FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009

Dec 14, 2015


FDCC Implementation Efforts at Idaho National Laboratory

Justin Hansen

NLIT 2009


Overview

• What is FDCC and where did it come from?

• Review process for the FDCC policy settings

• Specific implementation steps

• Dealing with some of the “Gotchas”

• Ongoing work

• Other information resources


INL’s IT By The Numbers

• 12,000 IT Devices owned by INL

• 9,000 Devices on the Network

• 5,500 Desktop & Laptop Computers

• OSs (~85% Windows, 9% Mac, 6% Linux)

• Dell Shop (95% of Windows-based computers are Dells)

• Office Desktops – Dell Optiplex

• Laptops – Dell Latitudes

• Engineering Workstations – Dell Precisions


What Is FDCC And Where Did It Come From?

• FDCC: Federal Desktop Core Configuration

• Office of Management and Budget (OMB) March, 2007

• Windows XP FDCC was based on Air Force customizations to the settings of NIST 800-68 checklist

– Used the “Specialized Security Limited Functionality” settings (SSLF)

• Windows Vista and IE 7 FDCC was based on DoD customizations of the Microsoft Security Guides

• Recommendations have been developed for Windows Vista, Windows XP and Internet Explorer


NIST Provided Resources For FDCC

• Ready-made Group Policy Objects

• Microsoft Virtual PC “VHDs” for testing

• Security Templates for Microsoft Security Configuration and Analysis Tool

• Security Content Automation Protocol (SCAP) definition and content

• NIST Windows Security Baseline Database

• Set_FDCC_LGPO.exe (Microsoft – http://blogs.technet.com/fdcc)


INL Review Process

• Compared currently implemented Minimum Security Configurations to FDCC

• Categorized FDCC “Gap” settings by impact and risk

• Evaluated required enterprise changes for “medium” and “high” impact settings

– Example: “Digitally sign communications (always)”

• Focused on “high” risk and “low” impact settings

• Spreadsheet developed to help evaluate these factors


Sample Evaluation Spreadsheet


Implementation Specifics

• Settings were deployed using domain Group Policies

• Initial FDCC Group Policy was equivalent to existing security settings

• Incorporated settings with “low” impact first

• Testing and phased rollouts of “medium” impact settings

• Continually working on making necessary changes to accommodate “high” impact and “high” risk settings

• Implemented by a small team over a 3-month period
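
The gap review on the “INL Review Process” slide and the rollout order on the “Implementation Specifics” slide can be sketched as a small gap analysis. This is an added example, not INL's spreadsheet or tooling; the setting values, the impact and risk ratings, and the names `find_gaps` and `rollout_plan` are constructed for illustration.

```python
# Added example: gap analysis of a current baseline against FDCC settings.
# Every setting value and rating below is constructed sample data, not
# NIST FDCC content and not INL's evaluation spreadsheet.
from dataclasses import dataclass

LEVEL = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Gap:
    setting: str
    current: str
    required: str
    impact: str  # disruption expected from making the change
    risk: str    # exposure from leaving the setting as it is

def find_gaps(current, fdcc, ratings):
    """Return the FDCC settings whose current value differs."""
    gaps = []
    for name, required in fdcc.items():
        have = current.get(name, "Not Configured")
        if have.strip().lower() == required.strip().lower():
            continue
        # An unrated gap defaults to high/high so it is reviewed, not deployed.
        impact, risk = ratings.get(name, ("high", "high"))
        gaps.append(Gap(name, have, required, impact, risk))
    return gaps

def rollout_plan(gaps):
    """Group gaps by impact phase; inside a phase, highest risk first."""
    phases = {"low": [], "medium": [], "high": []}
    for g in sorted(gaps, key=lambda g: (-LEVEL[g.risk], g.setting)):
        phases[g.impact].append(g)
    return phases

CURRENT = {"Digitally sign communications (always)": "Disabled",
           "Minimum password length": "8",
           "Do not display last user name": "enabled"}
FDCC = {"Digitally sign communications (always)": "Enabled",
        "Minimum password length": "12",
        "Do not display last user name": "Enabled",
        "LAN Manager authentication level": "NTLMv2 only",
        "Screen saver timeout": "900"}
RATINGS = {"Digitally sign communications (always)": ("high", "high"),
           "Minimum password length": ("low", "high"),
           "Screen saver timeout": ("low", "low")}

if __name__ == "__main__":
    for phase, gaps in rollout_plan(find_gaps(CURRENT, FDCC, RATINGS)).items():
        for g in gaps:
            print(f"{phase:6} impact / {g.risk:6} risk: {g.setting}: {g.current} -> {g.required}")
```

The “low” phase comes out with its high-risk gaps at the top, which is the “high” risk and “low” impact group the review focused on.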


Dealing With Some Of The “Gotchas”

• Least User Privileges / Access (LUA)

– INL had implemented LUA principles prior to FDCC

– BeyondTrust Privilege Manager

• Upgraded to latest version

• Renewed focus on generating new rules

• Exceptions and Deviations

– Example: Need for Local Printer Shares

– Group Policy application by groups in addition to OU

• Internally developed program to control Group Policy application


Active Directory Interface


History Log


Ongoing Work

• Continue to evaluate / test / implement “Gap” settings

• Incorporation of SCAP scanning tools into existing vulnerability scans

• Refine and enhance process for exceptions and variances

• Revisit previous exceptions and develop appropriate single variance policies

• Reduce / Eliminate the number of “exempted” systems

• Extend the FDCC strategy to Non-Windows systems and Servers


Questions

Contact Info

Justin Hansen

(208) 526-6584

[email protected]
