FDCC Implementation Efforts at Idaho National Laboratory
Justin Hansen
NLIT 2009
Overview
• What is FDCC and where did it come from?
• Review process for the FDCC policy settings
• Specific implementation steps
• Dealing with some of the “Gotchas”
• Ongoing work
• Other information resources
INL’s IT By The Numbers
• 12,000 IT Devices owned by INL
• 9,000 Devices on the Network
• 5,500 Desktop & Laptop Computers
• OSs (~85% Windows, 9% Macs, 6% Linux)
• Dell Shop (95% Windows Based Computers are Dells)
• Office Desktops – Dell Optiplex
• Laptops – Dell Latitudes
• Engineering Workstations – Dell Precisions
What Is FDCC And Where Did It Come From?
• FDCC: Federal Desktop Core Configuration
• Office of Management and Budget (OMB) March, 2007
• Windows XP FDCC was based on Air Force customizations to the settings of NIST 800-68 checklist
– Used the “Specialized Security Limited Functionality” settings (SSLF)
• Windows Vista and IE 7 FDCC was based on DoD customizations of the Microsoft Security Guides
• Recommendations have been developed for Windows Vista, Windows XP and Internet Explorer
NIST Provided Resources For FDCC
• Ready made Group Policy Objects
• Microsoft Virtual PC “VHDs” for testing
• Security Templates for Microsoft Security Configuration and Analysis Tool
• Security Content Automation Protocol (SCAP) definition and content
• NIST Windows Security Baseline Database
• Set_FDCC_LGPO.exe (Microsoft – http://blogs.technet.com/fdcc)
INL Review Process
• Compared currently implemented Minimum Security Configurations to FDCC
• Categorized FDCC “Gap” settings by impact and risk
• Evaluated required enterprise changes for “medium” and “high” impact settings
– Example: “Digitally sign communications (always)”
• Focused on “high” risk and “low” impact settings
• Spreadsheet developed to help evaluate these factors
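Added example (not from the original slides and not INL's spreadsheet or tooling): a minimal gap review that diffs a current security template against a target template and orders the gaps the way the slides describe, low impact first and, within an impact tier, highest risk first. The template fragments, the impact/risk ratings and all function names are constructed for illustration.

```python
import configparser

# Constructed security-template (.inf) fragments; values are illustrative only.
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
"""
TARGET_INF = r"""
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""
# Reviewer-assigned ratings (constructed): setting name -> (impact, risk).
RATINGS = {"MinimumPasswordLength": ("medium", "high"), "NoLMHash": ("low", "high"),
           "RequireSecuritySignature": ("high", "medium"),
           "LmCompatibilityLevel": ("medium", "high")}
LEVEL = {"low": 0, "medium": 1, "high": 2}

def load_template(text):
    """Flatten a security template into {(section, setting): value}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep registry paths and setting names case-intact
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}

def gap(current, target):
    """Settings the target requires that are missing or different today."""
    return {k: (current.get(k), v) for k, v in target.items() if current.get(k) != v}

def rollout_plan(gaps, ratings):
    """Return (name, impact, risk, have, want) rows in rollout order."""
    rows = []
    for (_section, setting), (have, want) in gaps.items():
        name = setting.rsplit("\\", 1)[-1]  # last registry path component
        impact, risk = ratings.get(name, ("high", "high"))  # unrated: full review
        rows.append((LEVEL[impact], -LEVEL[risk], name, impact, risk, have, want))
    return [r[2:] for r in sorted(rows, key=lambda r: r[:3])]

if __name__ == "__main__":
    gaps = gap(load_template(CURRENT_INF), load_template(TARGET_INF))
    for row in rollout_plan(gaps, RATINGS):
        print("%-26s impact=%-6s risk=%-6s have=%s want=%s" % row)
```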
Sample Evaluation Spreadsheet
Implementation Specifics
• Settings were deployed using domain Group Policies
• Initial FDCC Group Policy was equivalent to existing security settings
• Incorporated settings with “low” impact first
• Testing and phased rollouts of “medium” impact settings
• Continually working on making necessary changes to accommodate “high” impact and “high” risk settings
• Implemented by small team over a 3 month period
Dealing With Some Of The “Gotchas”
• Least User Privileges / Access (LUA)
– INL had implemented LUA principles previous to FDCC
– BeyondTrust Privilege Manager
• Upgraded to latest version
• Renewed focus on generating new rules
• Exceptions and Deviations
– Example: Need for Local Printer Shares
– Group Policy application by groups in addition to OU
• Internally developed program to control Group Policy application
Active Directory Interface
History Log
Ongoing Work
• Continue to evaluate / test / implement “Gap” settings
• Incorporation of SCAP scanning tools into existing vulnerability scans
• Refine and enhance process for exceptions and variances
• Revisit previous exceptions and develop appropriate single variance policies
• Reduce / Eliminate the number of “exempted” systems
• Extend the FDCC strategy to Non-Windows systems and Servers