Federal Desktop Core Configuration
FDCC

FDCC Technical FAQs - 2009.04.13

This frequently asked questions (FAQ) document addresses subjects associated with the March 2007 OMB-mandated Federal Desktop Core Configuration (FDCC). Topics include the FDCC, laboratory testing of the FDCC, agency testing of the FDCC, use of the Security Content Automation Protocol (SCAP) to evaluate computers for FDCC compliance, deploying the FDCC, and reporting deviations to the FDCC.

Federal Desktop Core Configuration

FDCC Laboratory Testing

FDCC Agency Testing

Security Content Automation Protocol

FDCC Deployment


Federal Desktop Core Configuration

  1. What is the Federal Desktop Core Configuration (FDCC)?

  2. What operating systems have FDCC settings?

  3. Where can I obtain security configuration information for operating systems other than Windows XP and Windows Vista?

  4. How was the FDCC created?

  5. Is NIST endorsing or mandating the use of the Windows XP or Windows Vista operating systems or requiring each setting be applied as stated?

  6. Is NIST working exclusively with Microsoft on security settings?

  7. Is OMB mandating that each setting be applied as stated in the spreadsheet and Security Content Automation Protocol (SCAP) content? What if we want to implement stronger settings?

  8. Is FDCC applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?

  9. Is FDCC applicable to Windows XP and Vista computers used as servers?

  10. Does the FDCC Security Content Automation Protocol (SCAP) apply only to desktop systems?

  11. Is FDCC applicable to contractor computers?

  12. How does FDCC relate to FISMA compliance and SP 800-53?

  13. How do I report compliance and deviations? To whom do I report that information? Is there a specific reporting format?

  14. Where can I find a centralized list of FDCC compliant applications?

  15. What versions and Service Pack levels of XP and Vista does FDCC apply to?

  16. What tools are used to edit the XML Security Content Automation Protocol (SCAP) data and GPOs?

  17. How are vendors required to prove FDCC compliance?


FDCC Laboratory Testing

  1. How often does NIST publish updates to the online resources?

  2. What version of Microsoft Internet Explorer was tested?

  3. What if I use a browser other than Internet Explorer 7.0?

  4. Were any Microsoft Office security configurations of the FDCC tested?

  5. To comply with the FDCC, are Federal organizations required to use the Microsoft Windows Firewall?

  6. Is Microsoft Defender and/or other malware scanning software included in the FDCC settings?


FDCC Agency Testing

  1. What are Virtual PCs (VPC), and what is the difference between a VPC and a Virtual Hard Disk (VHD)? DEPRECATED

  2. Why are VHDs beneficial? DEPRECATED

  3. When will VHDs expire, and how often will they be updated? DEPRECATED

  4. What can be downloaded from the FDCC technical site? DEPRECATED

  5. Must I use WinZip to reassemble the segmented VHD files? What if I don't have WinZip? DEPRECATED

  6. I am unable to decompress the VHD file. DEPRECATED

  7. Can I use the VHDs, GPOs, .inf, and Security Content Automation Protocol (SCAP) content in an operational environment? DEPRECATED

  8. What are the accounts and passwords that I can use to log on to the FDCC test VPCs? DEPRECATED

  9. How do I use the VHDs? DEPRECATED

  10. What should I consider before I run the VHDs? DEPRECATED

  11. Who produces the VHDs? DEPRECATED

  12. Does the Security Content Automation Protocol (SCAP) Content & GPOs for FDCC cover 100% of the FDCC settings? If not, what is missing and why?

  13. Some settings listed in the spreadsheet do not appear in the group policy editor.

  14. When I try to view and edit the group policies on a computer running Windows XP or Windows Server 2003 I receive an error message.

  15. I have also encountered errors when using the Group Policy Results feature on a computer running Windows Vista with Service Pack 1.

  16. What are the differences between “Not Applicable,” “Not Defined,” and “Not Configured” in the settings spreadsheet?

  17. I am responsible for implementing FDCC in my organization. I have many questions and concerns. Who is the correct person for me to call?

  18. I just downloaded and extracted the Virtual PC files but I only see a virtual hard drive (.VHD) file, no virtual machine (.VMC). DEPRECATED

  19. I have tried several scanners, none seem to be able to accurately detect user-specific settings.

  20. Why do the Windows XP checks for several user rights fail after I delete the SUPPORT_388945a0 account?

  21. I scanned a NIST provided VHD with an SCAP Validated FDCC Scanner, but several patches were missing. What does this mean?


Security Content Automation Protocol

  1. What is the Security Content Automation Protocol (SCAP)?

  2. How are the Security Content Automation Protocol (SCAP) and SCAP-validated with FDCC Scanner Capability tools relevant to FDCC?

  3. What settings cannot be verified with the current Security Content Automation Protocol (SCAP) tools?

  4. Where can I obtain FDCC Security Content Automation Protocol (SCAP) content?

  5. What is Security Content Automation Protocol (SCAP) Compliance?

  6. How do I know if a Tool is Security Content Automation Protocol (SCAP)-validated?

  7. How can agencies perform acceptance testing of FDCC compliant software?

  8. How can agencies ensure that their systems maintain the FDCC settings throughout the systems life cycle?

  9. How can agencies use Security Content Automation Protocol (SCAP) FDCC content to automate FISMA compliance of technical controls?

  10. How can agencies report their compliance to the FDCC?

  11. Are there currently any Security Content Automation Protocol (SCAP)-validated tools?

  12. Is checking FDCC settings 100% automated through Security Content Automation Protocol (SCAP)? Will manual assessment methods be required?

  13. Will scans based on Security Content Automation Protocol (SCAP) checklists produce results with 100% of all checks passing?

  14. Does the FDCC SCAP content utilize WMI? Can the use of WMI cause issues?


FDCC Deployment

  1. What are some settings that will impact system functionality that I should test before I deploy the OMB mandated FDCC Security Content Automation Protocol (SCAP) in an operational environment?

  2. What is the envisioned deployment method for FDCC?

  3. How should I deploy the FDCC settings? With the VHDs or the GPOs?

  4. My agency does not use Active Directory yet we have many computers to manage. How can we most easily implement the FDCC settings on stand-alone systems?

  5. How do I apply Microsoft GPOs to one of several different operating systems I manage through the Group Policy Management Console (GPMC)?

  6. Does the FDCC Security Content Automation Protocol (SCAP) include specific USG digital certificates?

  7. Can standard users share files using the Microsoft file or peer-to-peer sharing protocols?

  8. Does the FDCC Security Content Automation Protocol (SCAP) include power management specific settings?

  9. Does the password policy apply only to local accounts?

  10. Is FDCC applicable to domain accounts (versus local)?

  11. Does the password policy apply to Windows XP and Vista only or is it also applicable to all applications installed on the XP and Vista systems?

  12. Must my administrator account be renamed to "Renamed_Admin"?

  13. One of the FDCC settings does not allow the installation of unsigned device drivers. In order to be compliant, do we need to remove unsigned device drivers that are already installed on a general purpose computing devices?

  14. FDCC settings prohibit wireless. Are there any conditions under which wireless is allowed? Airport? Hotel? We have implemented wireless within our enterprise. Do I really need to disable wireless? What if I am using a third-party wireless client?

  15. Does the system need to have IE7 installed to be FDCC compliant?

  16. FDCC settings prohibit escalated privileges from being granted to ordinary end-users. What is considered an escalated privilege?

  17. Why do the FDCC settings restrict the use of some IPv6 technologies?


Federal Desktop Core Configuration

  1. What is the Federal Desktop Core Configuration (FDCC)?
    The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista and XP operating system software. While not addressed specifically as the "Federal Desktop Core Configuration," the FDCC was originally called for in a 22 March 2007 memorandum from OMB to all Federal agencies and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIO).

  2. What operating systems have FDCC settings?
    Currently, FDCC settings are intended for Microsoft Windows XP Professional with Service Pack (SP) 2 or SP 3 and Microsoft Windows Vista Business, Microsoft Windows Vista Enterprise, and Microsoft Windows Vista Ultimate with SP 1.

  3. Where can I obtain security configuration information for operating systems other than Windows XP and Windows Vista?
    From the NIST 800-70 revision 2 at http://csrc.nist.gov/publications/PubsSPs.html#800-70 executive summary page 3 (ES-3), “users from Federal civilian agencies should first search for NIST-produced checklists, which are tailored for civilian agency use. If no NIST-produced checklist is available, then agency-produced checklists from the Defense Information Systems Agency (DISA) or the National Security Agency (NSA) should be used if available or vendor-produced checklists should be used. If these checklists are not available, then checklists from other trusted third parties may be used. Certain checklists on the NCP are mandated for use by federal agencies by the OMB. These include the OMB FDCC checklists for Windows Vista, Windows XP, Internet Explorer 7, Windows XP Firewall, and Windows Vista Firewall.”

  4. How was the FDCC created?
    The Windows Vista FDCC is based on DoD customization of the Microsoft Security Guides for both Windows Vista and Internet Explorer 7.0. Microsoft's Vista Security Guide was produced through a collaborative effort with DISA, NSA, and NIST. The guide reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform.

    The Windows XP FDCC is based on Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST SP 800-68 and DoD customization of the recommendations in Microsoft's Security Guide for Internet Explorer 7.0.

  5. Is NIST endorsing or mandating the use of the Windows XP or Windows Vista operating systems or requiring each setting be applied as stated?
    No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows XP or Vista operating systems, nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software for which NIST has not developed a publication, security configuration checklist, or virtual testing environment. Although the FDCC currently applies to Windows XP and Vista, security guidance is available for other platforms. The OMB and GSA updated the Federal Acquisition Regulation (FAR) on February 28, 2008; Part 39 now reads as follows:

    (d) In acquiring information technology, agencies shall include the appropriate IT security policies and requirements, including use of common security configurations available from the NIST's website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.

  6. Is NIST working exclusively with Microsoft on Security Content Automation Protocol (SCAP) security settings?
    No. NIST is currently working with a number of IT vendors on standardizing security settings for a wide variety of IT products and environments. NIST does this through the NIST Security Configuration Checklists Program for IT Products. The NIST process for creating, vetting, and making security checklists available for public use is documented in NIST SP 800-70 Revision 1, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers. For more information about the National Checklist Program visit http://checklists.nist.gov/. If IT vendors would like to standardize additional security settings with NIST, please contact checklists@nist.gov.

  7. Is OMB mandating that each setting be applied as stated in the spreadsheet and Security Content Automation Protocol (SCAP) content? What if we want to implement stronger settings?
    Yes, all of the settings are required in order to be compliant; however, agencies are free to implement values that are more restrictive than those listed in the FDCC settings. The FDCC settings establish a target that agencies are encouraged to surpass when feasible.

  8. Is FDCC applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?
    The primary targets of FDCC are general-purpose systems such as managed desktops and laptops. Embedded computers, process control systems, specialized scientific or experimental systems, and similar systems using Windows XP or Vista are out of the scope of FDCC. Of course, such systems still require appropriate protection and application of sound risk management principles. In general, for such systems agencies should examine the FDCC security configuration for applicability where feasible and appropriate.

  9. Is FDCC applicable to Windows XP and Vista computers used as servers?
    No, Windows XP and Vista computers not categorized as desktops or laptops are out of scope for FDCC.

  10. Does the FDCC Security Content Automation Protocol (SCAP) apply only to desktop systems?
    FDCC applies to both desktops and laptops that are deployed and connected directly to the organization's network, even those only connected intermittently.

  11. Is FDCC applicable to contractor computers?
    Yes, Windows XP and Vista computers that are owned or operated by a contractor on behalf of or for the USG or are integrated into a Federal system are subject to FDCC.

  12. How does FDCC relate to FISMA compliance and SP 800-53?
    Per OMB Memorandum M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” the following configuration management questions are provided regarding FDCC:

    1. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:

      1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No.

      2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology,” is included in all contracts related to common security settings. Yes or No.

      3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No.

  13. How do I report compliance and deviations? To whom do I report that information? Is there a specific reporting format?
    The first FDCC reporting deadline was March 31, 2008. The reporting requirements for that date have passed; the only reporting relating to FDCC that agencies are currently required to perform is part of their standard FISMA report, as described in OMB Memorandum M-08-22, "Guidance on the Federal Desktop Core Configuration (FDCC)," which states:

    1. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:

      1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No.

      2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology,” is included in all contracts related to common security settings. Yes or No.

      3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No.

  14. Where can I find a centralized list of FDCC compliant applications?
    IT product vendors are actively testing their applications for compliance with the FDCC Security Content Automation Protocol (SCAP), and information on compliance will be made available at the vendors' sites. Agencies are welcome to share FDCC compliance testing information with the understanding that each individual CIO is responsible for fulfilling the requirements in OMB Memorandum M-07-18.

  15. What versions and Service Pack levels of XP and Vista does FDCC apply to?
    FDCC Major Version 1.1 is based on Microsoft Windows XP Service Pack (SP) 2 and Microsoft Windows Vista SP 1. Although Security Content Automation Protocol (SCAP) Content has been engineered so that it will also operate on Windows XP SP3, near-term Windows XP patch checking covers both SP2 and SP3. It is understood that many managed environments throughout the Federal government implement service packs shortly after their release. While near-term Windows XP checking is based on Windows XP/SP2, we do not anticipate any significant measurement issues for Windows XP/SP3.

  16. What tools are used to edit the XML Security Content Automation Protocol (SCAP) data and GPOs?
    The XCCDF and OVAL content are edited with an XML editor or Notepad. Open-source or commercial XML editors can be used to edit the SCAP content. The GPOs are edited using the Group Policy Editor, gpedit.msc.

  17. How are vendors required to prove FDCC compliance?
    There is no formal compliance process; vendors of information technology products must self-assert FDCC compliance. They are expected to ensure that their products function correctly with computers configured with the FDCC settings. The product installation process must make no changes to the FDCC settings. Applications must work for users who do not have administrative privileges, the only acceptable exception being information technology management tools. Vendors must test their products on systems configured with the FDCC settings, and they must use SCAP-validated tools with FDCC Scanner capability to certify that their products operate correctly with FDCC configurations and do not alter FDCC settings. The OMB provided suggested contract language in this memo: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf; vendors are likely to encounter similar language when negotiating with agencies.



FDCC Laboratory Testing

  1. How often does NIST publish updates to the online resources?
    In support of OMB and Federal organizations, and with assistance from NSA, DISA, Microsoft, and third-party tool vendors, NIST periodically publishes updated content. The planned schedule is as follows:

  • Monthly updates to the SCAP content that include information about the latest hotfixes for Windows Vista and Windows XP.
  • Quarterly updates to the SCAP content to address flaws or to support newer XCCDF and OVAL formats.
  • Quarterly updates to the settings spreadsheet to address flaws.
  • Quarterly updates to the virtual hard drives (VHD) to address flaws and to reset the expiration dates for the trial versions of Windows Vista and Windows XP.
  • Less frequent updates to all of the resources to accommodate changes to the FDCC settings themselves that have been approved by the Federal CIO Council FDCC Change Control Board.

  2. What version of Microsoft Internet Explorer was tested?
    Internet Explorer 7.0 was tested.

  3. What if I use a browser other than Internet Explorer 7.0?
    While settings for other browsers were not tested, Federal organizations are free to use other Web browser software instead of or in addition to Internet Explorer 7.0 (IE7). If agencies are using Internet Explorer, NIST recommends that they use IE7. When using other browsers agencies must extrapolate the FDCC settings for IE7 to their chosen browser whenever possible.

  4. Were any Microsoft Office security configurations of the FDCC tested?
    Microsoft Office is not part of the FDCC mandate. It is not installed on the VHDs nor are Microsoft Office settings included in GPOs.

  5. To comply with the FDCC, are Federal organizations required to use the Microsoft Windows Firewall?
    No. The FDCC Security Content Automation Protocol (SCAP) requires the use of a personal firewall and includes the Microsoft Windows Firewall settings, because it is enabled with the operating system installation. However, Federal organizations are free to use other desktop firewall software instead of the Microsoft Windows Firewall.

  6. Is Microsoft Defender and/or other malware scanning software included in the FDCC settings?
    Yes. Microsoft Defender is installed on FDCC VHDs; however, there is currently no configuration guidance for this product other than the default settings provided by Microsoft. As is the case with the Microsoft Windows Firewall, NIST recommends the use of malware scanning utilities, but does not recommend any particular vendor's product.



FDCC Agency Testing

  1. What are Virtual PCs (VPC), and what is the difference between a VPC and a Virtual Hard Disk (VHD)? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    Virtual PC (VPC) is a Microsoft product that allows users to run a virtual instance of an operating system (aka Virtual Hard Disk) within an already running instance of an operating system (aka non-virtual OS). The Virtual Hard Disk (VHD) can utilize the hardware of the computer (e.g., hard drive, Ethernet card, USB ports) in the same way the non-virtual OS does. From the non-virtual OS, the VHD appears as a single, large *.vhd file.

  2. Why are VHDs beneficial? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    VHDs are very useful for both laboratory and deployment testing. While software can be installed on a VHD in the same way software is installed on normal operating systems, VHDs can be discarded and re-implemented very quickly for the purposes of ensuring a pristine testing environment or if something malfunctioned with the previous VHD. Additionally, multiple VHDs can be run over a single physical platform to achieve cost savings.

  3. When will VHDs expire, and how often will they be updated? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    According to Microsoft licensing, VHD licenses expire after 120 days. FDCC test VHDs will be published quarterly and can be found at: http://nvd.nist.gov/fdcc/download_fdcc.cfm

  4. What can be downloaded from the FDCC technical site? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    The FDCC technical Web site contains Windows Vista and Windows XP FDCC policy documentation, VHD files, Group Policy Object (GPO) files, and SCAP content files.

  5. Must I use WinZip to reassemble the segmented VHD files? What if I don't have WinZip? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    To enable more manageable download of the multi-gigabyte virtual images, NIST elected to provide WinZip segmented files. To the best of our knowledge, these files can only be re-assembled with WinZip. Agency/department representatives who prefer a non-segmented virtual machine image can write to fdcc@nist.gov with their affiliation and a shipping address. Once affiliation is confirmed, a non-segmented virtual machine image will be shipped on a DVD to your attention.

  6. I am unable to decompress the VHD file. DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    Verify that the file name extensions are correct. Internet Explorer may change the extension of one or more of the files; for each segmented archive the first file’s extension should be .zip, and the others should be .z01, .z02, .z03, etc. You may have to manually correct these in order to decompress the archive. If this does not resolve your problem you can write to fdcc@nist.gov to request a DVD with non-segmented versions of the files.

  7. Can I use the VHDs, GPOs, .inf, and Security Content Automation Protocol (SCAP) content in an operational environment? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    It is recommended that VHDs, GPOs, .inf, and SCAP content be used in a test and evaluation environment. After careful and comprehensive testing, an organization may decide to use the GPO, .inf, and/or SCAP content in the production environment. VHDs are provided for laboratory testing purposes only and are not to be used as a deployment image.

  8. What are the accounts and passwords that I can use to log on to the FDCC test VPCs? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

  • Windows Vista - FDCC_Admin and P@ssw0rd123456
  • Windows XP - Renamed_Admin and P@ssw0rd123456

  9. How do I use the VHDs? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    NIST suggests you first make a backup copy of the downloaded VHD files. Then install the Virtual PC software as obtained from Microsoft. Next, run the New Virtual Machine wizard to create a new VPC that will use the downloaded VHD file. Consult the Virtual PC documentation for additional information.

  10. What should I consider before I run the VHDs? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    NIST recommends that you install and configure antivirus software and set the VPC networking setting to "Local only" or "Not Connected." Consult the Virtual PC documentation for information about these settings.

  11. Who produces the VHDs? DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ; please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    At the request of OMB, Microsoft produces the VHDs with input from many departments and agencies including DHS, DISA, OMB, NIST, NSA, and USAF.

  12. Does the Security Content Automation Protocol (SCAP) Content & GPOs for FDCC cover 100% of the FDCC settings? If not, what is missing and why?
    No, there are a small number of settings that cannot be automated at this time. Settings not checked by SCAP content:

  • Vista Firewall
    • IPv6 Block of Protocols 41
    • IPv6 Block of UDP 3544
  • Windows XP
    • Network access: Allow anonymous SID-Name translation
  • Windows Vista
    • Network access: Allow anonymous SID-Name translation

    Settings not implemented through Group Policy Objects:

  • Vista
    • Configure Microsoft Spynet Reporting
    • Disable ISATAP, Teredo, and 6to4 tunneling protocols
    • All 47 Vista audit policy settings (contained in "FDCC Other Settings\Audit Policy Group")

  13. Some settings listed in the spreadsheet do not appear in the group policy editor.
    The FDCC includes security settings that don’t appear in the default user interface for the group policy editor. The settings with the “MSS:” prefix were introduced by Microsoft in their security guides for Windows Server 2003 and Windows XP. You can review the article on Microsoft's FDCC blog for more details on how to modify the editor to make these settings visible.

  14. When I try to view and edit the group policies on a computer running Windows XP or Windows Server 2003 I receive an error message.
    The group policy objects available on the FDCC website were created on computers running Windows Vista or Windows Server 2008. Some of them may include settings that are new to those versions of Windows. For example, the Windows Firewall With Advanced Security was introduced in Windows Vista. Earlier versions of Windows cannot be used to manage these group policy objects.

  15. I have also encountered errors when using the Group Policy Results feature on a computer running Windows Vista with Service Pack 1.
    Microsoft published information about an error that can arise after applying the FDCC settings to a computer. Navigating to settings below the Computer Configuration\Windows Settings\Security Settings\ container can result in an error. You can learn more about this situation by visiting their FDCC blog. Microsoft has a hotfix available for this problem; to obtain it you must contact Microsoft Customer Support and reference Knowledgebase number 955857 because it is not yet publicly available.

  16. What are the differences between “Not Applicable,” “Not Defined,” and “Not Configured” in the settings spreadsheet?
    “Not Applicable” means that the setting is not available in that version of Windows. For example, there are many new settings in Windows Vista that will have no effect on computers running Windows XP, including the settings for the Windows Firewall with Advanced Security. “Not Defined” and “Not Configured” are functionally equivalent: they mean that the FDCC does not require any specific value for that setting, and agencies are free to configure it however they wish.

  17. I am responsible for implementing FDCC in my organization. I have many questions and concerns. Who is the correct person for me to call?
    Please review the FDCC FAQs and send any unresolved inquiries to fdcc@nist.gov.

  6. I just downloaded and extracted the Virtual PC files but I only see a virtual hard drive (.VHD) file, no virtual machine (.VMC). DEPRECATED

    The FDCC Virtual Hard Drive (VHD) files are out of date and have been removed; they will not be updated in the future. The FDCC FAQ has been superseded by the USGCB FAQ. Please visit the USGCB FAQ for more information: http://usgcb.nist.gov/usgcb_faq.html

    Legacy Answer

    Virtual PC uses .VMC files to store information about each virtual machine including network adapters and memory allocation. To use the FDCC virtual hard drives you need to create a new virtual machine and specify the desired .VHD file for it.

  7. I have tried several scanners, none seem to be able to accurately detect user-specific settings.
    The FDCC includes both machine settings and user settings; the latter are stored in each user's profile. When a user logs on, Windows loads that profile and maps the user-specific registry settings to the HKEY_CURRENT_USER hive, commonly referred to as HKCU. For automated scanners it is exceedingly difficult to determine whether user settings such as the screen saver timeout and the AutoComplete settings for Internet Explorer are configured correctly. If no user is logged on, HKCU does not exist; the scanner could attempt to examine all of the user profiles stored on the computer, but these may include some that do not need the FDCC settings. Vendors may address this situation in various ways, but in many cases the administrator will have to verify the user-specific settings manually. The following table lists the user-specific settings included in the FDCC:

    Policy Setting Name | CCE v4 Reference | Vista CCE v5 Reference | XP CCE v5 Reference
    Configure Outlook Express | CCE-963 | CCE-3275-5 | CCE-3275-5
    Hide mechanisms to remove zone information | CCE-58 | CCE-2979-3 | CCE-5042-7
    Do not preserve zone information in file attachments | CCE-12 | CCE-3437-1 | CCE-4412-3
    Notify antivirus programs when opening attachments | CCE-372 | CCE-3300-1 | CCE-5059-1
    Prevent users from sharing files within their profile | CCE-1144 | CCE-5070-8 | (Not Applicable)
    Turn on the Internet Connection Wizard Auto Detect | CCE-258 | CCE-4036-0 | CCE-4036-0
    Disable Internet Connection wizard | CCE-769 | CCE-3825-7 | CCE-3825-7
    Disable the Reset Web Settings feature | CCE-625 | CCE-4226-7 | CCE-4226-7
    Turn on the auto-complete feature for user names and passwords on forms | CCE-721 | CCE-3647-5 | CCE-3647-5
    Turn off page transitions | CCE-71 | CCE-4056-8 | CCE-4056-8
    Disable AutoComplete for forms | CCE-478 | CCE-4246-5 | CCE-4246-5
    Disable external branding of Internet Explorer | CCE-1051 | CCE-4237-4 | CCE-4237-4
    Password protect the screen saver | CCE-949 | CCE-4290-3 | CCE-4500-5
    Screen Saver timeout | CCE-830 | CCE-3050-2 | CCE-2980-1
    Prompt for password on resume from hibernate / suspend | CCE-509 | CCE-3169-0 | CCE-4390-1
    Turn off Help Experience Improvement Program | CCE-174 | CCE-5239-9 | (Not Applicable)
    Turn off Help Ratings | CCE-1109 | CCE-4851-2 | (Not Applicable)
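    As an added illustration of the scanner problem described above (this is example code written for this FAQ page, not NIST's or any vendor's tool), the following PowerShell script does what a scanner would have to do when nobody is logged on: it walks the local profile list, loads each user's NTUSER.DAT hive that is not already mounted under HKEY_USERS, and reads the Group Policy registry values behind three of the user-specific settings in the table. The registry paths are the standard per-user policy locations; the expected values and the temporary hive name FDCC_Temp are assumptions chosen for the example, not official FDCC values.

```powershell
# Added example: check user-specific FDCC settings across all local user profiles.
# Run from an elevated PowerShell prompt on the computer being checked; uses reg.exe.

# Expected values are assumptions for illustration, not the official FDCC values.
$checks = @(
    @{ Name = 'Password protect the screen saver'
       Key  = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Value = 'ScreenSaverIsSecure'; Expected = '1' },
    @{ Name = 'Screen Saver timeout'
       Key  = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Value = 'ScreenSaveTimeOut'; Expected = '900' },
    @{ Name = 'Disable AutoComplete for forms'
       Key  = 'Software\Policies\Microsoft\Internet Explorer\Main'
       Value = 'Use FormSuggest'; Expected = 'no' }
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$tempHive    = 'FDCC_Temp'   # assumed temporary mount name for hives we load ourselves
$results     = @()

foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    # Only real user accounts (S-1-5-21-...); skip LocalSystem, LocalService, NetworkService
    if ($sid -notlike 'S-1-5-21-*') { continue }

    $imagePath = (Get-ItemProperty $p.PSPath).ProfileImagePath
    $hiveFile  = Join-Path $imagePath 'NTUSER.DAT'
    if (-not (Test-Path $hiveFile)) { continue }

    # A logged-on user's hive is already mounted as HKEY_USERS\<SID>; otherwise load it
    $hiveRoot   = "Registry::HKEY_USERS\$sid"
    $loadedByUs = $false
    if (-not (Test-Path $hiveRoot)) {
        & reg.exe load "HKU\$tempHive" $hiveFile | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $sid"; continue }
        $hiveRoot   = "Registry::HKEY_USERS\$tempHive"
        $loadedByUs = $true
    }

    foreach ($c in $checks) {
        $keyPath = "$hiveRoot\$($c.Key)"
        $actual  = $null
        if (Test-Path $keyPath) {
            # Dynamic property lookup; $null when the policy value is absent
            $actual = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).($c.Value)
        }
        $status = if ("$actual" -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        $results += [pscustomobject]@{
            Profile  = $imagePath
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }

    if ($loadedByUs) {
        [GC]::Collect()   # release registry handles so the unload does not fail
        & reg.exe unload "HKU\$tempHive" | Out-Null
    }
}

$results | Format-Table -AutoSize
```

    A FAIL with an empty Actual column means no policy value is present for that profile at all, which is exactly the case a scanner cannot distinguish from a deliberately different setting; profiles that never need the FDCC settings (service or kiosk accounts) will show up the same way and must be judged by the administrator.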

  8. Why do the Windows XP checks for several user rights fail after I delete the SUPPORT_388945a0 account?
    The SUPPORT_388945a0 account is a special account built into Windows XP that is used for the Remote Assistance feature. The FDCC settings require the following user rights to be assigned to this account: "Denied Access To This Computer From The Network", "Denied Logon As A Batch Job", and "Denied Logon Locally." If the account is deleted, there is no reason to assign these rights to it. In other cases where the SCAP content checks whether an account does or does not have a specific user right, a well-known security identifier (SID) is used. A SID is a numerical identifier that maps to the user-friendly name of the account. Many built-in accounts such as the Administrators group and the Guest account have the same SID on every computer running Windows, but the SUPPORT_388945a0 account is assigned a random SID during the installation of Windows XP. This means that the SCAP content checks for the literal existence of the SUPPORT_388945a0 account name in the list of accounts for each of these user rights; there is no way for the SCAP content to distinguish between deletion of the account and renaming of the account.

  9. I scanned a NIST-provided VHD with an SCAP-validated FDCC scanner, but several patches were missing. What does this mean?
    VHDs include all patches available prior to being posted on http://fdcc.nist.gov for download. Subsequent patches released by Microsoft are included the next time the VHD is updated, which may be several months later. As a result, these patches are not present on the VHD and will therefore show up as missing during the scan. This is expected behavior and does not indicate a deficiency in the product used to scan the VHD.



Security Content Automation Protocol

  1. What is Security Content Automation Protocol (SCAP)?
    NIST established a suite of interoperable and automatable security specifications known as the Security Content Automation Protocol (SCAP). By virtue of using XML-based standards, SCAP is simultaneously machine and human readable. The FDCC SCAP content is hosted on the National Checklist Program website; the National Vulnerability Database is being expanded to host the SCAP component standards. More information about SCAP may be found at http://scap.nist.gov/.

  2. How are the Security Content Automation Protocol (SCAP) and SCAP-validated with FDCC Scanner Capability tools relevant to FDCC?
    As part of the iterative VHD image integrity testing process, engineers ensured that both VHDs and SCAP data streams were accurately calibrated to represent and test compliance with the FDCC recommendations. Multiple SCAP-validated with FDCC Scanner Capability tools were able to use the same SCAP data stream to validate that the FDCC settings were properly applied to the VHD. The same SCAP data stream that was used for testing compliance to the FDCC in the NIST lab can also be used to determine if newly created images are FDCC compliant.

  3. What settings cannot be verified with the current Security Content Automation Protocol (SCAP) tools?
    There are a small number of FDCC settings which cannot be verified using SCAP at this time:

  • Vista Firewall
    • IPv6 Block of Protocols 41
    • IPv6 Block of UDP 3544
  • Windows XP
    • Network access: Allow anonymous SID-Name translation
  • Windows Vista
    • Network access: Allow anonymous SID-Name translation
  4. Where can I obtain FDCC Security Content Automation Protocol (SCAP) content?
    FDCC SCAP content is available for Windows XP and Vista at: http://nvd.nist.gov/fdcc/download_fdcc.cfm. The FDCC website hosts all SCAP reference data, inclusive of profiles for the FDCC and other Windows XP and Windows Vista security configurations.

  5. What is Security Content Automation Protocol (SCAP)-validation?
    To enable the goals set forth in OMB Memorandum M-07-18, it is necessary to have security configuration scanning tools that can use official SCAP content. In response, NIST established the SCAP validation program. Implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP), independent laboratories can be accredited to perform the testing necessary to validate that security tools can accurately parse the SCAP content required for their specific functionality. Additional details on SCAP validation are available at http://scap.nist.gov/validation/.

  6. How do I know if a tool is Security Content Automation Protocol (SCAP)-validated?
    Tools that have achieved NIST SCAP-validated with FDCC Scanner Capability status will be listed at http://nvd.nist.gov/scapproducts.cfm. Tools are referenced by their type (configuration scanner, vulnerability scanner, etc.), as well as by the vendor, tool name, and specific SCAP components in which the tool has achieved compliance.

  7. How can agencies perform acceptance testing of FDCC compliant software?
    OMB Memorandum M-08-22, “Guidance on the Federal Desktop Core Configuration (FDCC),” provides guidance regarding agency acceptance testing of FDCC compliant software.

  8. How can agencies ensure that their systems maintain the FDCC settings throughout the system life cycle?
    Through the use of SCAP-validated with FDCC Scanner Capability tools and official FDCC SCAP content, agencies can routinely monitor their systems to ensure that the FDCC settings have not been altered as the result of patching, installation of new software, or human interaction. The tools compare the deployed configuration against the official SCAP FDCC content and report on any discrepancies so that corrective action can be taken (some tools may also have an automatic remediation capability; consult the tool vendor). As with FDCC software acceptance testing, only SCAP-validated configuration scanning tools that are asserted by the vendor as “FDCC Scanning Capable” on the SCAP tools webpage can fully process SCAP FDCC content.

  9. How can agencies use Security Content Automation Protocol (SCAP) FDCC content to automate FISMA compliance of technical controls?
    SCAP-validated tools, which agencies use to continuously monitor FDCC settings, can output FISMA technical control compliance evidence. The OVAL and XCCDF-based SCAP content has FISMA compliance mappings embedded in it so that SCAP-validated tools can automatically generate NIST Special Publication (SP) 800-53 assessment and compliance evidence. Each low-level security configuration check is mapped to the appropriate high-level NIST SP 800-53 security controls.
    The assessment procedures found in NIST SP 800-53A are linked, where appropriate, to the SCAP automated testing of information system mechanisms and associated security configuration settings. In addition, the FDCC SCAP content also contains mappings to other high-level policies (e.g., ISO, DOD 8500, FISCAM), and SCAP tools may also output those compliance mappings. Additional SCAP content exists that agencies can also use to automate FISMA technical control compliance. This SCAP content is available at http://scap.nist.gov.

  10. How can agencies report their compliance with the FDCC?
    Agencies must use tools that are SCAP-validated with FDCC Scanner Capability to scan for both FDCC configurations and configuration deviations approved by the department or agency accrediting authority. Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring. See OMB Memorandum M-08-22, “Guidance on the Federal Desktop Core Configuration (FDCC),” for more details on the reporting requirements. In part, that memorandum states the following:

    1. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:
       1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No.
       2. New Federal Acquisition Regulation 2007-004 language, which modified “Part 39—Acquisition of Information Technology,” is included in all contracts related to common security settings. Yes or No.
       3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No.

  11. Are there currently any Security Content Automation Protocol (SCAP)-validated tools?
    A list of SCAP-validated tools is available at http://nvd.nist.gov/scapproducts.cfm.

  12. Is checking FDCC settings 100% automated through Security Content Automation Protocol (SCAP)? Will manual assessment methods be required?
    SCAP automates the assessment process for all but 4 of the FDCC settings. NIST is actively working to extend the coverage of the automated tests. However, manual methods will be needed to verify this small subset of the FDCC settings:

  • Vista Firewall
    • IPv6 Block of Protocols 41
    • IPv6 Block of UDP 3544
  • Windows XP
    • Network access: Allow anonymous SID-Name translation
  • Windows Vista
    • Network access: Allow anonymous SID-Name translation

  13. Will scans based on Security Content Automation Protocol (SCAP) checklists produce results with 100% of all checks passing?
    At present, there are no known discrepancies in the existing FDCC SCAP content. When errors are discovered, NIST will actively work to improve the accuracy of the tests as represented in the SCAP data stream, and updated content will be released periodically. NIST uses JTrac to document and monitor the status of known flaws in the FDCC content.

  14. Does the FDCC SCAP content utilize WMI? Can the use of WMI cause issues?
    Some setting value checks in the SCAP content use WMI, specifically the Resultant Set of Policy (RSOP) namespace. For example, this is the only public application programming interface (API) for checking the value of Network access: Allow anonymous SID-Name translation. The Internet Explorer Maintenance Policy Processing and Kerberos settings are also checked in this manner. NIST is not aware of any accuracy issues related to using WMI; however, it can be slightly slower than examining the registry or using other methods.
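    To show what such an RSOP-based check looks like, here is an added PowerShell example (written for this page, not NIST's SCAP content or a vendor's scanner) that reads the effective value of Network access: Allow anonymous SID-Name translation from the root\rsop\computer namespace. The setting has no registry value of its own; secedit and RSOP identify it by the name LSAAnonymousNameLookup. The expected value (disabled) is an assumption for the example.

```powershell
# Added example: read "Network access: Allow anonymous SID/Name translation" through RSOP.
# Run from an elevated prompt on the computer being checked.

function Get-RsopSecurityBoolean {
    param([Parameter(Mandatory = $true)][string]$KeyName)
    # RSOP_SecuritySettingBoolean holds the [System Access] booleans from security
    # templates; precedence = 1 is the entry that won the last policy refresh.
    Get-WmiObject -Namespace 'root\rsop\computer' -Class 'RSOP_SecuritySettingBoolean' `
        -Filter "KeyName='$KeyName' AND precedence=1" -ErrorAction Stop
}

# Assumed expected value for the example: anonymous SID/Name translation disabled
$expected = $false

try {
    $entry = Get-RsopSecurityBoolean -KeyName 'LSAAnonymousNameLookup'
} catch {
    Write-Warning "RSOP query failed: $($_.Exception.Message)"
    return
}

if ($null -eq $entry) {
    # No GPO defines the setting, so RSOP has nothing to report. A scanner cannot
    # read the effective value from the registry either; this is the manual case.
    Write-Output 'LSAAnonymousNameLookup: not defined by policy (manual verification required)'
} else {
    $status = if ($entry.Setting -eq $expected) { 'PASS' } else { 'FAIL' }
    Write-Output ('LSAAnonymousNameLookup: actual={0} expected={1} sourceGPO={2} => {3}' -f `
        $entry.Setting, $expected, $entry.GPOID, $status)
}
```

    Because the RSOP namespace is populated by the Group Policy client at refresh time, running gpupdate before the query makes sure the result reflects the current policy rather than a stale snapshot.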



FDCC Deployment

  1. What are some settings that will impact system functionality that I should test before I deploy the OMB-mandated FDCC Security Content Automation Protocol (SCAP) in an operational environment?
    There are a number of settings that will impact system functionality; agencies should test them thoroughly before they are deployed in an operational environment.

  • Running the system as a standard user - some applications may not work properly because they require administrative access to the operating system and application directories and registry keys.
  • Minimum 12-character password changed every 60 days - this may impact system usability and interoperability with some enterprise single sign-on password management systems.
  • Wireless service - the wireless service is disabled, and this will prevent the use of Wi-Fi network interfaces that depend on the built-in wireless service.
  • The “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” setting has been a required setting for several years, even before the FDCC mandate was announced. It is known to impact browser interoperability with Web sites that do not support the FIPS 140-2 approved algorithms. This can usually be corrected by changing the Web server configuration to support FIPS 140-2 approved algorithms. Refer to this knowledgebase article. It also affects the encryption algorithm used for the Remote Desktop Protocol (RDP); RDP is the protocol used by Terminal Services, Remote Desktop, and Remote Assistance. RDP connections will fail if both computers are not configured to use the same encryption algorithm. Computers running Windows XP can be updated to the latest version of Microsoft’s RDP client in order to connect to Terminal Services servers; however, there is no update for the RDP server included with Windows XP. This means that computers running Windows XP with this setting enabled cannot support incoming Remote Desktop and Remote Assistance connections. See this knowledgebase article for more information.
  • Unsigned driver installation behavior - drivers that are not digitally signed by Microsoft cannot be installed under Windows XP.
  • Windows Firewall - the built-in firewall may block communication between some applications.
  • Additional settings - refer to this knowledgebase article for additional settings that may impact system interoperability with legacy systems.

  2. What is the envisioned deployment method for FDCC?
    Organizations have taken a variety of approaches. Some smaller organizations may implement local configuration through batch and *.inf files; others might employ local group policy. Larger organizations could implement the FDCC security settings using Active Directory Group Policy Objects (GPOs). Approximately 98% of all FDCC settings may be implemented through GPOs. The remaining security settings must be implemented locally through *.inf files, batch files, or manual methods. Other enterprise management technologies can be used instead.

  3. How should I deploy the FDCC settings? With the VHDs or the GPOs?
    What works best will vary from one organization to the next. The VHDs are very useful because they already have the FDCC settings applied and you can begin testing quickly. Additionally, by keeping the original VHDs you downloaded from NIST pristine and creating copies of them for actual testing, you can quickly reconstitute your test environment for each round of testing. You can also use Virtual PC's undo disks to make it easier to revert to an earlier version of your VHD. However, when you need to deploy the FDCC settings into production the VHDs won’t be very useful, as there is no documented method for creating domain-based group policies from the local configuration on these stand-alone computers.

    On the other hand, the GPOs can be copied into whatever Active Directory test domain you already have established, and when testing is complete you can use the Group Policy Management Console to back up the final GPOs. Then you can copy these backed-up files into your production environment and import them into your production Active Directory domain. Some SCAP-validated tools may also be able to enforce the mandated settings; check with the tool vendors to determine the capabilities of their tools.

  4. My agency does not use Active Directory, yet we have many computers to manage. How can we most easily implement the FDCC settings on stand-alone systems?
    Microsoft recently published a utility for applying the FDCC settings to stand-alone systems by modifying the local GPO. The utility is available on their FDCC Blog: Set_FDCC_LGPO: Utility to apply FDCC settings to local group policy. However, before using this approach be certain that you understand the disclaimers on that page. The tool is not officially supported by Microsoft, so you may need to discuss what kind of support will be available with your Microsoft representative. Note that NIST is unable to provide support for this tool.

    You can also implement the settings by creating your own batch files or scripts. You could apply them directly to the registry and leverage utilities such as auditpol.exe on Windows Vista and netsh on both Windows Vista and Windows XP.

  5. How do I apply Microsoft GPOs to one of several different operating systems I manage through the Group Policy Management Console (GPMC)?
    As viewed through the Microsoft Group Policy Management Console (GPMC), applying GPOs to specific Windows operating systems can be accomplished using a Windows Management Instrumentation (WMI) filter (WMI filtering is only recognized on Windows Vista, Windows XP, and Windows Server 2003). More specifically, create a WMI filter that selects the applicable operating systems, and link that filter to the GPO applicable for those operating systems. If computers with Windows 2000 or earlier Windows operating systems are present within the enterprise, these computers must be granted an exception from the group policy using the Deny Read and Deny Apply Group Policy settings. The following two sources provide additional detail:
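    As an added example (not part of the NIST FAQ or Microsoft's documentation), the WQL queries below are the kind of WMI filter one would create in GPMC (namespace root\CIMv2) so that the Windows XP GPO applies only to XP workstations and the Vista GPO only to Vista workstations; the script then evaluates both queries on the local computer the same way the Group Policy client does. The filter names FDCC-WinXP and FDCC-Vista are assumptions for the example.

```powershell
# Added example: WMI filters that scope FDCC GPOs to XP and Vista workstations,
# and a local test of which filter this computer would satisfy.

# Version prefixes: Windows XP = 5.1, Windows Vista = 6.0.
# ProductType = 1 restricts the match to workstations, which keeps the FDCC GPOs
# off Windows Server 2003 (5.2) and Windows Server 2008 (6.0), and also separates
# Windows XP Professional x64 (reports 5.2) from Server 2003.
$wmiFilters = @{
    'FDCC-WinXP' = 'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "5.2%") AND ProductType = 1'
    'FDCC-Vista' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = 1'
}

function Test-WmiFilter {
    param([Parameter(Mandatory = $true)][string]$Query)
    # A GPO linked to a WMI filter applies only when the query returns at least one instance.
    $instances = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $Query -ErrorAction SilentlyContinue)
    return ($instances.Count -gt 0)
}

$os = Get-WmiObject -Namespace 'root\CIMv2' -Class Win32_OperatingSystem
Write-Output ('Local OS: {0} version {1} ProductType {2}' -f $os.Caption, $os.Version, $os.ProductType)

foreach ($name in ($wmiFilters.Keys | Sort-Object)) {
    $applies = Test-WmiFilter -Query $wmiFilters[$name]
    $verdict = if ($applies) { 'GPO would apply' } else { 'GPO would not apply' }
    Write-Output ('{0,-12} {1}' -f $name, $verdict)
}
```

    Windows 2000 clients ignore WMI filters and would receive a linked GPO anyway, which is why the FAQ says those computers need the Deny Read and Deny Apply Group Policy permissions rather than a filter.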

  6. Does the FDCC Security Content Automation Protocol (SCAP) include specific USG digital certificates?
    The FDCC Security Content Automation Protocol (SCAP) includes root and intermediate CA certificates for the DoD and civilian agencies in the trusted stores for both the Windows XP and Vista VHDs.

  7. Can a standard user share files using the Microsoft file or peer-to-peer sharing protocols?
    The FDCC settings disable the Microsoft Peer-to-Peer networking services. The Windows firewall is also configured to prevent local file sharing. If a third-party firewall is used, it is recommended that it prevent the system from sharing files on the local system.

  8. Does the FDCC Security Content Automation Protocol (SCAP) include power management specific settings?
    The FDCC Security Content Automation Protocol (SCAP) does not make any specific recommendation about the power management settings. By default, Windows Vista uses the balanced power settings, which put the system to sleep after 1 hour on AC power and 15 minutes on battery power. It turns off the hard disks after 20 minutes on AC power and 10 minutes on battery power. It turns off the display after 20 minutes on AC power and 5 minutes on battery power. Consult your organization's administrators to determine if these values are compliant with your agency's policies.

  9. Does the password policy apply only to local accounts?
    No, the password policy applies to both local and domain accounts.

  10. Is FDCC applicable to domain accounts (versus local)?
    Yes, FDCC is applicable to any domain configurations that manifest themselves in local FDCC settings. For instance, password length managed at the domain level manifests itself at each desktop and laptop. Therefore, password length, whether managed via domain or locally, is subject to FDCC.

  11. Does the password policy apply to Windows XP and Vista only, or is it also applicable to all applications installed on the XP and Vista systems?
    On a Windows XP or Vista system, any system components, applications, or utilities that use the XP or Vista authentication mechanism, in particular the user's Windows authentication token, must comply with the FDCC password policy. This leaves out third-party applications such as Web applications and client applications that use a separate security token for authentication.
    For example, my Windows authentication token allows me to gain logical access to my desktop, email account, calendaring software, etc. It will comply with the FDCC password policy. I use a distinct authentication token to run a Web application to connect to a travel management system, an enterprise application, or a Federal employee benefits or retirement system. In these cases, my authentication token will comply with the policy instituted on the specific server and services that I am trying to use.

  12. Must my administrator account be renamed to "Renamed_Admin"?
    No, alternate names are fine. In fact, we suggest you discard "Renamed_Admin" and use something unique.

  13. One of the FDCC settings does not allow the installation of unsigned device drivers. In order to be compliant, do we need to remove unsigned device drivers that are already installed on general purpose computing devices?
    Strictly speaking, yes, you need to remove unsigned device drivers to be compliant on general purpose computing devices. That said, it is understood that certain unsigned device drivers may be critical to business/mission IT. Any unsigned device drivers that are critical to your operation must be annotated as business/mission critical deviations.

  14. FDCC settings prohibit wireless. Are there any conditions under which wireless is allowed? Airport? Hotel? We have implemented wireless within our enterprise. Do I really need to disable wireless? What if I am using a third-party wireless client?
    The FDCC wireless setting specifies that all wireless interfaces should be disabled. The intention of the recommendation is not to prevent or prohibit wireless use, but to reduce the exposure of wireless-equipped devices accidentally connecting to insecure (e.g., unencrypted) and unauthorized wireless access points, and of end users purposefully connecting to insecure and unauthorized wireless access points. Wireless configuration for authorized enterprise wireless networks should be documented and reflected in the organization's FDCC deviation report. Third-party wireless clients still utilize the wireless interface of the Windows XP or Vista operating system. Therefore, they are subject to the logic above.

  15. Does the system need to have IE7 installed to be FDCC compliant?
    While settings for other browsers were not tested, Federal organizations are free to use other Web browser software instead of or in addition to Internet Explorer 7.0 (IE7). If agencies are using Internet Explorer, NIST recommends that they use IE7. When using other browsers, agencies must extrapolate the FDCC settings for IE7 to their chosen browser whenever possible.

  16. FDCC settings prohibit escalated privileges from being granted to ordinary end users. What is considered an escalated privilege?
    Any privilege that is not a default user right in XP or Vista is considered under the FDCC as an escalated privilege. The security inherent in FDCC relies partly on the fact that typical users are only assigned standard user rights. Assigning any additional rights to typical users or user groups circumvents this layer of security by allowing users to run with escalated privileges. Assigning the "Administrators" or "Power Users" role is one example of escalating the privileges of the user.

  17. Why do the FDCC settings restrict the use of some IPv6 technologies?
    The FDCC settings do not preclude the use of IPv6, merely the transitional technologies such as ISATAP and Teredo. These technologies are disabled so that they are not used as a communication channel that bypasses other network controls such as firewalls and IPsec.



Please send comments if your questions were not answered here.


Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.


Last updated: June 26, 2009
Page created: July 22, 2007

Disclaimer Notice & Privacy Statement / Security Notice
Send comments or suggestions to itsec@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration