Vulnerabilities Checklists Product Dictionary Impact Metrics Data Feeds Statistics
Home SCAP SCAP Validated Tools SCAP Events About Contact Vendor Comments
FDCC

NIST Resources
Other Resources


 

white space

white space

Federal Desktop Core Configuration
FDCC

 

FDCC Version 1.1.x.0 List of Changes

Microsoft Internet Explorer 7

  1. SCAPXML-83/90: Updated patch content and removed Vulnerabilities from patch content
  2. SCAPXML-94: Added the registry entry type to nearly all of the registry states.
    • CCE-1000/CCE-3216-9
    • CCE-1002/CCE-3619-4
    • CCE-1006/CCE-3207-8
    • CCE-1008/CCE-3584-0
    • CCE-1010/CCE-3615-2
    • CCE-1012/CCE-3564-2
    • CCE-1013/CCE-3927-1
    • CCE-1025/CCE-4026-1
    • CCE-1031/CCE-4013-9
    • CCE-1032/CCE-3866-1
    • CCE-1045/CCE-4160-8
    • CCE-1051/CCE-4237-4
    • CCE-1054/CCE-3875-2
    • CCE-1088/CCE-3902-4
    • CCE-1147/CCE-4546-8
    • CCE-119/CCE-3924-8
    • CCE-1211/CCE-3909-9
    • CCE-126/CCE-3751-5
    • CCE-128/CCE-3696-2
    • CCE-129/CCE-4031-1
    • CCE-132/CCE-3963-6
    • CCE-138/CCE-3891-9
    • CCE-140/CCE-4564-1
    • CCE-146/CCE-3929-7
    • CCE-16/CCE-4139-2
    • CCE-175/CCE-4053-5
    • CCE-176/CCE-3945-3
    • CCE-178/CCE-4196-2
    • CCE-200/CCE-4153-3
    • CCE-208/CCE-4119-4
    • CCE-212/CCE-3576-6
    • CCE-218/CCE-4652-4
    • CCE-237/CCE-4098-0
    • CCE-239/CCE-4028-7
    • CCE-245/CCE-4143-4
    • CCE-258/CCE-4036-0
    • CCE-26/CCE-4101-2
    • CCE-28/CCE-4040-2
    • CCE-280/CCE-4099-8
    • CCE-281/CCE-4643-3
    • CCE-286/CCE-4131-9
    • CCE-288/CCE-3989-1
    • CCE-292/CCE-4050-1
    • CCE-30/CCE-3264-9
    • CCE-308/CCE-4793-6
    • CCE-31/CCE-4087-3
    • CCE-320/CCE-3754-9
    • CCE-339/CCE-4066-7
    • CCE-347/CCE-4043-6
    • CCE-355/CCE-3906-5
    • CCE-359/CCE-3553-5
    • CCE-382/CCE-4047-7
    • CCE-409/CCE-4132-7
    • CCE-41/CCE-3337-3
    • CCE-42/CCE-4171-5
    • CCE-425/CCE-3914-9
    • CCE-439/CCE-3601-2
    • CCE-449/CCE-3941-2
    • CCE-47/CCE-3853-9
    • CCE-471/CCE-4147-5
    • CCE-473/CCE-4138-4
    • CCE-478/CCE-4246-5
    • CCE-49/CCE-4109-5
    • CCE-491/CCE-3888-5
    • CCE-495/CCE-3993-3
    • CCE-5/CCE-4017-0
    • CCE-51/CCE-4052-7
    • CCE-52/CCE-4057-6
    • CCE-520/CCE-3855-4
    • CCE-528/CCE-4259-8
    • CCE-552/CCE-4121-0
    • CCE-556/CCE-3706-9
    • CCE-563/CCE-4158-2
    • CCE-586/CCE-4068-3
    • CCE-591/CCE-3338-1
    • CCE-598/CCE-4192-1
    • CCE-622/CCE-4118-6
    • CCE-625/CCE-4226-7
    • CCE-636/CCE-3905-7
    • CCE-639/CCE-3590-7
    • CCE-66/CCE-4001-4
    • CCE-66/CCE-4001-4
    • CCE-660/CCE-4018-8
    • CCE-666/CCE-4232-5
    • CCE-668/CCE-4122-8
    • CCE-675/CCE-4845-4
    • CCE-678/CCE-3400-9
    • CCE-680/CCE-4084-0
    • CCE-684/CCE-3518-8
    • CCE-685/CCE-3998-2
    • CCE-689/CCE-4104-6
    • CCE-690/CCE-3976-8
    • CCE-693/CCE-3201-1
    • CCE-698/CCE-4215-0
    • CCE-708/CCE-3744-0
    • CCE-71/CCE-4056-8
    • CCE-721/CCE-3647-5
    • CCE-724/CCE-3570-9
    • CCE-753/CCE-3894-3
    • CCE-763/CCE-4079-0
    • CCE-769/CCE-3825-7
    • CCE-781/CCE-4692-0
    • CCE-827/CCE-4162-4
    • CCE-833/CCE-3933-9
    • CCE-841/CCE-4163-2
    • CCE-863/CCE-3378-7
    • CCE-876/CCE-4175-6
    • CCE-878/CCE-3984-2
    • CCE-882/CCE-4062-6
    • CCE-910/CCE-4161-6
    • CCE-914/CCE-3249-0
    • CCE-925/CCE-3996-6
    • CCE-938/CCE-4199-6
    • CCE-946/CCE-3204-5
    • CCE-963/CCE-3275-5
    • CCE-964/CCE-4174-9
    • CCE-970/CCE-4150-9
    • CCE-973/CCE-4202-8
    • CCE-985/CCE-4149-1
  3. SCAPXML-106: Changed “xmlns:cpe” attribute on the Benchmark element from “http://cpe.mitre.org/language/2.0” to “http://cpe.mitre.org/dictionary/2.0”.
  4. SCAPXML-107: Changed the “system” attribute on the model element from “urn:xcscoring:*” to “urn:xccdf:scoring:*”.
  5. SCAPXML-117: Added the type and operator to the value for Logon Options - Internet Zone - Local Computer and set them to “number” and “equals”, respectively.
    • CCE-720/ CCE-3623-6

