documented in the SCAP documentation.

5. What is SCAP Compliance?

To enable the goals set forth in OMB Memorandum M-07-18, it is necessary to have security configuration scanning tools that can use official SCAP content. In response, NIST is establishing the SCAP Compliance effort. Implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP), independent laboratories can be accredited to perform the testing necessary to validate that security tools can accurately parse the SCAP content required for their specific functionality. Additional details on SCAP compliance are available at http://nvd.nist.gov/validation.cfm.

6. How do I know if a tool is SCAP Compliant?

Tools that have achieved NIST SCAP Compliance will be listed at http://nvd.nist.gov/scapproducts.cfm. Since the SCAP compliance effort is in the process of being established, NIST is allowing vendors to temporarily self-assert their compliance and is listing them on this page. Tools are referenced by their type (configuration scanner, vulnerability scanner, etc.), as well as by the vendor, tool name, and the specific SCAP components in which the tool has achieved compliance.

7. How can agencies perform acceptance testing of FDCC compliant software?

A recent OMB Memorandum provides guidance regarding agency acceptance testing of FDCC compliant software. The link will be posted soon.

8. How can agencies ensure that their systems maintain the FDCC settings throughout the systems' life cycle?

Through the use of SCAP compliant tools and official FDCC SCAP content, agencies can routinely monitor their systems to ensure that the FDCC settings have not been altered as the result of patching, installation of new software, or human interaction. The tools compare the deployed configuration against the official SCAP FDCC content and report on any discrepancies so that corrective action can be taken (some tools also have an automatic remediation capability). As with FDCC software acceptance testing, only SCAP compliant configuration scanning tools that are asserted by the vendor as "FDCC Scanning Capable" on the SCAP tools webpage (http://nvd.nist.gov/scapproducts.cfm) can fully process SCAP FDCC content.

9. How can agencies use SCAP FDCC content to automate FISMA compliance of technical controls?

SCAP tools, which agencies use to continuously monitor FDCC settings, can output FISMA technical control compliance evidence. The FDCC SCAP content has FISMA compliance mappings embedded in it so that SCAP-compatible tools can automatically generate NIST Special Publication (SP) 800-53 assessment and compliance evidence. Each low-level security configuration check is mapped to the appropriate high-level NIST SP 800-53 security controls. As draft NIST SP 800-53A progresses towards final publication, there will be a direct linkage, where appropriate, of the assessment procedures found in NIST SP 800-53A to the SCAP automated testing of information system mechanisms and associated security configuration settings. In addition, the FDCC SCAP content also contains mappings to other high-level policies (e.g., ISO, DOD 8500, FISCAM), and SCAP tools may also output those compliance mappings. Additional SCAP content exists that agencies can also use to automate FISMA technical control compliance; this SCAP content is available at http://nvd.nist.gov/ncp.cfm?scap.

10. How can agencies report their compliance to the FDCC?

(Until SCAP compliant tools become available, agencies must self-assert that their systems are FDCC compliant; see OMB Memorandum M-07-18 for additional information.) As an integral part of the continuous monitoring of systems configured to FDCC, agencies can report their testing results to NIST. To ensure both the accuracy and consistency of these results, agencies can use the standardized SCAP XML reporting format. Use of this format will enable NIST to efficiently collect and organize the results for analysis and trending over time. NIST will aggregate the results from all agencies, and will not generally provide direct feedback to each individual agency concerning their results. NIST is in the process of implementing a SCAP compliance effort that will test security tools for their ability to output results in the standardized SCAP XML format. Additional reporting details will be forthcoming.
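An added example, not part of this NIST FAQ or of the official FDCC SCAP content, showing how the per-rule results and SP 800-53 mappings described in questions 8 through 10 can be read out of an XCCDF result document and rolled up per control, the way an SCAP tool would produce FISMA evidence from an FDCC scan. The XCCDF fragment, rule ids, control mappings, target name and scan result are constructed for illustration; only the XCCDF 1.1 namespace is real.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1.x namespace
NS = {"x": XCCDF_NS}
# Constructed, simplified XCCDF fragment (not real FDCC content). Each Rule carries
# its SP 800-53 control ids as <reference> elements; the TestResult is what an SCAP
# scanner appends after checking one workstation. Rule ids/titles are made up here.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="FDCC-sample-benchmark">
  <Rule id="min-password-length" severity="medium">
    <title>Minimum password length is 12 characters</title>
    <reference href="urn:placeholder:sp800-53">IA-5</reference>
  </Rule>
  <Rule id="wireless-service-disabled" severity="medium">
    <title>Built-in wireless service is disabled</title>
    <reference href="urn:placeholder:sp800-53">AC-18</reference>
  </Rule>
  <Rule id="unsigned-driver-install" severity="high">
    <title>Unsigned driver installation is blocked</title>
    <reference href="urn:placeholder:sp800-53">CM-6</reference>
    <reference href="urn:placeholder:sp800-53">SI-7</reference>
  </Rule>
  <TestResult id="scan-sample" start-time="2007-07-01T10:00:00" end-time="2007-07-01T10:05:00">
    <target>ws-test-01.example.gov</target>
    <rule-result idref="min-password-length"><result>pass</result></rule-result>
    <rule-result idref="wireless-service-disabled"><result>fail</result></rule-result>
    <rule-result idref="unsigned-driver-install"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""

def rule_control_map(root):
    """Rule id -> list of SP 800-53 control ids referenced by that rule."""
    return {rule.get("id"): [ref.text.strip() for ref in rule.iterfind("x:reference", NS)]
            for rule in root.iterfind(".//x:Rule", NS)}

def rule_results(root):
    """Rule id -> XCCDF result string (pass, fail, notchecked, ...)."""
    return {rr.get("idref"): rr.findtext("x:result", namespaces=NS)
            for rr in root.iterfind(".//x:rule-result", NS)}

def control_rollup(xccdf_text):
    """Per-control status: 'fail' if any mapped rule failed, 'pass' only if every
    mapped rule passed, otherwise 'unknown' (an unchecked rule is not evidence)."""
    root = ET.fromstring(xccdf_text)
    results = rule_results(root)
    rolled = defaultdict(lambda: {"status": "pass", "rules": [], "failed_rules": []})
    for rule_id, controls in rule_control_map(root).items():
        outcome = results.get(rule_id, "notchecked")  # rule absent from TestResult
        for control in controls:
            entry = rolled[control]
            entry["rules"].append(rule_id)
            if outcome == "fail":
                entry["failed_rules"].append(rule_id)
                entry["status"] = "fail"
            elif outcome != "pass" and entry["status"] != "fail":
                entry["status"] = "unknown"
    return dict(rolled)
```

Because one setting can map to several controls, a single drifted setting surfaces against every control it supports, which is the behaviour an agency wants when it trends results over time.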
FDCC Deployment

1. What are some settings that will impact system functionality that I should test before I deploy the OMB mandated FDCC baseline in an operational environment?

There are a number of settings that will impact system functionality, and agencies should test them thoroughly before they are deployed in an operational environment.

- Running the system as a standard user: some applications may not work properly because they require administrative access to operating system and application directories and registry keys.
- Minimum 12-character password, changed every 60 days: this may impact system usability and interoperability with some enterprise single sign-on password management systems.
- Wireless service: the wireless service is disabled, which will prevent the use of Wi-Fi network interfaces that depend on the built-in wireless service.
- FIPS 140-2 setting: impacts browser interoperability with Web sites that do not support the FIPS 140-2 approved algorithms. This can usually be corrected by changing the Web server configuration to support FIPS 140-2 approved algorithms. Refer to the following knowledge base article: http://support.microsoft.com/kb/811833
- Unsigned driver installation behavior: drivers that are not digitally signed by Microsoft cannot be installed under Windows XP.
- Windows Firewall: the built-in firewall may prevent other applications from communicating with some applications.
- Additional settings: refer to the following knowledge base article for additional settings that may impact system interoperability with legacy systems: http://support.microsoft.com/kb/885409

2. What is the envisioned deployment method for FDCC?

While smaller organizations may implement local configuration through batch and *.inf files, the recommended method is to implement the majority of FDCC security settings using group policies as managed with Microsoft Group Policy Objects (GPO). Approximately 98% of all FDCC settings may be implemented through GPOs. The remaining security settings must be implemented locally through *.inf, batch, or manual methods.

3. How do I apply Microsoft GPOs to one of several different operating systems I manage through the Group Policy Management Console (GPMC)?

As viewed through the Microsoft Group Policy Management Console (GPMC), applying GPOs to specific Windows operating systems can be accomplished using a Windows Management Instrumentation (WMI) filter (WMI filtering is only recognized on Windows Vista, Windows XP, and Windows Server 2003). More specifically, create a WMI filter that selects the applicable operating systems, and link that filter to the GPO applicable for those operating systems. If computers with Windows 2000 or earlier Windows operating systems are present within the enterprise, these computers must be granted an exception from the group policy using the Deny Read and Deny Apply Group Policy settings. The following two sources provide additional detail:

4. Does the FDCC baseline include specific USG digital certificates?

The FDCC baseline includes root and intermediate CA certificates for the DoD and civilian agencies in the trusted stores for both the Windows XP and Vista VHDs.

5. Can a standard user share files using the Microsoft file sharing or peer-to-peer sharing protocols?

The FDCC baseline disables the Microsoft file and printer sharing feature and the Microsoft Peer-to-Peer networking services. The Windows firewall is also configured to prevent local file sharing. If a third-party firewall is used, it is recommended that it prevent the system from sharing files on the local system.

6. Does the FDCC baseline include power management specific settings?

The FDCC baseline does not make any specific recommendation about power management settings. By default, Windows Vista uses the Balanced power plan, which puts the system to sleep after 1 hour on AC power and 15 minutes on battery power, turns off the hard disks after 20 minutes on AC power and 10 minutes on battery power, and turns off the display after 20 minutes on AC power and 5 minutes on battery power.
Comments and questions may be addressed to fdcc@nist.gov