- Is FDCC applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?
- Is FDCC applicable to Windows XP and Vista computers used as servers?
- Does the FDCC baseline apply only to desktop systems?
- Is FDCC applicable to contractor computers?
- Does the password policy apply only to local accounts?
- Is FDCC applicable to domain accounts (versus local)?
- Does the password policy apply to Windows XP and Vista only, or is it also applicable to all applications installed on the XP and Vista systems?
- Must my administrator account be renamed to "Renamed_Admin"?
- One of the FDCC settings does not allow the installation of unsigned device drivers. In order to be compliant, do we need to remove unsigned device drivers that are already installed on general purpose computing devices?
- FDCC settings prohibit wireless. Are there any conditions under which wireless is allowed? Airport? Hotel? We have implemented wireless within our enterprise. Do I really need to disable wireless? What if I am using a third-party wireless client?
- Does the system need to have IE7 installed to be FDCC compliant?
- How does FDCC relate to FISMA compliance and SP 800-53?
- How do I report compliance and deviations? To whom do I report that information? Is there a specific reporting format?
- Where can I find a centralized list of FDCC compliant applications?
- Are there currently any SCAP-validated tools?
- Is checking FDCC settings 100% automated through SCAP? Will manual assessment methods be required?
- Will scans based on SCAP checklists produce results with 100% of all checks passing?
- Must I use WinZip to reassemble the segmented VHD files? What if I don't have WinZip?
- What is documentation version 1.0.1? Were there any changes to the FDCC settings in this documentation?
- What versions and Service Pack levels of XP and Vista does FDCC apply to?
- What tools are used to edit the XML SCAP data and GPOs?
- FDCC settings prohibit escalated privileges from being granted to ordinary end-users. What is considered an escalated privilege?
- Does the SCAP content & GPOs for FDCC cover 100% of the FDCC settings? If not, what is missing and why?
- I am responsible for implementing FDCC in my organization. I have many questions and concerns. Who is the correct person for me to call?
1. Is FDCC applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?
The primary targets of FDCC are general-purpose systems such as managed desktops and laptops. Embedded computers, process control systems, specialized scientific or experimental systems, and similar systems using Windows XP or Vista are out of scope for FDCC. Of course, such systems still require appropriate protection and application of sound risk management principles. In general, those responsible for such systems should still examine the FDCC security configuration for applicability where feasible and appropriate.
2. Is FDCC applicable to Windows XP and Vista computers used as servers?
No. Windows XP and Vista computers not categorized as desktops or laptops are out of scope for FDCC.
3. Does the FDCC baseline apply only to desktop systems?
FDCC applies to both desktops and laptops that are deployed and connected directly to the organization's network.
4. Is FDCC applicable to contractor computers?
Yes. Windows XP and Vista computers that are owned or operated by a contractor on behalf of or for the USG, or that are integrated into a Federal system, are subject to FDCC.
5. Does the password policy apply only to local accounts?
No. The password policy applies to both local and domain accounts.
6. Is FDCC applicable to domain accounts (versus local)?
Yes. FDCC is applicable to any domain configuration that manifests itself in local FDCC settings. For instance, password length managed at the domain level manifests itself at each desktop and laptop. Therefore, password length, whether managed via the domain or locally, is subject to FDCC.
7. Does the password policy apply to Windows XP and Vista only, or is it also applicable to all applications installed on the XP and Vista systems?
On a Windows XP or Vista system, any system components, applications, or utilities that use the XP or Vista authentication mechanism, in particular the user's Windows authentication token, should comply with the FDCC password policy. This excludes third-party applications, such as Web applications and client applications, that use a separate security token for authentication.
For example, my Windows authentication token allows me to gain logical access to my desktop, email account, calendaring software, etc. It will comply with the FDCC password policy. I use a distinct authentication token to run a Web application to connect to a travel management system, an enterprise application, or a Federal employee benefits or retirement system. In these cases, my authentication token will comply with the policy instituted on the specific server and services that I am trying to use.
8. Must my administrator account be renamed to "Renamed_Admin"?
No, alternate names are fine. In fact, we suggest you discard "Renamed_Admin" and use something unique.
9. One of the FDCC settings does not allow the installation of unsigned device drivers. In order to be compliant, do we need to remove unsigned device drivers that are already installed on general purpose computing devices?
Strictly speaking, yes: you need to remove unsigned device drivers to be compliant on general purpose computing devices. That said, it is understood that certain unsigned device drivers may be critical to business/mission IT. Any unsigned device drivers that are critical to your operation must be annotated as business/mission critical deviations.
10. FDCC settings prohibit wireless. Are there any conditions under which wireless is allowed? Airport? Hotel? We have implemented wireless within our enterprise. Do I really need to disable wireless? What if I am using a third-party wireless client?
The FDCC wireless setting specifies that all wireless interfaces should be disabled. The intention of the recommendation is not to prevent or prohibit wireless use, but to reduce the exposure of wireless-equipped devices accidentally connecting to insecure (e.g., unencrypted) and unauthorized wireless access points, and of end-users purposefully connecting to insecure and unauthorized wireless access points. Wireless configuration for authorized enterprise wireless networks should be documented and reflected in the organization's FDCC deviation report.
Third-party wireless clients still utilize the wireless interface of the Windows XP or Vista operating system. Therefore, they are subject to the logic above.
11. Does the system need to have IE7 installed to be FDCC compliant?
Internet Explorer 7.0 is a built-in component of the Windows XP and Vista operating systems. For this reason, it needs to be installed and configured according to FDCC settings on all Windows XP and Vista computers. Organizations may use other browsers, and if they do, they should use the inherent security features those browsers provide.
12. How does FDCC relate to FISMA compliance and SP 800-53?
In addition to the FDCC reporting associated with the February 2008 deadline, FDCC will be reported through the Configuration Management controls of FISMA. As a compliance tool, SCAP-validated tools can process the mapping, contained within the SCAP data files provided by NIST, between FDCC settings and FISMA SP 800-53 security controls. This mapping enables automated compliance reporting on select SP 800-53 security controls.
13. How do I report compliance and deviations? To whom do I report that information? Is there a specific reporting format?
OMB policy recognizes that agencies may determine that settings in the FDCC are not practical. In the March 20th memorandum to Chief Information Officers, OMB instructed agencies to provide documentation to NIST of any deviations from the FDCC and the rationale for doing so. Report FDCC compliance through your organization's CIO hierarchy. An agency or department CIO must report compliance for that organization. Compliance is expressed as roll-up numbers of compliant versus non-compliant computers. For non-compliant computers, CIOs must provide a representative sample of SCAP-based (XCCDF version 1.1.4) assessment reports. The FDCC XML reporting format is located at http://nvd.nist.gov/scap/content/fdcc-reporting_20080127.zip. Additional guidance will be forthcoming. This information should be sent to OMB at fisma@omb.eop.gov with a carbon copy to NIST at fdcc@nist.gov by March 31, 2008. NIST will perform trend analysis on all Federal data and present findings to OMB.
14. Where can I find a centralized list of FDCC compliant applications?
IT product vendors are actively testing their applications for compliance with the FDCC baseline, and information on compliance will be made available at the vendors' sites. Agencies are welcome to share FDCC compliance testing information, with the understanding that each individual CIO is responsible for fulfilling the requirements in OMB Memorandum M-07-18.
15. Are there currently any SCAP-validated tools?
A list of SCAP-validated tools is available at http://nvd.nist.gov/scapproducts.cfm
16. Is checking FDCC settings 100% automated through SCAP? Will manual assessment methods be required?
SCAP automates the assessment process for nearly all of the FDCC settings. NIST is actively working to extend the coverage of the automated tests. However, manual methods will be needed to verify a very small subset of the FDCC settings. Automated versus manual tests are annotated in the FDCC settings documentation at http://nvd.nist.gov/fdcc/download_fdcc.cfm.
17. Will scans based on SCAP checklists produce results with 100% of all checks passing?
At present, there are a number of discrepancies with the existing SCAP content. NIST is actively working to improve the accuracy of the tests as represented in the SCAP data stream, and the updated content will be released in December. Please refer to the NIST FDCC download page for the FDCC SCAP results.
18. Must I use WinZip to reassemble the segmented VHD files? What if I don't have WinZip?
To enable more manageable download of the multi-gigabyte virtual images, NIST elected to provide WinZip segmented files. To the best of our knowledge, these files can only be re-assembled with WinZip. Agency/department representatives who prefer a non-segmented virtual machine image can write to fdcc@nist.gov with their affiliation and a shipping address. Once affiliation is confirmed, a non-segmented virtual machine image will be shipped on a DVD to your attention.
19. What is documentation version 1.0.1? Were there any changes to the FDCC settings in this documentation?
The settings document version 1.0.1 contains two settings that were in the version 1.0 virtual machine image and Group Policy Objects but were not annotated in the version 1.0 documentation. Those two settings have been added. This does not represent a change to FDCC, just an omission in the original settings document. Also, the version 1.0.1 documentation contains additional information such as the description field and registry keys. For additional update information, please refer to the change history tab included in the documentation.
20. What versions and Service Pack levels of XP and Vista does FDCC apply to?
FDCC is intended to apply to Windows XP Professional and Vista Enterprise, Business, and Ultimate with the most current service pack or security patches.
21. What tools are used to edit the XML SCAP data and GPOs?
XML Notepad 2007 and gpedit.msc, respectively. Other open-source or commercial XML editors can be used to edit the SCAP content.
22. FDCC settings prohibit escalated privileges from being granted to ordinary end-users. What is considered an escalated privilege?
Any privilege that is not a default user right in XP or Vista is considered under the FDCC to be an escalated privilege. The security inherent in FDCC relies partly on the fact that typical users are only assigned standard user rights. Assigning any additional rights to typical users or user groups circumvents this layer of security by allowing users to run with escalated privileges. The "Administrative" and "Power User" roles are two examples of escalated privileges that must not be assigned to typical users.
23. Does the SCAP content & GPOs for FDCC cover 100% of the FDCC settings? If not, what is missing and why?
No, there are a small number of settings that cannot be automated at this time. These settings are listed below:
Settings not checked by SCAP content:
- Vista Firewall
  - IPv6 Block of Protocol 41
  - IPv6 Block of UDP 3544
- Windows XP
  - Network access: Allow anonymous SID-Name translation
- Windows Vista
  - Network access: Allow anonymous SID-Name translation
Settings not implemented through Group Policy Objects:
- Vista
  - Configure Microsoft Spynet Reporting
  - Disable ISATAP, Teredo, and 6to4 tunneling protocols
  - All 47 Vista audit policy settings (contained in "FDCC Other Settings\Audit Policy Group")
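The settings listed in this answer (and the "very small subset" referred to in question 16) have to be verified without the SCAP content. The script below is an added example, not NIST's code and not part of the FDCC SCAP content or GPOs; it shows one way to verify two of those settings offline by parsing the text output of two native Windows tools, `secedit /export /cfg <file>` and `reg query`, so that a manual check can still be scripted and kept with the SCAP results. It assumes that the anonymous SID/Name translation policy appears as `LSAAnonymousNameLookup` in the `[System Access]` section of the secedit export (0 = disabled) and that the tunneling-protocol setting is implemented through the `DisabledComponents` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters`, using Microsoft's documented bit layout (0x1 disables all tunnel interfaces; 0x2, 0x4 and 0x8 disable 6to4, ISATAP and Teredo individually). Both tool outputs embedded below are constructed samples, not captures from a real host; the other settings on the list (firewall rules, Spynet reporting, audit policy) are not covered here.

```python
"""Offline checker for two FDCC settings that the SCAP content does not test.

Parses the text output of `secedit /export /cfg out.inf` and of
`reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters /v DisabledComponents`
instead of touching a live system, so it can be run against saved output.
"""
import re

# Constructed sample of a secedit export (only the sections that matter here).
SECEDIT_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 12
LSAAnonymousNameLookup = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of `reg query ... /v DisabledComponents` output.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
    DisabledComponents    REG_DWORD    0x1
"""

# Bit layout of DisabledComponents as documented by Microsoft (assumption: verify
# against the FDCC settings document for the exact value FDCC prescribes).
TUNNEL_BITS = {"all tunnels": 0x1, "6to4": 0x2, "ISATAP": 0x4, "Teredo": 0x8}


def parse_secedit(text):
    """Return {section: {key: value}} from the INI-style secedit export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def anonymous_sid_name_translation_disabled(secedit_text):
    """True when 'Network access: Allow anonymous SID/Name translation' is Disabled."""
    system_access = parse_secedit(secedit_text).get("System Access", {})
    return system_access.get("LSAAnonymousNameLookup") == "0"


def parse_reg_dword(reg_output, value_name):
    """Extract a REG_DWORD from `reg query` output; None when the value is absent."""
    pattern = r"^\s*" + re.escape(value_name) + r"\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$"
    match = re.search(pattern, reg_output, re.MULTILINE)
    return int(match.group(1), 0) if match else None


def tunneling_disabled(reg_output):
    """True when ISATAP, Teredo and 6to4 are all disabled via DisabledComponents."""
    value = parse_reg_dword(reg_output, "DisabledComponents")
    if value is None:
        return False  # value absent: the Vista default leaves the tunnel interfaces enabled
    if value & TUNNEL_BITS["all tunnels"]:
        return True
    return all(value & TUNNEL_BITS[name] for name in ("6to4", "ISATAP", "Teredo"))


def manual_checks(secedit_text, reg_output):
    """Run both checks and return {FDCC setting name: compliant?}."""
    return {
        "Network access: Allow anonymous SID-Name translation":
            anonymous_sid_name_translation_disabled(secedit_text),
        "Disable ISATAP, Teredo, and 6to4 tunneling protocols":
            tunneling_disabled(reg_output),
    }


if __name__ == "__main__":
    for setting, ok in manual_checks(SECEDIT_EXPORT, REG_QUERY_OUTPUT).items():
        print(f"{'PASS' if ok else 'FAIL'}  {setting}")
```

On a real host, replace the two constants with the saved output of the two commands (run as an administrator) and record any FAIL alongside the SCAP results or, where the setting is a documented business/mission deviation, in the deviation report.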
24. I am responsible for implementing FDCC in my organization. I have many questions and concerns. Who is the correct person for me to call?
Please review the FDCC FAQs and send your inquiries to fdcc@nist.gov.
Please send comments if your questions were not answered here.