Microsoft Windows Vista Firewall

  1. SCAPXML-104: The operator for “private_profile_name_var” changed from “equals” to “pattern match”.
    • CCE-999/ CCE-4206-9
  2. SCAPXML-106: Changed “xmlns:cpe” attribute on the Benchmark element from “http://cpe.mitre.org/language/2.0” to “http://cpe.mitre.org/dictionary/2.0”.

Microsoft Windows Vista

  1. Updated version attributes to reflect changes to checking methods.
  2. SCAPXML-23/76/85: Corrected GUEST account SID.
  3. SCAPXML-26: Allowed for non-existence of the GUEST and Administrator accounts.
  4. SCAPXML-72: Removed from the FDCC profile
    1. "Approved Installation Sites for ActiveX Controls"
      • CCE-836/ CCE-4579-9
    2. "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax"
      • CCE-458/ CCE-3371-2
    3. MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
      • CCE-139/ CCE-3067-6
  5. SCAPXML-81/82: Corrected var_ref element datatype attributes.
  6. SCAPXML-83/90: Updated patch content and removed Vulnerabilities from patch content
  7. SCAPXML-87/88: Replaced all instances of “AUDIT__SUCCESS_FAILURE” with “AUDIT_SUCCESS_FAILURE”
  8. SCAPXML-92/93: Changed the “value” child elements of the “Value” elements for “Set a time limit for disconnected sessions” and “Set a time limit for active but idle Terminal Services sessions” from seconds to nanoseconds.
  9. SCAPXML-100: Corrected the registry paths for objects “oval:gov.nist.fdcc.vista:obj:60511” and “oval:gov.nist.fdcc.vista:obj:60521”.
  10. SCAPXML-101: Corrected the comments and keys associated with checking the existence of the SpyNet key and SpyNetReporting value.
  11. SCAPXML-102: Added CCE v5 IDs for CCE-174 and CCE-1109.
  12. SCAPXML-104:
    1. Changed the “operator” attribute for all Audit related “Value” elements from “equals” to “pattern match”.
    2. Changed the “operator” attribute for the message text/title for users attempting to log on “Value” elements from “equals” to “pattern match”.
  13. SCAPXML-106: Changed “xmlns:cpe” attribute on the Benchmark element from “http://cpe.mitre.org/language/2.0” to “http://cpe.mitre.org/dictionary/2.0”.
  14. SCAPXML-110: Unnecessary line breaks removed.
  15. SCAPXML-113: Inconsistent datatypes between XCCDF and OVAL corrected for a number of settings.
  16. SCAPXML-115: Added a caveat to the descriptions stating that this can break IPSec. Also added a reference to the Microsoft Knowledge base article to the OVAL definition.
    • CCE-532/ CCE-4334-9
  17. SCAPXML-116: Added the “Accounts: Administrator account status “ requirement
    • CCE-499/CCE-3032-0
  18. SCAPXML-118: Removed the values for the drive type autorun rules and changed the corresponding OVAL definition, “oval:gov.nist.fdcc.vista:def:6574”, to require a value of “255” instead of using a variable value.
    • CCE-44/ CCE-2719-3

