FDCC Implementation Efforts at Idaho National Laboratory
Justin Hansen
NLIT 2009

Overview
• What is FDCC and where did it come from?
• Review process for the FDCC policy settings
• Specific implementation steps
• Dealing with some of the “Gotchas”
• Ongoing work
• Other information resources

INL’s IT By The Numbers
• 12,000 IT Devices owned by INL
• 9,000 Devices on the Network
• 5,500 Desktop & Laptop Computers
• OSs (~85% Windows, 9% Macs, 6% Linux)
• Dell Shop (95% of Windows-Based Computers are Dells)
• Office Desktops – Dell Optiplex
• Laptops – Dell Latitudes
• Engineering Workstations – Dell Precisions

What Is FDCC And Where Did It Come From?
• FDCC: Federal Desktop Core Configuration
• Office of Management and Budget (OMB), March 2007
• Windows XP FDCC was based on Air Force customizations to the settings of NIST 800-68 checklist
• Used the “Specialized Security Limited Functionality” settings (SSLF)
• Windows Vista and IE 7 FDCC was based on DoD customizations of the Microsoft Security Guides
• Recommendations have been developed for Windows Vista, Windows XP and Internet Explorer

NIST Provided Resources For FDCC
• Ready-made Group Policy Objects
• Microsoft Virtual PC “VHDs” for testing
• Security Templates for Microsoft Security Configuration and Analysis Tool
• Security Content Automation Protocol (SCAP) definition and content
• NIST Windows Security Baseline Database
• Set_FDCC_LGPO.exe (Microsoft – http://blogs.technet.com/fdcc)

INL Review Process
• Compared currently implemented Minimum Security Configurations to FDCC
• Categorized FDCC “Gap” settings by impact and risk
• Evaluated required enterprise changes for “medium” and “high” impact settings
• Example: “Digitally sign communications (always)”
• Focused on “high” risk and “low” impact settings
• Spreadsheet developed to help evaluate these factors

Implementation Specifics
• Settings were deployed using domain Group Policies
• Initial FDCC Group Policy was equivalent to existing security settings
• Incorporated settings with “low” impact first
• Testing and phased rollouts of “medium” impact settings
• Continually working on making necessary changes to accommodate “high” impact and “high” risk settings
• Implemented by a small team over a 3-month period

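The gap comparison from the review process and the impact-ordered rollout from the implementation slide, as an added example (not INL's spreadsheet or tooling). It assumes the current and target settings are available as security templates in the secedit .inf layout; the sample templates, the impact/risk ratings and the phase numbers are constructed for illustration.

```python
import configparser

# Constructed sample templates in the secedit security-template (.inf) layout.
# Values are illustrative, not the published FDCC settings.
BASELINE_INF = r"""
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""
# Constructed ratings standing in for the review spreadsheet: name -> (impact, risk).
RATINGS = {
    "MinimumPasswordLength": ("low", "high"),
    "RequireSecuritySignature": ("high", "high"),  # "Digitally sign communications (always)"
    "NoLMHash": ("medium", "high"),
}
PHASE = {"low": 1, "medium": 2, "high": 3}       # rollout order follows impact
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}  # within a phase, highest risk first

def parse_template(text):
    """Return {(section, key): value} for every setting in a template."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep registry paths and setting names case-intact
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp[s].items()}

def find_gaps(baseline, current):
    """List settings where current differs from baseline, in rollout order."""
    gaps = []
    for (section, key), want in baseline.items():
        have = current.get((section, key))  # None means not configured at all
        if have != want:
            name = key.rsplit("\\", 1)[-1]
            # Assumption: an unrated setting is treated as high impact, high risk.
            impact, risk = RATINGS.get(name, ("high", "high"))
            gaps.append({"setting": name, "want": want, "have": have,
                         "impact": impact, "risk": risk, "phase": PHASE[impact]})
    return sorted(gaps, key=lambda g: (g["phase"], RISK_ORDER[g["risk"]], g["setting"]))

if __name__ == "__main__":
    for g in find_gaps(parse_template(BASELINE_INF), parse_template(CURRENT_INF)):
        print(g["phase"], g["setting"], g["have"], "->", g["want"])
```

Templates written by `secedit /export` are UTF-16 files, so decode them to text before passing them to `parse_template`.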
Dealing With Some Of The “Gotchas”
• Least User Privileges / Access (LUA)
• INL had implemented LUA principles previous to FDCC
• BeyondTrust Privilege Manager
• Upgraded to latest version
• Renewed focus on generating new rules
• Exceptions and Deviations
• Example: Need for Local Printer Shares
• Group Policy application by groups in addition to OU
• Internally developed program to control Group Policy application

Ongoing Work
• Continue to evaluate / test / implement “Gap” settings
• Incorporation of SCAP scanning tools into existing vulnerability scans
• Refine and enhance process for exceptions and variances
• Revisit previous exceptions and develop appropriate single variance policies
• Reduce / Eliminate the number of “exempted” systems
• Extend the FDCC strategy to Non-Windows systems and Servers

Questions
Contact Info
Justin Hansen
(208) 526-6584
Justin.Hansen@inl.gov