slide1 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Federal Desktop Core Configuration and Sandia National Labs PowerPoint Presentation
Download Presentation
Federal Desktop Core Configuration and Sandia National Labs

Loading in 2 Seconds...

play fullscreen
1 / 13

Federal Desktop Core Configuration and Sandia National Labs - PowerPoint PPT Presentation


  • 169 Views
  • Uploaded on

NLIT 2009. Federal Desktop Core Configuration and Sandia National Labs. Stan Hall Cyber Technology Development.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Federal Desktop Core Configuration and Sandia National Labs' - cira


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

NLIT 2009

Federal Desktop Core ConfigurationandSandia National Labs

Stan Hall

Cyber Technology Development

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide2

What is the Federal Desktop Core

Configuration (FDCC)? (Blah, Blah)

  •  The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista and XP operating system software. While not addressed specifically as the "Federal Desktop Core Configuration," the FDCC was originally called for in a 22 March 2007 memorandum from OMB to all Federal agencies and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIO).
  • Directly from: http://csrc.nist.gov/fdcc/fdcc_faqs_20070731.html

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide3

How we (Sandia) started

We started with a test organizational Unit (OU) in the internal Active Directory (AD) domain.

We placed all the FDCC policies on the OU and put some test systems in to see the effects.

The result was a bad experience as much did not work with the systems.

We then pulled back setting after setting till we had a system that was functional again and determined what needed to be done for each setting that caused conflicts.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide4

Vista Status

  •  Vista FDCC policies are currently running at about 93% compliant (not counting requested variances).
  • Variances requested are:
      • Account Policies (age, length, lockout), FIPS 140 Encryption, Remote Desktop, Remote Assist, Smart Card removal behavior, Terminal Server session timeout and Wireless configuration wizard’s, Administrative Rights, sharing of files and printers, Root certificate updates and screen saver

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide5

Next Steps

Our Vista deployment was delayed so we needed to start looking at XP.

We started with the base settings from the Vista configuration and tested them in a controlled rollout.

As conflicts were identified we made a note and requested a variance.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide6

XP Status

  • XP FDCC policies are currently running at about 80% compliant (not counting requested variances).
  • Variances requested are:
      • Account Policies (age, length, lockout), FIPS 140 Encryption, Remote Desktop, Remote Assist, Smart Card removal behavior, Terminal Server session timeout and Wireless configuration wizard’s, Administrative Rights, sharing of files and printers, Root certificate updates and screen saver

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide7

Variances in Detail

  • Account Policies (age, length, lockout) – Using DOE approved policy
  • FIPS 140 Encryption- Conflicted with Oracle middleware
  • Remote Desktop and Remote Assist - Help Desk
  • Smart Card removal behavior-Prevented logging into more then one system at a time.
  • Terminal Server session timeout – Affects Remote Desktop sessions.
  • IE Security Zones: Use Only Machine Settings - Not set to enable viewing of sites that have been added to a zone.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide8

Variances in Detail (Continued)

  • Wireless configuration wizards – Makes it easier for help desk troubleshooting (Standard Menus).
  • Administrative Rights – Not all provisions are in place for admin rights removal.
  • Sharing of files and printers – Users share between desktop and laptop.
  • Root certificate updates – We are not staffed to publish trusted certificates in to the store. Left the automatic system in place
  • Screen saver – Has an effect on setting a system into presentation mode.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide9

Additional Information

Security Zones: Do not allow users to add/delete sites -

We created an application to enable users to add Web Site addresses to the Trusted and Intranet zones. We were considering requesting a variance to this policy, but to enable this required many other variances then initially thought.

Microsoft network client: Digitally sign communications (always)-

This will have an effect on connecting to Samba servers that are not running at least version 3.0.28a or newer.

These settings are also not enabled on Server 2000 or NT by default and will need to be enabled for clients to access shares on those systems.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide10

Additional Information (Continued)

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (Require NTLMv2 Session Security)-

Will break connectivity to Samba servers that are not members of the Active directory domain and using Active Directory Service security (Security = ADS)

If you are using GPO’s have separate GPO’s for Vista and XP and use that platform to make modifications to it’s related GPO. Never mix the two.

Vista has a new feature called Point and Print restrictions that can be found under User Configuration > Administrative Templates > Control Panel > Printers

This can be used to define printers the users can install without needing administrative rights.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide11

Additional Information (Continued)

Try to consolidate GPO’s after testing. The more GPO’s you use, the longer it takes to process. Even if you only have a few setting in the GPO.

Disable User section or Computer section of the GPO if not used in that GPO.

For Additional information on Sandia’s Vista deployment, please see Roman Selever’s presentation Tomorrow at 11:00 in the James Polk room.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide12

Questions to the group

  • Are you deploying the FDCC or making plans to?
  • Where are you at with the FDCC?
  • Are you locking down IE?
  • Are you using any Security Content Automation Protocol (SCAP) reporting tools (If yes, name)?
  • Who is your POC for the FDCC?
  • What this information useful?

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

slide13

Questions?

?

  • Stan Hall
  • cshall@sandia.gov
  • (505) 284-4333

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.