This frequently asked questions (FAQ) document
addresses subjects associated with the March 2007 OMB-mandated
Federal Desktop Core Configuration (FDCC). Topics include the FDCC,
laboratory testing of the FDCC, agency testing of the FDCC, use of
the Security Content Automation Protocol (SCAP) to evaluate computers for FDCC compliance, deploying the
FDCC, and reporting deviations to the FDCC.
-
What is the Federal Desktop Core
Configuration (FDCC)?
-
What operating systems have FDCC
settings?
-
Where can I obtain security
configuration information for operating systems other than
Windows XP and Windows Vista?
-
How was the FDCC created?
-
Is NIST endorsing or mandating
the use of the Windows XP or Windows Vista operating systems or
requiring each setting be applied as stated?
-
Is NIST working exclusively with
Microsoft on security settings?
-
Is OMB mandating that each
setting be applied as stated in the spreadsheet and Security
Content Automation Protocol (SCAP)
content? What if we want to implement stronger settings?
-
Is FDCC applicable to special
purpose (e.g., scientific, medical, process control, and
experimental systems) computers?
-
Is FDCC applicable to Windows XP
and Vista computers used as servers?
-
Does the FDCC Security Content
Automation Protocol (SCAP) apply
only to desktop systems?
-
Is FDCC applicable to contractor
computers?
-
How does FDCC relate to FISMA
compliance and SP 800-53?
-
How do I report compliance and
deviations? To whom do I report that information? Is there a
specific reporting format?
-
Where can I find a centralized
list of FDCC compliant applications?
-
What versions and Service Pack
levels of XP and Vista does FDCC apply to?
-
What tools are used to edit the
XML Security Content Automation Protocol (SCAP) data and GPOs?
-
How are vendors required to
prove FDCC compliance?
-
How often does NIST publish
updates to the online resources?
-
What version of Microsoft
Internet Explorer was tested?
-
What if I use a browser other
than Internet Explorer 7.0?
-
Were any Microsoft Office
security configurations of the FDCC tested?
-
To comply with the FDCC, are
Federal organizations required to use the Microsoft Windows
Firewall?
-
Is Microsoft Defender and/or
other malware scanning software included in the FDCC settings?
-
What are Virtual PCs (VPC), and
what is the difference between a VPC and a Virtual Hard Disk
(VHD)? DEPRECATED
-
Why are VHDs beneficial? DEPRECATED
-
When will VHDs expire, and how
often will they be updated? DEPRECATED
-
What can be downloaded from the
FDCC technical site? DEPRECATED
-
Must I use WinZip to reassemble
the segmented VHD files? What if I don't have WinZip? DEPRECATED
-
I am unable to decompress the
VHD file. DEPRECATED
-
Can I use the VHDs, GPOs, .inf,
and Security Content Automation Protocol (SCAP) content in an operational environment? DEPRECATED
-
What are the accounts and
passwords that I can use to log on to the FDCC test VPCs? DEPRECATED
-
How do I use the VHDs? DEPRECATED
-
What should I consider before I
run the VHDs? DEPRECATED
-
Who produces the VHDs? DEPRECATED
-
Does the Security Content
Automation Protocol (SCAP) Content & GPOs for
FDCC cover 100% of the FDCC settings? If not, what is missing and
why?
-
Some settings listed in the
spreadsheet do not appear in the group policy editor.
-
When I try to view and edit the
group policies on a computer running Windows XP or Windows
Server 2003 I receive an error message.
-
I have also encountered errors
when using the Group Policy Results feature on a computer
running Windows Vista with Service Pack 1.
-
What are the differences between
“Not Applicable,” “Not Defined,” and “Not Configured” in the
settings spreadsheet?
-
I am responsible for
implementing FDCC in my organization. I have many questions and
concerns. Who is the correct person for me to call?
-
I just downloaded and extracted the Virtual PC files but I only
see a virtual hard drive (.VHD) file, no virtual machine (.VMC). DEPRECATED
-
I have tried several scanners, none seem to be able to
accurately detect user-specific settings.
-
Why do the Windows
XP checks for several user rights fail after I delete the
SUPPORT_388945a0 account?
-
I scanned a NIST
provided VHD with an SCAP Validated FDCC Scanner, but several patches were missing. What does this mean?
-
What is the Security Content
Automation Protocol (SCAP)?
-
How are the Security Content
Automation Protocol (SCAP) and
SCAP-validated with FDCC Scanner Capability tools relevant to FDCC?
-
What settings cannot be verified
with the current Security Content Automation Protocol (SCAP) tools?
-
Where can I obtain FDCC Security
Content Automation Protocol (SCAP)
content?
-
What is Security Content
Automation Protocol (SCAP) Compliance?
-
How do I know if a Tool is
Security Content Automation Protocol (SCAP)-validated?
-
How can agencies perform
acceptance testing of FDCC compliant software?
-
How can agencies ensure that
their systems maintain the FDCC settings throughout the systems
life cycle?
-
How can agencies use Security
Content Automation Protocol (SCAP) FDCC
content to automate FISMA compliance of technical controls?
-
How can agencies report their
compliance to the FDCC?
-
Are there currently any
Security Content Automation Protocol (SCAP)-validated tools?
-
Is checking FDCC settings 100%
automated through Security Content Automation Protocol (SCAP)? Will manual assessment methods be
required?
-
Will scans based on Security
Content Automation Protocol (SCAP)
checklists produce results with 100% of all checks passing?
-
Does the FDCC SCAP content utilize WMI? Can the use of WMI cause
issues?
-
What are some settings that will
impact system functionality that I should test before I deploy
the OMB mandated FDCC Security Content Automation Protocol
(SCAP) in an operational environment?
-
What is the envisioned
deployment method for FDCC?
-
How should I deploy the FDCC
settings? With the VHDs or the GPOs?
-
My agency does not use Active
Directory yet we have many computers to manage. How can we most
easily implement the FDCC settings on stand-alone systems?
-
How do I apply Microsoft GPOs to
one of several different operating systems I manage through the
Group Policy Management Console (GPMC)?
-
Does the FDCC Security Content
Automation Protocol (SCAP) include
specific USG digital certificates?
-
Can a standard user share files
using the Microsoft file or peer-to-peer sharing protocols?
-
Does the FDCC Security Content
Automation Protocol (SCAP) include
power management specific settings?
-
Does the password policy apply
only to local accounts?
-
Is FDCC applicable to domain
accounts (versus local)?
-
Does the password policy apply
to Windows XP and Vista only or is it also applicable to all
applications installed on the XP and Vista systems?
-
Must my administrator account be
renamed to "Renamed_Admin"?
-
One of the FDCC settings does
not allow the installation of unsigned device drivers. In order
to be compliant, do we need to remove unsigned device drivers
that are already installed on a general purpose computing
devices?
-
FDCC settings prohibit wireless.
Are there any conditions under which wireless is allowed?
Airport? Hotel? We have implemented wireless within our
enterprise. Do I really need to disable wireless? What if I am
using a third-party wireless client?
-
Does the system need to have IE7
installed to be FDCC compliant?
-
FDCC settings prohibit escalated
privileges from being granted to ordinary end-users. What is
considered an escalated privilege?
-
Why do the FDCC settings
restrict the use of some IPv6 technologies?
Federal Desktop
Core Configuration
-
What is the Federal Desktop Core
Configuration (FDCC)? The Federal Desktop Core Configuration
(FDCC) is an OMB-mandated security configuration. The FDCC currently
exists for Microsoft Windows Vista and XP operating system software.
While not addressed specifically as the "Federal Desktop Core
Configuration," the FDCC was originally called for in a 22 March
2007 memorandum from OMB to all Federal agencies and department
heads and a corresponding memorandum from OMB to all Federal agency
and department Chief Information Officers (CIO).
-
What operating systems have FDCC
settings? Currently, FDCC settings are intended for Microsoft
Windows XP Professional with Service Pack (SP) 2 or SP 3 and Microsoft Windows Vista Business,
Microsoft Windows Vista Enterprise, and Microsoft Windows Vista Ultimate with SP 1.
-
Where can I obtain security
configuration information for operating systems other than Windows
XP and Windows Vista? NIST SP 800-70 Revision 2
(http://csrc.nist.gov/publications/PubsSPs.html#800-70),
executive summary page 3 (ES-3), states: “users from Federal civilian
agencies should first search for NIST-produced checklists, which
are tailored for civilian agency use. If no NIST-produced
checklist is available, then agency-produced checklists from the
Defense Information Systems Agency (DISA) or the National
Security Agency (NSA) should be used if available or
vendor-produced checklists should be used. If these checklists
are not available, then checklists from other trusted third
parties may be used. Certain checklists on the NCP are mandated
for use by federal agencies by the OMB. These include the OMB
FDCC checklists for Windows Vista, Windows XP, Internet Explorer
7, Windows XP Firewall, and Windows Vista Firewall.”
-
How was the FDCC created?
The Windows Vista FDCC is based on DoD
customization of the Microsoft Security Guides for both Windows
Vista and Internet Explorer 7.0. Microsoft's Vista Security Guide
was produced through a collaborative effort with DISA, NSA, and
NIST. The guide reflects the consensus recommended settings from
DISA, NSA, and NIST for the Windows Vista platform.
The Windows XP FDCC is based on Air Force customization of the
Specialized Security-Limited Functionality (SSLF) recommendations in
NIST SP 800-68 and DoD customization of the recommendations in
Microsoft's Security Guide for Internet Explorer 7.0.
-
Is NIST endorsing or mandating the use
of the Windows XP or Windows Vista operating systems or requiring
each setting be applied as stated?
No. NIST does not endorse the use of any
particular product or system. NIST is not mandating the use of the
Windows XP or Vista operating systems, nor is NIST establishing
conditions or prerequisites for Federal agency procurement or
deployment of any system. NIST is not precluding any Federal agency
from procuring or deploying other computer hardware or software for
which NIST has not developed a publication, security configuration
checklist, or virtual testing environment. Although the FDCC
currently applies to Windows XP and Vista, security guidance is
available for other platforms. The OMB and GSA updated the
Federal Acquisition Regulation (FAR) on
February 28, 2008; Part 39 now reads as follows:
(d) In acquiring information technology, agencies shall include
the appropriate IT security policies and requirements, including use
of common security configurations available from the NIST's website
at http://checklists.nist.gov. Agency contracting officers
should consult with the requiring official to ensure the appropriate
standards are incorporated.
-
Is NIST working exclusively with
Microsoft on Security Content Automation Protocol (SCAP) security settings?
No. NIST is currently working with a number
of IT vendors on standardizing security settings for a wide variety
of IT products and environments. NIST does this through the NIST
Security Configuration Checklists Program for IT Products. The NIST
process for creating, vetting, and making security checklists
available for public use is documented in NIST SP 800-70
Revision 1, Security
Configuration Checklists Program for IT Products: Guidance for
Checklists Users and Developers. For more information about the
National Checklist Program visit
http://checklists.nist.gov/. If IT vendors would like to
standardize additional security settings with NIST, please contact
checklists@nist.gov.
-
Is OMB mandating that each setting be
applied as stated in the spreadsheet and Security Content Automation
Protocol (SCAP) content? What if we
want to implement stronger settings? Yes, all of the settings are required in
order to be compliant; however, agencies are free to implement values
that are more restrictive than those listed in the FDCC settings.
The FDCC settings establish a target that agencies are encouraged
to surpass when feasible.
-
Is FDCC applicable to special purpose
(e.g., scientific, medical, process control, and experimental
systems) computers? The primary targets of FDCC are
general-purpose systems such as managed desktops and laptops.
Embedded computers, process control systems, specialized scientific
or experimental systems, and similar systems using Windows XP or
Vista are out of the scope of FDCC. Of course, such systems still
require appropriate protection and application of sound risk
management principles. In general, for such systems agencies should
examine the FDCC security configuration for applicability where
feasible and appropriate.
-
Is FDCC applicable to Windows XP and
Vista computers used as servers?
No, Windows XP and Vista computers not
categorized as desktops or laptops are out of scope for FDCC.
-
Does the FDCC Security
Content Automation Protocol (SCAP) apply only to
desktop systems? FDCC applies to both desktops and laptops
that are deployed and connected directly to the organization's
network, even those only connected intermittently.
-
Is FDCC applicable to contractor
computers? Yes, Windows XP and Vista computers that are
owned or operated by a contractor on behalf of or for the USG or are
integrated into a Federal system are subject to FDCC.
-
How does FDCC relate to FISMA
compliance and SP 800-53? Per OMB Memorandum M-08-21, “FY
2008 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management,” the following
configuration management questions are provided regarding FDCC:
-
Indicate which aspects of Federal
Desktop Core Configuration (FDCC) have been implemented as of
this report:
-
Agency has adopted and implemented
FDCC standard configurations and has documented
deviations. Yes or No.
-
New Federal Acquisition Regulation
2007-004 language, which modified "Part 39—Acquisition
of Information Technology,” is included in all contracts
related to common security settings. Yes or No.
-
All Windows XP and VISTA computing
systems have implemented the FDCC security settings. Yes
or No.
-
How do I report compliance and
deviations? To whom do I report that information? Is there a
specific reporting format? The first FDCC reporting deadline was March
31, 2008. The reporting requirements for that date have passed;
the only reporting relating to FDCC that agencies are
currently required to perform is part of their standard FISMA report, as
described in OMB Memorandum M-08-22, "Guidance
on the Federal Desktop Core Configuration (FDCC),"
which states:
-
Indicate which aspects of Federal
Desktop Core Configuration (FDCC) have been implemented as of
this report:
-
Agency has adopted and implemented
FDCC standard configurations and has documented
deviations. Yes or No.
-
New Federal Acquisition Regulation
2007-004 language, which modified "Part 39—Acquisition
of Information Technology,” is included in all contracts
related to common security settings. Yes or No.
-
All Windows XP and VISTA computing
systems have implemented the FDCC security settings. Yes
or No.
-
Where can I find a centralized list of
FDCC compliant applications?
IT product vendors are actively testing
their applications for compliance with the FDCC Security Content
Automation Protocol (SCAP), and
information on compliance will be made available at the vendors'
sites. Agencies are welcome to share FDCC compliance testing
information with the understanding that each individual CIO is
responsible for fulfilling the requirements in OMB Memorandum
M-07-18.
-
What versions and Service Pack levels
of XP and Vista does FDCC apply to? FDCC Major
Version 1.1 is based on Microsoft Windows XP Service Pack (SP) 2
and Microsoft Windows Vista SP 1. Although Security Content
Automation Protocol (SCAP) Content has been engineered so that
it will also operate on Windows XP SP3, near-term Windows XP
patch checking covers both SP2 and SP3. It is understood that many managed environments throughout
the Federal government implement service packs shortly after their
release. While near-term Windows XP checking is based on Windows
XP/SP2, we do not anticipate any significant measurement issues for
Windows XP/SP3.
-
What tools are used to edit the XML
Security Content Automation Protocol (SCAP) data and GPOs?
The XCCDF and OVAL content are edited with an
XML editor and Notepad. Open-source or commercial XML editors can be
used to edit the SCAP content. The GPOs are edited using the Group
Policy Editor, gpedit.msc.
-
How are vendors required to prove FDCC compliance? There is no formal compliance process;
vendors of information technology products must self-assert FDCC
compliance. They are expected to ensure that their products function
correctly with computers configured with the FDCC settings. The
product installation process must make no changes to the FDCC
settings. Applications must work with users who do not have
administrative privileges, the only acceptable exception being
information technology management tools. Vendors must test their
products on systems configured with the FDCC settings, and they must use
SCAP-validated tools with FDCC Scanner capability to certify that their
products operate correctly with FDCC configurations and do not alter
FDCC settings. OMB provided suggested contract language in this memo:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf;
vendors are likely to encounter similar language when negotiating
with agencies.
FDCC Laboratory Testing
-
How often does NIST
publish updates to the Online resources?
In support of OMB and Federal organizations, and
with assistance from NSA, DISA, Microsoft, and third-party tool
vendors, NIST periodically publishes updated content. The planned
schedule is as follows:
- Monthly updates to the SCAP content
that include information about the latest hotfixes for Windows
Vista and Windows XP.
- Quarterly updates to the SCAP content to address flaws or to
support newer XCCDF and OVAL formats.
- Quarterly updates to the settings spreadsheet to address
flaws.
- Quarterly updates to the virtual hard drives (VHD) to
address flaws and to reset the expiration dates for the trial
versions of Windows Vista and Windows XP.
- Less frequent updates to all of the resources to accommodate
changes to the FDCC settings themselves that have been approved
by the Federal CIO Council FDCC Change Control Board.
-
What version of Microsoft Internet
Explorer was tested?
Internet Explorer 7.0 was tested.
-
What if I use a browser other than
Internet Explorer 7.0?
While settings for other browsers were not tested,
Federal organizations are free to use other Web browser software
instead of or in addition to Internet Explorer 7.0 (IE7). If agencies are
using Internet Explorer, NIST recommends that they use IE7. When
using other browsers agencies must extrapolate the FDCC settings for
IE7 to their chosen browser whenever possible.
-
Were any Microsoft Office security
configurations of the FDCC tested?
Microsoft Office is not part of the FDCC mandate.
It is not installed on the VHDs nor are Microsoft Office settings
included in GPOs.
-
To comply with the FDCC, are Federal
organizations required to use the Microsoft Windows Firewall?
No. The FDCC Security Content Automation Protocol
(SCAP) requires the use of a
personal firewall and includes the Microsoft Windows Firewall
settings, because it is enabled with the operating system
installation. However, Federal organizations are free to use other
desktop firewall software instead of the Microsoft Windows Firewall.
-
Is Microsoft Defender and/or other
malware scanning software included in the FDCC settings?
Yes. Microsoft Defender is installed on FDCC VHDs;
however, there is currently no configuration guidance for this
product other than the default settings provided by Microsoft. As is
the case with the Microsoft Windows Firewall, NIST recommends the
use of malware scanning utilities, but does not recommend any
particular vendor's product.
FDCC Agency Testing
-
What are Virtual PCs (VPC), and what
is the difference between a VPC and a Virtual Hard Disk (VHD)? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
Virtual PC (VPC) is a Microsoft product that
allows users to run a virtual instance of an operating system (aka
Virtual Hard Disk) within an already running instance of an
operating system (aka non-virtual OS). The Virtual Hard Disk (VHD)
can utilize the hardware of the computer (e.g., hard drive, Ethernet
card, USB ports) in the same way the non-virtual OS does. From the
non-virtual OS, the VHD appears as a single, large *.vhd file.
-
Why are VHDs beneficial? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
VHDs are very useful for both laboratory and
deployment testing. While software can be installed on a VHD in the
same way software is installed on normal operating systems, VHDs can
be discarded and re-implemented very quickly for the purposes of
ensuring a pristine testing environment or if something
malfunctioned with the previous VHD. Additionally, multiple VHDs can
be run over a single physical platform to achieve cost savings.
-
When will VHDs
expire, and how often will they be updated? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
According to Microsoft licensing, VHD licenses
expire after 120 days. FDCC test VHDs will be published quarterly
and can be found at:
http://nvd.nist.gov/fdcc/download_fdcc.cfm
-
What can be downloaded from the FDCC
technical site? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
The FDCC technical Web site contains Windows Vista
and Windows XP FDCC policy documentation, VHD files, Group Policy
Object (GPO) files, and SCAP content files.
-
Must I use WinZip to reassemble the
segmented VHD files? What if I don't have WinZip? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
To enable more manageable download of the
multi-gigabyte virtual images, NIST elected to provide WinZip
segmented files. To the best of our knowledge, these files can only
be re-assembled with WinZip. Agency/department representatives who
prefer a non-segmented virtual machine image can write to
fdcc@nist.gov with their
affiliation and a shipping address. Once affiliation is confirmed, a
non-segmented virtual machine image will be shipped on a DVD to your
attention.
-
I am unable to decompress the VHD
file. DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
Verify that the file name extensions are correct.
Internet Explorer may change the extension of one or more of the
files; for each segmented archive the first file’s extension should
be .zip and the others should be .z01, .z02, .z03, etc. You may have to
manually correct these in order to decompress the archive. If this
does not resolve your problem you can write to
fdcc@nist.gov to request a DVD
with non-segmented versions of the files.
-
Can I use the VHDs, GPOs, .inf, and
Security Content Automation Protocol (SCAP) content in an operational environment? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
It is recommended that VHDs, GPOs, .inf, and SCAP
content be used in a test and evaluation environment. After careful
and comprehensive testing, an organization may decide to use the GPO, .inf, and/or
SCAP content in the production environment. VHDs are provided for
laboratory testing purposes only and are not to be used as a
deployment image.
-
What are the accounts and passwords
that I can use to log on to the FDCC test VPCs? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
-
Windows Vista - FDCC_Admin and P@ssw0rd123456
-
Windows XP - Renamed_Admin and P@ssw0rd123456
-
How do I use the VHDs?
DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
NIST suggests you first make a backup copy of the
downloaded VHD files. Then install the
Virtual PC software as obtained from Microsoft. Next, run the
New Virtual Machine wizard to create a new VPC that will use the
downloaded VHD file. Consult the Virtual PC documentation for
additional information.
-
What should I consider before I run
the VHDs? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
NIST recommends that you install and configure
antivirus software and set the VPC networking setting to "Local
only" or "Not Connected." Consult the Virtual PC
documentation for information about these settings.
-
Who produces the VHDs? DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
At the request of OMB, Microsoft produces the VHDs
with input from many departments and agencies including DHS, DISA,
OMB, NIST, NSA, and USAF.
-
Does the Security
Content Automation Protocol (SCAP) Content & GPOs for FDCC
cover 100% of the FDCC settings? If not, what is missing and why?
No, there are a small number of settings that cannot be
automated at this time. Settings not checked by SCAP content:
- Vista Firewall
  - IPv6 Block of Protocol 41
  - IPv6 Block of UDP 3544
- Windows XP
  - Network access: Allow anonymous SID-Name translation
- Windows Vista
  - Network access: Allow anonymous SID-Name translation
Settings not implemented through Group Policy Objects:
- Vista
  - Configure Microsoft Spynet Reporting
  - Disable ISATAP, Teredo, and 6to4 tunneling protocols
  - All 47 Vista audit policy settings
    (contained in "FDCC Other Settings\Audit Policy Group")
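Because the settings listed above are not checked by the SCAP content, an administrator has to verify them by hand. The following PowerShell script is an added example, not part of the NIST FAQ or its SCAP content: it reads the anonymous SID/Name translation policy from a secedit export and looks for enabled Windows Firewall block rules for IP protocol 41 and UDP 3544. It assumes the rule names are unknown (rules are matched on protocol, port and action rather than name), accepts a rule in either direction, and treats the LSAAnonymousNameLookup line of the export as the representation of "Network access: Allow anonymous SID/Name translation" (0 = disabled).

```powershell
# Added example, not from the NIST FAQ: spot-check the FDCC settings that the FAQ
# lists as not covered by the SCAP content, so they can be verified by hand.
# Run from an elevated prompt on the system under test.
# Assumptions (labelled): Vista firewall rule names are not known here, so rules
# are matched on protocol, port and action instead of name; the policy
# "Network access: Allow anonymous SID/Name translation" is read from the
# LSAAnonymousNameLookup line of a secedit export (0 = disabled).

function New-Result {
    param($Setting, $Expected, $Actual, [bool]$Pass)
    New-Object PSObject -Property @{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

# Anonymous SID/Name translation (the same check applies to the XP and Vista entries)
function Test-AnonymousSidNameLookup {
    $cfg = Join-Path $env:TEMP 'fdcc-secpol.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    $value = $null
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*LSAAnonymousNameLookup\s*=\s*(\d+)') { $value = [int]$Matches[1]; break }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    New-Result 'Network access: Allow anonymous SID/Name translation' 0 $value ($value -eq 0)
}

# Windows Firewall with Advanced Security: look for an enabled BLOCK rule (Action 0)
# for the given IP protocol and, for UDP, the given port. Protocol 41 carries
# 6to4/ISATAP encapsulated IPv6; UDP 3544 is Teredo. Either direction counts.
function Test-BlockRule {
    param([int]$Protocol, [string]$Port, [string]$Label)
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $hits = @($policy.Rules | Where-Object {
        $_.Enabled -and $_.Action -eq 0 -and $_.Protocol -eq $Protocol -and
        (-not $Port -or $_.LocalPorts -eq $Port -or $_.RemotePorts -eq $Port)
    })
    $names = if ($hits.Count -gt 0) { ($hits | ForEach-Object { $_.Name }) -join '; ' } else { 'no enabled block rule' }
    New-Result $Label 'enabled block rule' $names ($hits.Count -gt 0)
}

$report = @(
    Test-AnonymousSidNameLookup
    Test-BlockRule -Protocol 41 -Label 'Vista Firewall: IPv6 block of protocol 41'
    Test-BlockRule -Protocol 17 -Port '3544' -Label 'Vista Firewall: IPv6 block of UDP 3544 (Teredo)'
)
$report | Format-Table Setting, Expected, Actual, Pass -AutoSize
```

A row with Pass = False means the setting needs to be corrected or documented as a deviation; the script only reports and changes nothing.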
-
Some settings listed in the
spreadsheet do not appear in the group policy editor.
The FDCC includes security settings that don’t
appear in the default user interface for the group policy editor.
The settings with the “MSS:” prefix were introduced by Microsoft in
their security guides for Windows Server 2003 and Windows XP. You
can review this article on
Microsoft's FDCC blog
for more details on how to modify the
editor to make these settings visible.
-
When I try to view and edit the group
policies on a computer running Windows XP or Windows Server 2003 I
receive an error message.
The group policy objects available on the FDCC
website were created on computers running Windows Vista or Windows
Server 2008. Some of them may include settings that are new to those
versions of Windows. For example, the Windows Firewall With Advanced
Security was introduced in Windows Vista. Earlier versions of
Windows cannot be used to manage these group policy objects.
-
I have also encountered errors when
using the Group Policy Results feature on a computer running Windows
Vista with Service Pack 1.
Microsoft published information about an error
that can arise after applying the FDCC settings to a computer.
Navigating to settings below the Computer Configuration\Windows
Settings\Security Settings\ container can result in an error. You
can learn more about this situation by visiting
their FDCC blog. Microsoft has a hotfix available for this
problem; to obtain it you must contact Microsoft Customer Support
and reference Knowledgebase number 955857 because it is not yet
publicly available.
-
What are the differences between “Not
Applicable,” “Not Defined,” and “Not Configured” in the settings
spreadsheet?
“Not Applicable” means that the setting is not
available in that version of Windows. For example, there are many
new settings in Windows Vista that will have no effect on computers
running Windows XP, including the settings for the Windows Firewall
with Advanced Security. “Not Defined” and “Not Configured” are
functionally equivalent: they mean that the FDCC does not require
any specific value for that setting, and agencies are free to
configure it however they wish.
-
I am responsible for implementing FDCC
in my organization. I have many questions and concerns. Who is the
correct person for me to call?
Please review the FDCC FAQs and send any unresolved
inquiries to fdcc@nist.gov.
-
I just downloaded and extracted the Virtual PC files but I only
see a virtual hard drive (.VHD) file, no virtual machine (.VMC). DEPRECATED
The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html
Legacy Answer
Virtual PC uses .VMC files to store information about each
virtual machine including network adapters and memory
allocation. To use the FDCC virtual hard drives you need to
create a new virtual machine and specify the desired .VHD file
for it.
-
I have tried several scanners, none seem to be able to
accurately detect user-specific settings.
The FDCC includes both machine settings and user settings; the
latter are stored in each user's profile. When a user logs in,
Windows loads their profile and maps the user-specific registry
settings to the HKEY_CURRENT_USER hive, commonly referred to as
HKCU. For automated scanners it is exceedingly difficult to
determine whether user settings such as the screen saver timeout
and AutoComplete settings for Internet Explorer are
configured correctly. If no user is logged on then HKCU will not
exist; the scanner could attempt to examine all of the user
profiles stored on the computer, but these may include some
that do not need the FDCC settings. Vendors may attempt to
address this situation in various ways; however, in many cases
the administrator will have to manually verify the user-specific
settings. The following table lists the user-specific
settings included in the FDCC:
Policy Setting Name | CCE v4 Reference | Vista CCE v5 Reference | XP CCE v5 Reference
Configure Outlook Express | CCE-963 | CCE-3275-5 | CCE-3275-5
Hide mechanisms to remove zone information | CCE-58 | CCE-2979-3 | CCE-5042-7
Do not preserve zone information in file attachments | CCE-12 | CCE-3437-1 | CCE-4412-3
Notify antivirus programs when opening attachments | CCE-372 | CCE-3300-1 | CCE-5059-1
Prevent users from sharing files within their profile | CCE-1144 | CCE-5070-8 | (Not Applicable)
Turn on the Internet Connection Wizard Auto Detect | CCE-258 | CCE-4036-0 | CCE-4036-0
Disable Internet Connection wizard | CCE-769 | CCE-3825-7 | CCE-3825-7
Disable the Reset Web Settings feature | CCE-625 | CCE-4226-7 | CCE-4226-7
Turn on the auto-complete feature for user names and passwords on forms | CCE-721 | CCE-3647-5 | CCE-3647-5
Turn off page transitions | CCE-71 | CCE-4056-8 | CCE-4056-8
Disable AutoComplete for forms | CCE-478 | CCE-4246-5 | CCE-4246-5
Disable external branding of Internet Explorer | CCE-1051 | CCE-4237-4 | CCE-4237-4
Password protect the screen saver | CCE-949 | CCE-4290-3 | CCE-4500-5
Screen Saver timeout | CCE-830 | CCE-3050-2 | CCE-2980-1
Prompt for password on resume from hibernate / suspend | CCE-509 | CCE-3169-0 | CCE-4390-1
Turn off Help Experience Improvement Program | CCE-174 | CCE-5239-9 | (Not Applicable)
Turn off Help Ratings | CCE-1109 | CCE-4851-2 | (Not Applicable)
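The manual verification described above can be scripted. The following PowerShell script is an added example and is not part of the NIST FAQ or of any scanner product: it enumerates the user profiles registered on the computer, uses the hive already under HKEY_USERS for logged-on users and temporarily loads NTUSER.DAT for everyone else, then reads four of the user-specific settings from the table. The registry paths and value names (the Group Policy "Policies" keys take precedence over the user's own keys), the expected values, and the 900-second timeout threshold are assumptions that must be checked against the FDCC GPOs and SCAP content for your platform. Run it from an elevated prompt.

```powershell
# Added example, not NIST or vendor code. Checks FDCC user-specific settings in
# every local user profile, logged on or not. Registry locations, expected values
# and the timeout threshold are assumptions; verify them against the FDCC content.

$MaxTimeoutSeconds = 900   # assumed threshold; substitute the value your FDCC GPO sets

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# A value written by Group Policy (under Software\Policies) wins over the user's own value.
function Get-UserSetting([string]$Root, [string]$PolicyKey, [string]$UserKey, [string]$Name) {
    $v = Get-RegValue "$Root\$PolicyKey" $Name
    if ($v -eq $null) { $v = Get-RegValue "$Root\$UserKey" $Name }
    return $v
}

function Test-FdccUserSettings([string]$Root) {
    $desktopPolicy = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $desktopUser   = 'Control Panel\Desktop'
    $iePolicy      = 'Software\Policies\Microsoft\Internet Explorer\Main'
    $ieUser        = 'Software\Microsoft\Internet Explorer\Main'

    $timeout = (Get-UserSetting $Root $desktopPolicy $desktopUser 'ScreenSaveTimeOut') -as [int]
    $secure  = Get-UserSetting $Root $desktopPolicy $desktopUser 'ScreenSaverIsSecure'
    $forms   = Get-UserSetting $Root $iePolicy $ieUser 'Use FormSuggest'
    $pwds    = Get-UserSetting $Root $iePolicy $ieUser 'FormSuggest Passwords'

    New-Object PSObject -Property @{ Setting = 'Screen Saver timeout'; Value = $timeout
        Pass = ($timeout -ne $null -and $timeout -gt 0 -and $timeout -le $MaxTimeoutSeconds) }
    New-Object PSObject -Property @{ Setting = 'Password protect the screen saver'; Value = $secure; Pass = ("$secure" -eq '1') }
    New-Object PSObject -Property @{ Setting = 'Disable AutoComplete for forms'; Value = $forms; Pass = ("$forms" -eq 'no') }
    New-Object PSObject -Property @{ Setting = 'Auto-complete for user names and passwords (expected off)'; Value = $pwds; Pass = ("$pwds" -eq 'no') }
}

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($key in Get-ChildItem -Path $profileList) {
    $sid = $key.PSChildName
    # Only S-1-5-21-... SIDs are real user accounts; the service account profiles do not need these settings.
    if ($sid -notlike 'S-1-5-21-*') { continue }
    $profilePath = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath).ProfileImagePath
    $loaded = Test-Path -Path "Registry::HKEY_USERS\$sid"
    if ($loaded) {
        $root = "Registry::HKEY_USERS\$sid"          # user is logged on: hive already mapped
    } else {
        & reg.exe load 'HKU\FDCC_TMP' "$profilePath\NTUSER.DAT" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $sid ($profilePath)"; continue }
        $root = 'Registry::HKEY_USERS\FDCC_TMP'
    }
    try {
        Write-Host "`n== $profilePath ($sid) =="
        Test-FdccUserSettings $root | Format-Table Setting, Value, Pass -AutoSize | Out-Host
    } finally {
        # Release the provider's handles before unloading, otherwise reg.exe reports the hive as in use.
        if (-not $loaded) { [gc]::Collect(); & reg.exe unload 'HKU\FDCC_TMP' | Out-Null }
    }
}
```

Profiles that are present on disk but do not appear in ProfileList (for example a mandatory profile copied in by hand) are not visited; extend the enumeration if your environment uses them.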
-
Why do the
Windows XP checks for several user rights fail after I
delete the SUPPORT_388945a0 account?
The SUPPORT_388945a0 account is a special account built
into Windows XP that is used by the Remote Assistance feature.
The FDCC settings require that the following user rights be assigned
to this account: "Denied Access To This Computer From The
Network", "Denied Logon As A Batch Job", and "Denied Logon
Locally." If the account has been deleted there is no reason to
assign these rights to it. In other cases where the SCAP
content checks whether an account does or does not hold a
specific user right, a well-known security identifier (SID) is
used. A SID is a numerical identifier that maps to the
user-friendly name of the account. Many built-in accounts, such
as the Administrators group and the Guest account, have the same
SID on every computer running Windows, but the SUPPORT_388945a0
account is assigned a random SID during the installation of
Windows XP. The SCAP content therefore checks for the
literal SUPPORT_388945a0 account name in the list of accounts
holding each of these user rights, and it has no way to
distinguish between deletion of the account and renaming of the
account: in either case the checks fail.
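The deletion and renaming cases can be told apart locally. The following PowerShell script is an added example (not NIST content): it exports the local security policy with secedit.exe, reads the three "Deny" user rights from the [Privilege Rights] section, and resolves every SID it finds to an account name. A SID that no longer resolves is an orphan left behind by a deleted account; a SID that resolves to a name other than SUPPORT_388945a0 shows a renamed account. It assumes secedit writes each account as a *SID entry in the exported .inf and that the export is run from an elevated prompt.

```powershell
# Added example, not NIST code. Resolves the accounts that hold the FDCC "Deny ..."
# user rights on Windows XP so that a deleted SUPPORT_388945a0 account (orphaned
# SID) can be distinguished from a renamed one (SID resolves to another name).

$inf = Join-Path $env:TEMP 'fdcc-user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (run from an elevated prompt)" }

# Parse only the [Privilege Rights] section: "SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-...".
$rights = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
        $right = $matches[1]
        $rights[$right] = @($matches[2] -split ',' | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

function Resolve-Sid([string]$Sid) {
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null    # unresolvable: the account that owned this SID has been deleted
    }
}

$denyRights = 'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyInteractiveLogonRight'
foreach ($right in $denyRights) {
    Write-Host "`n$right"
    if (-not $rights.ContainsKey($right)) { Write-Host '  (not assigned to any account)'; continue }
    $found = $false
    foreach ($entry in $rights[$right]) {
        if ($entry -match '^S-1-') {
            $name = Resolve-Sid $entry
            if ($name -eq $null) { Write-Host "  $entry -> unresolvable (account deleted)"; continue }
        } else {
            $name = $entry      # stored by name rather than SID
        }
        Write-Host "  $entry -> $name"
        if ($name -like '*\SUPPORT_388945a0' -or $name -eq 'SUPPORT_388945a0') { $found = $true }
    }
    Write-Host ("  SUPPORT_388945a0 present by name: " + $(if ($found) { 'yes (SCAP check passes)' } else { 'no (SCAP check fails)' }))
}
```

The last line of each group mirrors what the SCAP content tests, so a "no" there with an unresolvable SID above it is the deleted-account case this question describes, whereas a "no" with a SID that resolves to some other name is a rename.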
-
I scanned
a NIST provided VHD with an SCAP Validated FDCC Scanner, but several patches were missing. What does this mean?
The VHDs include all patches available at the time they were posted on http://fdcc.nist.gov for
download. Patches released by Microsoft after that point are not included until the next time the VHD is
updated, which may be several months later. As a result, these patches are not present on the VHD
and will show up as missing during the scan. This is expected behavior and does
not indicate a deficiency in the product used to scan the VHD.
Security Content
Automation Protocol
-
What is Security
Content Automation Protocol (SCAP)?
NIST established a suite of
interoperable and automatable security specifications known as the
Security Content Automation Protocol (SCAP). By virtue of using
XML-based standards, SCAP is simultaneously machine and human
readable. The FDCC SCAP content is hosted on the National Checklist
Program website; the National Vulnerability Database is being
expanded to host the SCAP component standards. More information about SCAP
may be found at http://scap.nist.gov/.
-
How are the Security
Content Automation Protocol (SCAP) and
SCAP-validated with FDCC Scanner Capability tools relevant to FDCC?
As part of the iterative VHD image integrity
testing process, engineers ensured that both VHDs and SCAP data
streams were accurately calibrated to represent and test compliance
with the FDCC recommendations. Multiple SCAP-validated with
FDCC Scanner Capability tools were able
to use the same SCAP data stream to validate that the FDCC settings
were properly applied to the VHD. The same SCAP data stream that was
used for testing compliance to the FDCC in the NIST lab can also be
used to determine if newly created images are FDCC compliant.
-
What settings cannot be verified with the current Security Content
Automation Protocol (SCAP) tools?
There are a small number of FDCC settings
that cannot be verified using SCAP at this time:
- Windows Vista firewall
  - Block of IP protocol 41 (IPv6-in-IPv4 encapsulation, used by ISATAP and 6to4)
  - Block of UDP port 3544 (Teredo)
- Windows XP
  - Network access: Allow anonymous SID/Name translation
- Windows Vista
  - Network access: Allow anonymous SID/Name translation
-
Where can I obtain FDCC Security Content Automation Protocol (SCAP) content?
FDCC SCAP content is available for Windows XP and Vista at:
http://nvd.nist.gov/fdcc/download_fdcc.cfm. The
FDCC website hosts all SCAP
reference data, inclusive of profiles for the FDCC and other Windows
XP and Windows Vista security configurations.
-
What is Security Content Automation Protocol (SCAP)-validation?
To enable the goals set forth in OMB Memorandum M-07-18, it is
necessary to have security configuration scanning tools that can use
official SCAP content. In response, NIST established the SCAP
validation program. Implemented through the NIST National Voluntary
Laboratory Accreditation Program (NVLAP), independent laboratories
can be accredited to perform the testing necessary to validate that
security tools can accurately parse the SCAP content required for
their specific functionality. Additional details on SCAP validation
are available at http://scap.nist.gov/validation/.
-
How do I know if a
Tool is Security Content Automation Protocol (SCAP)-validated?
Tools that have achieved NIST SCAP-validated with FDCC Scanner Capability
status will be listed at
http://nvd.nist.gov/scapproducts.cfm. Tools are referenced by their type (configuration
scanner, vulnerability scanner, etc…), as well as by the vendor,
tool name, and specific SCAP components in which the tool has
achieved compliance.
-
How can agencies perform acceptance testing of FDCC compliant
software?
OMB Memorandum
M-08-22, “Guidance
on the Federal Desktop Core Configuration (FDCC),” provides guidance regarding agency
acceptance testing of FDCC compliant software.
-
How can agencies ensure that their systems maintain the FDCC
settings throughout the systems life cycle?
Through the use of SCAP-validated with FDCC Scanner Capability
tools and official FDCC SCAP content, agencies can routinely monitor
their systems to ensure that the FDCC settings have not been altered
as the result of patching, installation of new software, or human
interaction. The tools compare the deployed configuration against
the official SCAP FDCC content and report on any discrepancies so
that corrective action can be taken (some tools may also have an
automatic remediation capability, consult tool vendor). As with FDCC
software acceptance testing, only SCAP-validated configuration scanning tools that are
asserted by the vendor as “FDCC Scanning Capable” on the
SCAP tools webpage
can fully process SCAP FDCC
content.
-
How can agencies use Security Content Automation Protocol (SCAP) FDCC content to automate FISMA compliance
of technical controls?
SCAP-validated tools, which agencies use to continuously monitor FDCC
settings, can output FISMA technical control compliance evidence.
The OVAL and XCCDF-based SCAP content has FISMA compliance mappings embedded in it
so that SCAP-validated tools can automatically generate NIST
Special Publication (SP) 800-53 assessment and compliance evidence.
Each low level security configuration check is mapped to the
appropriate high level NIST SP 800-53 security controls. The assessment procedures
found in
NIST SP 800-53A
are linked, where appropriate, to the SCAP automated testing of
information system mechanisms and associated security configuration
settings. In addition, the FDCC SCAP content also contains mappings
to other high level policies (e.g., ISO, DOD 8500, FISCAM) and SCAP
tools may also output those compliance mappings. There exists
additional SCAP content that can also be used by agencies to
automate FISMA technical control compliance. This SCAP content is
available at http://scap.nist.gov.
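The mapping described above lives in the XCCDF part of the content: each Rule carries a CCE ident and one or more reference elements naming SP 800-53 controls, and a TestResult records pass/fail per rule. The following PowerShell script is an added example, not NIST or vendor code, showing how a tool rolls those pieces up into per-control evidence. The XCCDF fragment embedded in it is constructed for the example (three rules, one scan result); the CCE identifiers are taken from this FAQ, but the control assignments and rule ids are illustrative and are not the official FDCC mappings. It assumes the XCCDF 1.1 namespace used by the FDCC content.

```powershell
# Added example, not NIST code. Rolls XCCDF rule results up to SP 800-53 controls
# using the <reference> and <ident> elements of each Rule. The benchmark below is
# a constructed sample; real FDCC content is far larger but has the same shape.

$xccdf = @'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-example">
  <Rule id="screen-saver-timeout" selected="true">
    <title>Screen Saver timeout</title>
    <reference>AC-11</reference>
    <ident system="http://cce.mitre.org">CCE-3050-2</ident>
  </Rule>
  <Rule id="screen-saver-password" selected="true">
    <title>Password protect the screen saver</title>
    <reference>AC-11</reference>
    <ident system="http://cce.mitre.org">CCE-4290-3</ident>
  </Rule>
  <Rule id="fips-algorithms" selected="true">
    <title>System cryptography: Use FIPS compliant algorithms</title>
    <reference>SC-13</reference>
  </Rule>
  <TestResult id="scan-1">
    <rule-result idref="screen-saver-timeout"><result>pass</result></rule-result>
    <rule-result idref="screen-saver-password"><result>fail</result></rule-result>
    <rule-result idref="fips-algorithms"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
'@

function Get-ControlEvidence([xml]$Doc) {
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('x', 'http://checklists.nist.gov/xccdf/1.1')

    # Rule id -> CCE ids and 800-53 control ids named in the benchmark.
    $ruleMap = @{}
    foreach ($rule in $Doc.SelectNodes('//x:Rule', $ns)) {
        $ruleMap[$rule.GetAttribute('id')] = New-Object PSObject -Property @{
            Cce      = @($rule.SelectNodes("x:ident[@system='http://cce.mitre.org']", $ns) | ForEach-Object { $_.InnerText })
            Controls = @($rule.SelectNodes('x:reference', $ns) | ForEach-Object { $_.InnerText })
        }
    }

    # Control id -> list of (rule, CCE, result) drawn from the TestResult.
    $evidence = @{}
    foreach ($rr in $Doc.SelectNodes('//x:TestResult/x:rule-result', $ns)) {
        $id = $rr.GetAttribute('idref')
        $result = $rr.SelectSingleNode('x:result', $ns).InnerText
        if (-not $ruleMap.ContainsKey($id)) { continue }
        foreach ($ctl in $ruleMap[$id].Controls) {
            if (-not $evidence.ContainsKey($ctl)) { $evidence[$ctl] = @() }
            $evidence[$ctl] += New-Object PSObject -Property @{
                Control = $ctl; Rule = $id; CCE = ($ruleMap[$id].Cce -join ','); Result = $result }
        }
    }
    return $evidence
}

$evidence = Get-ControlEvidence ([xml]$xccdf)
foreach ($ctl in ($evidence.Keys | Sort-Object)) {
    $items = @($evidence[$ctl])
    $failing = @($items | Where-Object { $_.Result -ne 'pass' }).Count
    '{0}: {1} check(s), {2} failing -> {3}' -f $ctl, $items.Count, $failing,
        $(if ($failing -eq 0) { 'satisfied' } else { 'not satisfied' })
    $items | ForEach-Object { '    {0} [{1}] {2}' -f $_.Rule, $_.CCE, $_.Result }
}
```

With the sample above AC-11 is reported as not satisfied (one of its two checks fails) and SC-13 as satisfied. A rule whose result is "notchecked" or "notapplicable" is counted as not passing here; decide deliberately how those should be treated before using such a roll-up as assessment evidence.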
-
How can agencies report their compliance to the FDCC?
Agencies must use tools that are
SCAP-validated with FDCC Scanner Capability to scan for both FDCC
configurations and configuration deviations approved by department
or agency accrediting authority. Agencies must also use these tools
when monitoring use of these configurations as part of FISMA
continuous monitoring. See OMB Memorandum
M-08-22, “Guidance
on the Federal Desktop Core Configuration (FDCC)”
for more details for the reporting requirements. In part,
that memorandum states the following:
- Indicate which aspects of Federal
Desktop Core Configuration (FDCC) have been implemented as of
this report:
- 1. Agency has adopted and
implemented FDCC standard configurations and has documented
deviations. Yes or No.
- 2. New Federal Acquisition
Regulation 2007-004 language, which modified "Part
39—Acquisition of Information Technology,” is included in
all contracts related to common security settings. Yes or
No.
- 3. All Windows XP and VISTA
computing systems have implemented the FDCC security
settings. Yes or No.
-
Are there currently any Security Content Automation Protocol (SCAP)-validated tools?
A list of SCAP validated tools is available at
http://nvd.nist.gov/scapproducts.cfm.
-
Is checking FDCC settings 100% automated through Security Content
Automation Protocol (SCAP)? Will manual
assessment methods be required?
SCAP automates the assessment process for all
but four of the FDCC
settings. NIST is actively working to extend the coverage of the
automated tests. However, manual methods will be needed to verify
this small subset of the FDCC settings:
- Windows Vista firewall
  - Block of IP protocol 41 (IPv6-in-IPv4 encapsulation, used by ISATAP and 6to4)
  - Block of UDP port 3544 (Teredo)
- Windows XP
  - Network access: Allow anonymous SID/Name translation
- Windows Vista
  - Network access: Allow anonymous SID/Name translation
-
Will scans based on Security Content Automation Protocol (SCAP) checklists produce results with 100% of all
checks passing?
At present, there are no known discrepancies
in the existing
FDCC SCAP content. When errors are discovered NIST will actively work to improve the accuracy of
the tests as represented in the SCAP data stream, and updated
content will be released periodically. NIST uses
JTrac to
document and monitor the status of known flaws in the FDCC content.
-
Does the FDCC SCAP content utilize WMI? Can the use of WMI cause
issues?
Some setting value checks in the SCAP content use WMI,
specifically the Resultant Set of Policy (RSoP) namespace.
For example, this is the only public application programming
interface (API) for checking the value of Network
access: Allow anonymous SID/Name translation. The Internet
Explorer Maintenance policy processing and the Kerberos settings
are also checked in this manner. NIST is not aware of any
accuracy issues related to using WMI; however, it can be slightly
slower than examining the registry directly or using other methods.
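The four settings listed earlier as not verifiable by SCAP, and the RSoP query just described, can be checked by hand with the following PowerShell script. It is an added example and not NIST or vendor content. It parses the firewall rules from "netsh advfirewall firewall show rule name=all verbose" (Windows Vista only) to look for an enabled block rule on IP protocol 41 and one on UDP 3544, and reads the anonymous SID/Name translation value from the RSoP store. The WMI class name RSOP_SecuritySettingBoolean, the key name LSAAnonymousNameLookup, and the expectation that FDCC sets this value to Disabled are assumptions to confirm against your build and the FDCC content. Run it from an elevated prompt.

```powershell
# Added example, not NIST code. Manual checks for the FDCC settings that SCAP
# cannot verify: two Vista firewall block rules and the anonymous SID/Name
# translation setting, the latter read from the RSoP WMI store as the FAQ describes.

function Get-Field([string]$Block, [string]$Label) {
    if ($Block -match "(?m)^$Label\s*:\s*(.+?)\s*$") { return $matches[1] }
    return ''
}

function Get-FirewallRules {
    $text = (& netsh.exe advfirewall firewall show rule name=all verbose) -join "`n"
    # One text block per rule; the remainder of the "Rule Name:" line is the name.
    foreach ($block in ($text -split '(?m)^Rule Name:' | Where-Object { $_.Trim() })) {
        New-Object PSObject -Property @{
            Name       = ($block -split "`n")[0].Trim()
            Enabled    = (Get-Field $block 'Enabled')
            Direction  = (Get-Field $block 'Direction')
            Action     = (Get-Field $block 'Action')
            Protocol   = (Get-Field $block 'Protocol')    # TCP, UDP, ICMPv4/6, Any, or a number such as 41 (assumed)
            LocalPort  = (Get-Field $block 'LocalPort')
            RemotePort = (Get-Field $block 'RemotePort')
        }
    }
}

function Write-Check([string]$Label, $Rules) {
    $Rules = @($Rules)
    if ($Rules.Count -gt 0) { "$Label PASS - " + (($Rules | ForEach-Object { $_.Name }) -join '; ') }
    else                    { "$Label FAIL - no enabled block rule found" }
}

$blocking = @(Get-FirewallRules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Block' })
Write-Check 'Block of IP protocol 41:' ($blocking | Where-Object { $_.Protocol -eq '41' })
Write-Check 'Block of UDP 3544 (Teredo):' ($blocking | Where-Object {
    $_.Protocol -eq 'UDP' -and ($_.LocalPort -eq '3544' -or $_.RemotePort -eq '3544') })

# RSoP holds the value that the security policy engine last applied; precedence=1 is the winning entry.
$anon = Get-WmiObject -Namespace 'root\rsop\computer' -Class RSOP_SecuritySettingBoolean `
            -Filter "KeyName='LSAAnonymousNameLookup' AND precedence=1" -ErrorAction SilentlyContinue
if ($anon -eq $null) {
    'Allow anonymous SID/Name translation: no entry in the RSoP store (no security policy has been logged; check Local Security Policy by hand)'
} elseif ($anon.Setting) {
    'Allow anonymous SID/Name translation: FAIL - enabled (FDCC expects Disabled)'
} else {
    'Allow anonymous SID/Name translation: PASS - disabled'
}
```

The firewall portion fails on Windows XP because netsh advfirewall does not exist there; the RSoP portion works on both XP and Vista but only reports a value once security policy has been applied through Group Policy (domain or local), which is the limitation behind the FAQ's remark that this is the only public API for the setting.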
-
What are some settings that will impact system functionality that I
should test before I deploy the OMB mandated FDCC Security
Content Automation Protocol (SCAP) in an
operational environment?
There are a number of settings that will impact system functionality;
agencies should test them thoroughly before deploying in an
operational environment.
- Running the system as a standard user - some applications may not
work properly because they require administrative access to
operating system and application directories and registry keys.
- Minimum password length of 12 characters and a maximum password age
of 60 days - this may impact system usability and interoperability
with some enterprise single sign-on and password management systems.
- Wireless service - the built-in wireless service is disabled, which
prevents the use of Wi-Fi network interfaces that depend on it.
- The “System cryptography: Use FIPS
compliant algorithms for encryption, hashing, and signing”
setting has been a required setting for several years, even
before the FDCC mandate was announced. It is known to affect
browser interoperability with Web sites that do not support the
FIPS 140-2 approved algorithms. This can usually be corrected by
changing the Web server configuration to offer FIPS 140-2
approved algorithms. Refer to this
knowledgebase article.
The setting also affects the encryption algorithm used by the Remote
Desktop Protocol (RDP), the protocol used by Terminal
Services, Remote Desktop, and Remote Assistance. RDP connections
fail if the two computers are not configured to use the same
encryption algorithm. Computers running Windows XP can be
updated to the latest version of Microsoft’s RDP client in order
to connect to Terminal Services servers; however, there is no
update for the RDP server included with Windows XP. This means
that computers running Windows XP with this setting enabled
cannot accept incoming Remote Desktop and Remote Assistance
connections. See this
knowledgebase article for more information.
- Unsigned driver installation behavior - drivers that are not
digitally signed by Microsoft cannot be installed under Windows XP.
- Windows Firewall - the built-in firewall may prevent other
computers or applications from communicating with some applications
listening on the system.
- Additional settings - refer to this
knowledgebase article
for additional settings that may impact system interoperability with
legacy systems.
-
What is the envisioned deployment method for FDCC?
Organizations have taken a variety of approaches.
Some smaller organizations may implement local configuration
through batch and *.inf files, others might employ local group
policy. Larger organizations could implement the FDCC security settings using
Active Directory Microsoft Group Policy Objects (GPO).
Approximately 98% of all FDCC settings may be implemented through
GPOs. The remaining security settings must be implemented locally
through *.inf, batch, or manual methods. Other enterprise management
technologies can be used instead.
-
How should I deploy the FDCC settings? With the VHDs or the GPOs?
What works best will vary from one organization to the next. The
VHDs are very useful because they already have the FDCC settings
applied and you can begin testing quickly. Additionally, by keeping
the original VHDs you downloaded from NIST pristine and creating
copies of them for actual testing, you can quickly reconstitute your
test environment for each round of testing. You can also use Virtual
PC's undo disks to make it easier to revert to an earlier version of
your VHD. However, when you need to deploy the FDCC settings into
production the VHDs won’t be very useful, as there is no documented
method for creating domain-based group policies from the local
configuration of these stand-alone computers.
On the other hand, the GPOs can be copied into whatever
Active Directory test domain
you already have established, and when testing is complete you can
use the Group Policy Management Console to backup the final GPOs.
Then you can copy these backed up files into your production
environment and import them into your production Active Directory
domain. Some SCAP-validated tools may also be able to enforce the
mandated settings, check with the tool vendors to determine the
capabilities of their tools.
-
My agency does not use Active Directory yet we have many computers
to manage. How can we most easily implement the FDCC settings on
stand-alone systems?
Microsoft recently published a utility for
applying the FDCC settings to stand-alone systems by modifying the
local GPO. The utility is available on their FDCC Blog:
Set_FDCC_LGPO: Utility to
apply FDCC settings to local group policy.
However, before using this approach be certain that you understand
the disclaimers on that page. The tool is not officially supported
by Microsoft so you may need to discuss what kind of support will be
available with your Microsoft representative. Note that NIST is
unable to provide support for this tool.
You can also implement the settings by creating your own batch files
or scripts. You could apply them directly to the registry and
leverage utilities such as auditpol.exe on Windows Vista and netsh
on both Windows Vista and Windows XP.
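The following PowerShell script is an added example of the scripted approach described above; it is not the NIST FAQ's content and is unrelated to Microsoft's Set_FDCC_LGPO utility. It applies, then reads back, only the settings this FAQ names elsewhere: the 12-character minimum password length and 60-day maximum age, the FIPS algorithm policy, the built-in wireless service, the IPv6 transition technologies (ISATAP, Teredo, 6to4) and the Windows Firewall state. Paths and service names are for Windows Vista (XP uses the WZCSVC service, stores the FIPS policy as the DWORD value FipsAlgorithmPolicy directly under the Lsa key, and lacks netsh advfirewall); the auditpol line shows the mechanism only, with an illustrative category rather than an FDCC value. Run it from an elevated prompt on a test system first.

```powershell
# Added example, not NIST or Microsoft code. Applies a handful of FDCC settings
# on a stand-alone Windows Vista system with built-in tools and reads them back.
# Only settings named in this FAQ are included; the auditpol category is illustrative.

function Set-FdccLocalSettings {
    # Account policy: 12-character minimum length, 60-day maximum age.
    & net.exe accounts /minpwlen:12 /maxpwage:60 | Out-Null

    # "System cryptography: Use FIPS compliant algorithms..." (Vista registry location).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                     -Name Enabled -Value 1 -Type DWord

    # Built-in wireless service (Vista: Wlansvc; XP: WZCSVC).
    Set-Service -Name Wlansvc -StartupType Disabled
    Stop-Service -Name Wlansvc -ErrorAction SilentlyContinue

    # IPv6 transition technologies that could tunnel past the firewall.
    foreach ($tech in 'teredo', 'isatap', '6to4') {
        & netsh.exe interface $tech set state disabled | Out-Null
    }

    # Windows Firewall on for every profile.
    & netsh.exe advfirewall set allprofiles state on | Out-Null

    # Audit policy via auditpol.exe (Vista). Category/values here are illustrative, not FDCC values.
    & auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable | Out-Null
}

function Get-FdccLocalSettings {
    & net.exe accounts | Where-Object { $_ -match 'Minimum password length|Maximum password age' }

    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    "FIPS algorithm policy Enabled = $($fips.Enabled)"

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Wlansvc'"
    "Wlansvc: StartMode=$($svc.StartMode) State=$($svc.State)"

    foreach ($tech in 'teredo', 'isatap', '6to4') {
        "--- netsh interface $tech show state ---"
        & netsh.exe interface $tech show state
    }
    & netsh.exe advfirewall show allprofiles state
}

Set-FdccLocalSettings
Get-FdccLocalSettings
```

Settings written this way are plain local configuration, not local Group Policy, so they remain as written only until something else (a later GPO, an installer, a user with administrative rights) changes them; the SCAP-based monitoring described in the previous section is what catches that drift.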
-
How do I apply Microsoft GPOs to one of several different operating
systems I manage through the Group Policy Management Console (GPMC)?
As viewed through the Microsoft Group Policy Management Console
(GPMC), applying GPOs to specific Windows operating systems can be
accomplished using a Windows Management Instrumentation (WMI) filter
(WMI filtering is only recognized on Windows Vista, Windows XP, and
Windows Server 2003; older clients ignore the filter and apply the
GPO). More specifically, create a WMI filter that
selects the applicable operating systems, and link that filter to the
GPO intended for those operating systems. If computers with
Windows 2000 or earlier Windows operating systems are present
within the enterprise, these computers must be excluded from the
GPO by denying them the Read and Apply Group
Policy permissions on it. The following two sources provide additional
detail:
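The WQL queries typically used for such filters, and a way to test them on a machine before linking them, are shown in the following added PowerShell example (not NIST content). The version prefixes are Windows facts (XP reports 5.1, Vista 6.0); the ProductType = 1 clause restricts the match to workstation SKUs so that the desktop GPOs stay off Windows Server 2003 (5.2) and Windows Server 2008 (also 6.0). The filter names are assumptions.

```powershell
# Added example, not NIST code. WQL filters for targeting the XP and Vista GPOs,
# evaluated locally with Get-WmiObject so you can see which one a computer matches.

$filters = @{
    'FDCC Windows XP'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = 1'
    'FDCC Windows Vista' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = 1'
}

function Test-WmiFilter([string]$Query) {
    # A GPMC WMI filter applies when its query returns at least one instance.
    return (@(Get-WmiObject -Query $Query).Count -gt 0)
}

$os = Get-WmiObject -Class Win32_OperatingSystem
"This computer: {0} (Version {1}, ProductType {2})" -f $os.Caption, $os.Version, $os.ProductType
foreach ($name in ($filters.Keys | Sort-Object)) {
    $state = if (Test-WmiFilter $filters[$name]) { 'applies' } else { 'does not apply' }
    "{0,-20} {1}" -f $name, $state
}
```

Note that Windows XP Professional x64 Edition reports version 5.2, the same as Windows Server 2003, so an enterprise with those systems needs a filter of its own rather than the 5.1 prefix.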
-
Does the FDCC Security
Content Automation Protocol (SCAP) include specific USG digital certificates?
The FDCC Windows XP and Vista VHDs include root and intermediate
CA certificates for the DoD and civilian agencies in their trusted
certificate stores.
-
Can a standard user share files using the Microsoft file or
peer-to-peer sharing protocols?
The FDCC settings disable the Microsoft Peer-to-Peer networking services. The
Windows Firewall is also configured to prevent local file sharing.
If a third-party firewall is used, it is recommended that it
prevent the system from sharing local files as well.
-
Does the FDCC Security
Content Automation Protocol (SCAP) include power management specific settings?
The FDCC Security Content
Automation Protocol (SCAP) does not make any specific recommendation about
the power management settings. By default, Windows Vista
uses the Balanced power plan, which puts the system to
sleep after 1 hour on AC power and 15 minutes on battery power,
turns off the hard disks after 20 minutes on AC power and 10 minutes on
battery power, and turns off the display after 20 minutes on AC power
and 5 minutes on battery power. Consult your organization's
administrators to determine whether these values are compliant with your
agency's policies.
-
Does the password policy apply only to local accounts?
No, the password policy applies to both local and domain accounts.
-
Is FDCC applicable to domain accounts (versus local)?
Yes, FDCC is applicable to any domain configurations that manifest
themselves in local FDCC settings. For instance, password length
managed at the domain level manifests itself at each desktop and
laptop. Therefore, password length, whether managed via domain or
locally, is subject to FDCC.
-
Does the password policy apply to Windows XP and Vista only or is it
also applicable to all applications installed on the XP and Vista
systems?
On a Windows XP or Vista system, any system components,
applications, or utilities that use the XP or Vista authentication
mechanism, in particular the user's Windows authentication token,
must comply with the FDCC password policy. This excludes
third-party applications such as Web applications and client
applications that use a separate security token for authentication.
For example, a user's Windows authentication token grants logical
access to the desktop, email account, calendaring software, and so
on, and it must comply with the FDCC password policy. The same user
may present a distinct authentication token to a Web application
connected to a travel management system, an enterprise application,
or a Federal employee benefits or retirement system; in those cases
the token is subject to the policy instituted on the specific server
and services being used.
-
Must my administrator account be renamed to "Renamed_Admin"?
No, alternate names are fine. In fact, we suggest you discard "Renamed_Admin"
and use something unique.
-
One of the FDCC settings does not allow the installation of unsigned
device drivers. In order to be compliant, do we need to remove
unsigned device drivers that are already installed on general
purpose computing devices?
Strictly speaking, yes, you need to remove unsigned device drivers
to be compliant on general purpose computing devices. That said, it
is understood that certain unsigned device drivers may be critical
to business/mission IT. Any unsigned device drivers that are
critical to your operation must be annotated as business/mission
critical deviations.
-
FDCC settings prohibit wireless. Are there any conditions under
which wireless is allowed? Airport? Hotel? We have implemented
wireless within our enterprise. Do I really need to disable
wireless? What if I am using a third-party wireless client?
The FDCC wireless setting specifies that all wireless interfaces
should be disabled. The intention of the recommendation is not to
prevent or prohibit wireless use, but to reduce the exposure of
wireless-equipped devices accidentally connecting to insecure (e.g.,
unencrypted) and unauthorized wireless access points and end-users
purposefully connecting to insecure and unauthorized wireless access
points. Wireless configuration for authorized enterprise wireless
networks should be documented and reflected in the organization's
FDCC deviation report.
Third-party wireless clients still utilize the wireless interface of
the Windows XP or Vista operating system. Therefore, they are
subject to the logic above.
-
Does the system need to have IE7 installed to be FDCC compliant?
While settings for other browsers were not tested,
Federal organizations are free to use other Web browser software
instead of or in addition to Internet Explorer 7.0 (IE7). If agencies are
using Internet Explorer, NIST recommends that they use IE7. When
using other browsers agencies must extrapolate the FDCC settings for
IE7 to their chosen browser whenever possible.
-
FDCC settings prohibit escalated privileges from being granted to
ordinary end-users. What is considered an escalated privilege?
Any privilege that is not a default user right in XP or Vista is
considered under the FDCC to be an escalated privilege. The security
inherent in FDCC relies partly on the fact that typical users are
only assigned standard user rights. Assigning any additional rights
to typical users or user groups circumvents this layer of security
by allowing users to run with escalated privileges. Assigning the
"Administrators" or "Power Users" role to a user is an example of
escalating that user's privileges.
-
Why do the FDCC settings
restrict the use of some IPv6 technologies?
The FDCC settings do not preclude the use of IPv6, merely the
transitional technologies such as ISATAP and Teredo that tunnel
IPv6 over the IPv4 network (the accompanying firewall rules block
IP protocol 41 and UDP port 3544 for the same reason). These
technologies are disabled so that they cannot be used as a
communication channel that bypasses other network controls such
as firewalls and IPsec.
Please
send comments if your questions
were not answered here.