Federal Desktop Core Configuration
FDCC

FDCC Technical FAQs - 2007.07.31

This frequently asked questions (FAQ) document addresses subjects associated with the March 2007 OMB-mandated Federal Desktop Core Configuration (FDCC). Topics include the FDCC itself, laboratory testing of the FDCC, agency testing of the FDCC, use of SCAP to evaluate computers for FDCC compliance, deploying the FDCC, and reporting deviations from the FDCC. This FAQ should be considered an addition to the Managing Security Risks Using Common Configurations FAQ.

Federal Desktop Core Configuration

1. What is the Federal Desktop Core Configuration (FDCC)?

The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for the Microsoft Windows Vista and Windows XP operating systems. While not referred to specifically as the "Federal Desktop Core Configuration," the FDCC was originally called for in a 22 March 2007 memorandum from OMB to all Federal agency and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIOs).

2. What operating systems have FDCC settings?

Currently, FDCC settings exist for Microsoft Windows XP Professional (Service Pack 2) and Microsoft Windows Vista Enterprise.

3. Where can I obtain security configuration information for operating systems other than Windows XP and Windows Vista?

In general, NIST suggests that Federal agencies use the NIST Special Publication (SP) guide if one exists for a specific operating system version. If such a guide is not available, Federal agencies should browse the NIST Checklists repository (checklists.nist.gov) to select a government-developed guide (such as one from the Defense Information Systems Agency or the National Security Agency) or a vendor's guide that can be used as a baseline. When such security configuration guides do not exist, Federal agencies may select guides from other trusted third parties. Regardless of which guide is selected, Federal agencies should document how their deployed information technology products are secured and where they deviate from the recommended checklists.

4. How was the FDCC created?

The Windows Vista FDCC is based on DoD customization of the Microsoft Security Guides for both Windows Vista and Internet Explorer 7.0. Microsoft's Vista Security Guide was produced through a collaborative effort with DISA, NSA, and NIST. The guide reflects the consensus recommended settings from DISA, NSA, and NIST for the Windows Vista platform.

The Windows XP FDCC is based on Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST SP 800-68 and DoD customization of the recommendations in Microsoft's Security Guide for Internet Explorer 7.0.

5. Is NIST endorsing or mandating the use of the Windows XP or Windows Vista operating systems, or requiring that each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows XP or Vista operating systems, nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software for which NIST has not developed a publication, security configuration checklist, or virtual testing environment.

6. Is NIST working exclusively with Microsoft on baseline security settings?

No. NIST is currently working with a number of IT vendors on standardizing security settings for a wide variety of IT products and environments. NIST does this through the NIST Security Configuration Checklists Program for IT Products. The NIST process for creating, vetting, and making security checklists available for public use is documented in NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers. IT vendors that would like to standardize additional security settings with NIST should contact checklists@nist.gov.

FDCC Laboratory Testing

1. What was the objective of the recent NIST test effort?

In support of OMB and Federal organizations, NIST, with support from NSA, DISA, Microsoft, and third-party tool vendors, has performed extensive laboratory testing to verify that the Virtual Hard Disk (VHD) files adhere to the written FDCC policy.

2. What version of Microsoft Internet Explorer was tested?

Internet Explorer 7.0 was tested.

3. What if I use a browser other than Internet Explorer 7.0?

While settings for other browsers were not tested, Federal organizations are free to use other Web browser software instead of, or in addition to, Internet Explorer 7.0. If agencies are using Internet Explorer, NIST recommends that they use Internet Explorer 7.0.

4. Were any Microsoft Office security configurations of the FDCC tested?

Microsoft Office is not installed on the VHDs, nor are Microsoft Office settings included in the GPOs. The Microsoft Office security recommendations are represented in the FDCC documentation and are provided for public comment before laboratory testing. Microsoft Office settings will undergo review and testing after publication of the Microsoft Office 2007 Security Guide.

5. To comply with the FDCC, are Federal organizations required to use the Microsoft Windows Firewall?

No. The FDCC baseline recommends the use of a personal firewall and includes the Microsoft Windows Firewall settings because that firewall is enabled as part of the operating system installation. However, Federal organizations are free to use other desktop firewall software instead of the Microsoft Windows Firewall.

6. Are Microsoft Defender and/or other malware scanning software included in the FDCC settings?

Yes. Microsoft Defender is installed on the FDCC VHDs; however, there is currently no configuration guidance for this product other than the default settings provided by Microsoft. As is the case with the Microsoft Windows Firewall, NIST recommends the use of malware scanning utilities but does not recommend any particular vendor's product.

FDCC Agency Testing

1. What are Virtual PCs (VPC), and what is the difference between a VPC and a Virtual Hard Disk (VHD)?

Virtual PC (VPC) is a Microsoft product that allows users to run a virtual instance of an operating system (the Virtual Hard Disk) within an already running instance of an operating system (the non-virtual OS). The Virtual Hard Disk (VHD) can use the hardware of the computer (e.g., hard drive, Ethernet card, USB ports) in the same way the non-virtual OS does. From the non-virtual OS, the VHD appears as a single, large *.vhd file.

2. Why are VHDs beneficial?

VHDs are very useful for both laboratory and deployment testing. While software can be installed on a VHD in the same way it is installed on a normal operating system, VHDs can be discarded and recreated very quickly, either to ensure a pristine testing environment or when something has malfunctioned in the previous VHD. Additionally, multiple VHDs can be run on a single physical platform to achieve cost savings.

3. When will VHDs expire, and how often will they be updated?

According to Microsoft licensing, VHD licenses expire after 120 days. FDCC test VHDs will be published quarterly and can be found at:
http://csrc.nist.gov/fdcc/download_fdcc.html

4. What can be downloaded from the FDCC technical site?

The FDCC technical Web site contains Windows Vista and Windows XP FDCC policy documentation, VHD files, Group Policy Object (GPO) files, and SCAP content files.

5. Can I use the VHDs, GPOs, .inf, and SCAP content in an operational environment?

It is recommended that the VHDs, GPOs, .inf files, and SCAP content be used in a test and evaluation environment. After careful testing, an organization may decide to use the GPO, .inf, and/or SCAP content in the production environment. VHDs are provided for laboratory testing purposes only and are not to be used as a deployment image.

6. What are the accounts and passwords that I can use to log on to the FDCC test VPCs?

  • Windows Vista - FDCC_Admin and P@ssw0rd123456
  • Windows XP - Renamed_Admin and P@ssw0rd123456

7. How do I use the VHDs?

NIST suggests that you first make a backup copy of the downloaded VHD files. Then install the Virtual PC software obtained from Microsoft (http://www.microsoft.com/windows/downloads/virtualpc/default.mspx). Next, run the New Virtual Machine wizard to create a new VPC that uses the downloaded VHD file.

8. What should I consider before I run the VHDs?

NIST recommends that you install and configure antivirus software and set the VPC networking setting to "Local only" or "Not Connected."

9. Who produces the VHDs?

At the request of OMB, Microsoft produces the VHDs with input from many departments and agencies, including DHS, DISA, OMB, NIST, NSA, and USAF.

Security Content Automation Protocol

1. What is SCAP?

NIST recently established a suite of interoperable and automatable security standards known as the Security Content Automation Protocol (SCAP). Because it uses XML-based standards, SCAP content is both machine and human readable. The National Vulnerability Database is being expanded to host SCAP reference data. More information about SCAP may be found at http://nvd.nist.gov/scap.cfm.

2. How are SCAP and SCAP-capable tools relevant to the FDCC?

As part of the iterative VHD image integrity testing process, engineers ensured that both the VHDs and the SCAP data streams were accurately calibrated to represent and test compliance with the FDCC recommendations. Multiple SCAP-capable tools were able to use the same SCAP data stream to validate that the FDCC settings were properly applied to the VHD. The same SCAP data stream that was used for testing FDCC compliance in the NIST lab can also be used to determine whether newly created images are FDCC compliant.

3. What settings cannot be verified with the current SCAP tools?

There are a small number of FDCC settings that cannot be verified using SCAP at this time. These settings are documented in the FDCC SCAP documentation.

4. Where can I obtain FDCC SCAP content?

FDCC SCAP content is available for Windows XP and Vista at:
http://csrc.nist.gov/fdcc/download_fdcc.html
The National Vulnerability Database (NVD) hosts all SCAP reference data, including profiles for the FDCC and other Windows XP and Windows Vista security configurations.

5. What is SCAP Compliance?

To enable the goals set forth in OMB Memorandum M-07-18, it is necessary to have security configuration scanning tools that can use official SCAP content. In response, NIST is establishing the SCAP Compliance effort. Implemented through the NIST National Voluntary Laboratory Accreditation Program (NVLAP), independent laboratories can be accredited to perform the testing necessary to validate that security tools accurately parse the SCAP content required for their specific functionality. Additional details on SCAP compliance are available at http://nvd.nist.gov/scap.cfm.

6. How do I know if a tool is SCAP Compliant?

Tools that have achieved NIST SCAP Compliance will be listed at http://nvd.nist.gov/tools.cfm. Since the SCAP compliance effort is still being established, NIST is allowing vendors to temporarily self-assert their compliance and is listing them on this page. Tools are referenced by their type (configuration scanner, vulnerability scanner, etc.), as well as by the vendor, tool name, and the specific SCAP components for which the tool has achieved compliance.

7. How can agencies perform acceptance testing of FDCC compliant software?

A recent OMB Memorandum provides guidance regarding agency acceptance testing of FDCC compliant software. The link will be posted soon.

8. How can agencies ensure that their systems maintain the FDCC settings throughout the system life cycle?

Through the use of SCAP compliant tools and official FDCC SCAP content, agencies can routinely monitor their systems to ensure that the FDCC settings have not been altered as the result of patching, installation of new software, or human interaction. The tools compare the deployed configuration against the official SCAP FDCC content and report any discrepancies so that corrective action can be taken (some tools also have an automatic remediation capability). As with FDCC software acceptance testing, only SCAP compliant configuration scanning tools that are asserted by the vendor as "FDCC Scanning Capable" on the SCAP tools webpage (http://nvd.nist.gov/tools.cfm) can fully process SCAP FDCC content.

9. How can agencies use SCAP FDCC content to automate FISMA compliance of technical controls?

SCAP tools, which agencies use to continuously monitor FDCC settings, can output FISMA technical control compliance evidence. The FDCC SCAP content has FISMA compliance mappings embedded in it so that SCAP-compatible tools can automatically generate NIST Special Publication (SP) 800-53 assessment and compliance evidence. Each low-level security configuration check is mapped to the appropriate high-level NIST SP 800-53 security controls. As draft NIST SP 800-53A progresses towards final publication, there will be a direct linkage, where appropriate, between the assessment procedures found in NIST SP 800-53A and the SCAP automated testing of information system mechanisms and associated security configuration settings. In addition, the FDCC SCAP content also contains mappings to other high-level policies (e.g., ISO, DOD 8500, FISCAM), and SCAP tools may also output those compliance mappings. Additional SCAP content exists that agencies can also use to automate FISMA technical control compliance. This SCAP content is available at http://nvd.nist.gov/scapchecklists.cfm.
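The monitoring and control-mapping workflow described in questions 8 and 9, as an added example (not NIST code and not the official FDCC SCAP content): a script that parses a simplified, namespace-free result stream modelled on an XCCDF TestResult, lists the checks that have drifted from the baseline and those SCAP could not evaluate (question 3), and rolls each check up to the SP 800-53 control it is mapped to. The rule ids, the `control` attribute and the control identifiers in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, loosely modelled on an XCCDF TestResult. The rule ids,
# the "control" attribute and the SP 800-53 identifiers are illustrative and
# are not copied from the official FDCC SCAP content.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult id="constructed-fdcc-sample">
  <rule-result idref="min-password-length-12" control="IA-5"><result>pass</result></rule-result>
  <rule-result idref="max-password-age-60" control="IA-5"><result>fail</result></rule-result>
  <rule-result idref="wireless-service-disabled" control="AC-18"><result>pass</result></rule-result>
  <rule-result idref="fips-140-2-algorithms" control="SC-13"><result>fail</result></rule-result>
  <rule-result idref="unsigned-driver-block" control="CM-5"><result>notchecked</result></rule-result>
</TestResult>
"""

# Results that SCAP could not decide; these need manual verification.
MANUAL_RESULTS = ("notchecked", "unknown")


def parse_results(xml_text):
    """Return (rule_id, control_id, result) tuples in document order."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.findall("rule-result"):
        result = rr.findtext("result", default="unknown").strip().lower()
        rows.append((rr.get("idref"), rr.get("control"), result))
    return rows


def drift_report(rows):
    """Summarise drift and roll it up to controls.

    A control is 'fail' if any mapped check failed, 'pass' if every mapped
    check passed, and 'manual' if nothing failed but at least one mapped
    check could not be evaluated automatically.
    """
    failed = [rule for rule, _, res in rows if res == "fail"]
    manual = [rule for rule, _, res in rows if res in MANUAL_RESULTS]
    by_control = defaultdict(list)
    for _, control, res in rows:
        by_control[control].append(res)
    controls = {}
    for control, results in by_control.items():
        if "fail" in results:
            controls[control] = "fail"
        elif all(r == "pass" for r in results):
            controls[control] = "pass"
        else:
            controls[control] = "manual"
    return {"failed_rules": failed, "manual_rules": manual, "controls": controls}


def maintains_baseline(rows):
    """True only when no check in the result stream failed."""
    return not drift_report(rows)["failed_rules"]


if __name__ == "__main__":
    report = drift_report(parse_results(SAMPLE_RESULTS))
    print("drifted:", report["failed_rules"])
    print("needs manual check:", report["manual_rules"])
    for control, status in sorted(report["controls"].items()):
        print(f"{control}: {status}")
```

A real SCAP scanner would produce namespaced XCCDF with the control mapping carried in reference elements rather than an attribute; the rollup logic is the part that carries over.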


10. How can agencies report their compliance with the FDCC?

Until SCAP compliant tools become available, agencies must self-assert that their systems are FDCC compliant (see OMB Memorandum M-07-18 for additional information). As an integral part of the continuous monitoring of systems configured to the FDCC, agencies can report their testing results to NIST. To ensure both the accuracy and consistency of these results, agencies can use the standardized SCAP XML reporting format. Use of this format will enable NIST to efficiently collect and organize the results for analysis and trending over time. NIST will aggregate the results from all agencies and will not generally provide direct feedback to each individual agency concerning its results. NIST is in the process of implementing an SCAP compliance effort that will test security tools for their ability to output results in the standardized SCAP XML format. Additional reporting details will be forthcoming.

FDCC Deployment

1. What are some settings that will impact system functionality that I should test before I deploy the OMB-mandated FDCC baseline in an operational environment?

There are a number of settings that will impact system functionality and that agencies should test thoroughly before they are deployed in an operational environment.

  • Running the system as a standard user - some applications may not work properly because they require administrative access to operating system and application directories and registry keys.
  • Minimum 12-character password, changed every 60 days - this may impact system usability and interoperability with some enterprise single sign-on password management systems.
  • Wireless service - the wireless service is disabled, which will prevent the use of Wi-Fi network interfaces that depend on the built-in wireless service.
  • FIPS 140-2 setting - impacts browser interoperability with Web sites that do not support the FIPS 140-2 approved algorithms. This can usually be corrected by changing the Web server configuration to support FIPS 140-2 approved algorithms. Refer to the following knowledge base article:
    http://support.microsoft.com/kb/811833
  • Unsigned driver installation behavior - drivers that are not digitally signed by Microsoft cannot be installed under Windows XP.
  • Windows Firewall - the built-in firewall may prevent some applications from communicating with other applications.
  • Additional settings - refer to the following knowledge base article for additional settings that may impact system interoperability with legacy systems:
    http://support.microsoft.com/kb/885409

2. What is the envisioned deployment method for the FDCC?

While smaller organizations may implement local configuration through batch and *.inf files, the recommended method is to implement the majority of FDCC security settings using group policies managed with Microsoft Group Policy Objects (GPO). Approximately 98% of all FDCC settings may be implemented through GPOs. The remaining security settings must be implemented locally through *.inf, batch, or manual methods.

3. How do I apply Microsoft GPOs to one of several different operating systems I manage through the Group Policy Management Console (GPMC)?

In the Microsoft Group Policy Management Console (GPMC), applying GPOs to specific Windows operating systems can be accomplished using a Windows Management Instrumentation (WMI) filter (WMI filtering is only recognized on Windows Vista, Windows XP, and Windows Server 2003). More specifically, create a WMI filter that selects the applicable operating systems, and link that filter to the GPO applicable to those operating systems. If computers with Windows 2000 or earlier Windows operating systems are present within the enterprise, these computers must be granted an exception from the group policy using the Deny Read and Deny Apply Group Policy settings. The following two sources provide additional detail:

4. Does the FDCC baseline include specific USG digital certificates?

The FDCC baseline includes root and intermediate CA certificates for the DoD and civilian agencies in the trusted stores for both the Windows XP and Vista VHDs.

5. Can a standard user share files using the Microsoft file sharing or peer-to-peer sharing protocols?

The FDCC baseline disables the Microsoft file and printer sharing feature and the Microsoft Peer-to-Peer networking services. The Windows firewall is also configured to prevent local file sharing. If a third-party firewall is used, it is recommended that it prevent the system from sharing files on the local system.

6. Does the FDCC baseline include power-management-specific settings?

The FDCC baseline does not make any specific recommendation about the power management settings. By default, Windows Vista uses the Balanced power plan, which puts the system to sleep after 1 hour on AC power and 15 minutes on battery power. It turns off the hard disks after 20 minutes on AC power and 10 minutes on battery power, and turns off the display after 20 minutes on AC power and 5 minutes on battery power.


Comments and questions may be addressed to fdcc@nist.gov




Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.


Last updated: February 27, 2008
Page created: July 22, 2007