Microsoft Windows XP

  1. Updated version attributes to reflect changes in checking methods.
  2. Added criterion on some User Rights to ensure the allowed users are given the specified user right for the sake of consistency.
  3. SCAPXML-23/76/85: Corrected GUEST account SID.
  4. SCAPXML-26: Allowed for non-existence of the SUPPORT_388945a0 and GUEST accounts.
  5. SCAPXML-67: Corrected logic forI “nteractive logon: Smart Card removal behavior” setting to allow for it to being configured to “Force Logoff ”
  6. SCAPXML-69: Corrected logic for “Interactive logon: Require Domain Controller authentication to unlock workstation” setting to allow for it being configured to “Enabled.”
  7. SCAPXML-75: Removed the duplicate description on FDCC profile.
  8. SCAPXML-72: Removed from the FDCC profile:
    1. Prevent Local Guests Group From Accessing Application Log
      • CCE-299/CCE-2116-2
    2. Prevent Local Guests Group From Accessing Security Log
      • CCE-462/CCE-2794-6
    3. Prevent Local Guests Group From Accessing System Log
      • CCE-726/CCE-2345-7
    4. DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
      • CCE-458/ CCE-3010-6
    5. Interactive logon: Require smart card
      • CCE-828/ CCE-3186-4
    6. MSS: (Hidden) Hide Computer From the Browse List
      • CCE-139/CCE-2952-0
  9. SCAPXML-79: Audit Backup and Restore Privilege Disabled corrected
    • CCE-905/CCE-2955-3
  10. SCAPXML-80: oval:gov.nist.fdcc.xp:tst:311 Guests and SUPPORT_388945a0 are Deny Logon As Batch Job
  11. SCAPXML-81/82: Corrected var_ref element datatype attributes.
  12. SCAPXML-83/90: Updated patch content and removed Vulnerabilities from patch content
  13. SCAPXML-84: Corrected logic errors relating to tests oval:gov.nist.fdcc.xp:tst:67261 & oval:gov.nist.fdcc.xp:tst:67251.
  14. SCAPXML-86: Corrected logic error in the criteria for oval:gov.nist.fdcc.xp:def:6626 which may result in false negatives.
  15. SCAPXML-92/93: Changed the “value” child elements of the “Value” elements for “Set a time limit for disconnected sessions” and “Set a time limit for active but idle Terminal Services sessions” from seconds to nanoseconds.
  16. SCAPXML-96: Corrected permissions check for regini.exe by ensuring Administrators group has Full Control.
  17. SCAPXML-97: Description for mshta.exe permissions restriction entry corrected.
  18. SCAPXML-99: Corrected the comments on the criterion for “oval:gov.nist.fdcc.xp:def:1662”
  19. SCAPXML-103: Corrected missing and incorrect CCEs.
  20. SCAPXML-104: Changed the “operator” attribute for all Audit related “Value” elements from “equals” to “pattern match”.
    • CCE-315/(CCE-3867-0/CCE-3008-0)
    • CCE-596/(CCE-2906-6/CCE-2902-5)
    • CCE-10/(CCE-2933-0/CCE-2206-1)
    • CCE-429/(CCE-2100-6/CCE-2343-2)
    • CCE-812/(CCE-2259-0/CCE-2766-4)
    • CCE-966/(CCE-2971-0/CCE-2757-9)
    • CCE-874/(CCE-2913-2/CCE-2918-1)
    • CCE-8/(CCE-2816-7/CCE-2939-7)
    • CCE-149/(CCE-2878-7/CCE-2843-1)
  21. SCAPXML-105: Added a default “value” child element for the “BITSService_var” Value.
  22. SCAPXML-107: Changed the “system” attribute on the model element from “urn:xcscoring:*” to “urn:xccdf:scoring:*”.
  23. SCAPXML-109: Several inconsistent user rights checks corrected including Deny Access from Network, Deny Logon As Batch Job, Impersonate a Client after Authentication, Create Global Objects
  24. SCAPXML-113: Inconsistent datatypes between XCCDF and OVAL corrected for a number of settings.
    • CCE-905/CCE-2955-3
  25. SCAPXML-114: Corrected an inconsistency between state and variable for Audit the use of Backup and Restore privileges
    • CCE-905/CCE-2955-3
  26. SCAPXML-115: Added a caveat to the descriptions stating that this can break IPSec. Also added a reference to the Microsoft Knowledge base article to the OVAL definition.
    • CCE-532/ CCE-2379-6
  27. SCAPXML-116: Added the “Accounts: Administrator account status “ requirement
    • CCE-499/CCE-2943-9

Microsoft Windows XP Firewall

  1. Removed a number of unnecessary CR/LFs.
  2. SCAPXML-78: Removed “Define port exceptions” from FDCC profile.
    • CCE-370/ CCE-3258-1
  3. SCAPXML-106: Changed “xmlns:cpe” attribute on the Benchmark element from “http://cpe.mitre.org/language/2.0” to “http://cpe.mitre.org/dictionary/2.0”.
  4. SCAPXML-107: Changed the “system” attribute on the model element from “urn:xcscoring:*” to “urn:xccdf:scoring:*”.
  5. SCAPXML-108: Changed the “1” in the “comment” attribute on the criterion element for “oval:gov.nist.fdcc.xpfirewall:tst:51061” on definition “oval:gov.nist.fdcc.xpfirewall:def:5106”
    • CCE-797/CCE-3081-7
  6. SCAPXML-119: Inconsistent datatype between state and variable, changed “int” to “string”.
    • CCE-793/CCE- 2923-1

 

 

Comments and Questions

Comments and questions may be addressed to fdcc@nist.gov.

 

 

 

 

Last updated: November, 11, 2008
Page created: July 22, 2007
Disclaimer Notice & Privacy Statement / Security Notice
Send comments or suggestions to itsec@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration