1 / 14

FDCC Implementation Efforts at Idaho National Laboratory

FDCC Implementation Efforts at Idaho National Laboratory . Justin Hansen. NLIT 2009. Overview. What is FDCC and where did it come from? Review process for the FDCC policy settings Specific implementation steps Dealing with some of the “Gotchas” Ongoing work Other information resources.

myrilla
Download Presentation

FDCC Implementation Efforts at Idaho National Laboratory

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009

  2. Overview • What is FDCC and where did it come from? • Review process for the FDCC policy settings • Specific implementation steps • Dealing with some of the “Gotchas” • Ongoing work • Other information resources

  3. INL’s IT By The Numbers • 12,000 IT Devices owned by INL • 9,000 Devices on the Network • 5,500 Desktop & Laptop Computers • OS’s (~85% Windows, 9% Mac’s, 6% Linux) • Dell Shop (95% Windows Based Computers are Dells) • Office Desktops – Dell Optiplex • Laptops – Dell Latitudes • Engineering Workstations – Dell Precisions

  4. What Is FDCC And Where Did It Come From? • FDCC: Federal Desktop Core Configuration • Office of Management and Budget (OMB) March, 2007 • Windows XP FDCC was based on Air Force customizations to the settings of NIST 800-68 checklist • Used the “Specialized Security Limited Functionality” settings (SSLF) • Windows Vista and IE 7 FDCC was based on DoD customizations of the Microsoft Security Guides • Recommendations have been developed for Windows Vista, Windows XP and Internet Explorer

  5. NIST Provided Resources For FDCC • Ready made Group Policy Objects • Microsoft Virtual PC “VHDs” for testing • Security Templates for Microsoft Security Configuration and Analysis Tool • Security Content Automation Protocol (SCAP) definition and content • NIST Windows Security Baseline Database • Set_FDCC_LGPO.exe (Microsoft – http://blogs.technet.com/fdcc)

  6. INL Review Process • Compared currently implemented Minimum Security Configurations to FDCC • Categorized FDCC “Gap” settings by impact and risk • Evaluated required enterprise changes for “medium” and “high” impact settings • Example: “Digitally sign communications (always)” • Focused on “high” risk and “low” impact settings • Spreadsheet developed to help evaluate these factors

  7. Sample Evaluation Spreadsheet

  8. Implementation Specifics • Settings were deployed using domain Group Policies • Initial FDCC Group Policy was equivalent to existing security settings • Incorporated settings with “low” impact first • Testing and phased rollouts of “medium” impact settings • Continually working on making necessary changes to accommodate “high” impact and “high” risk settings • Implemented by small team over a 3 month period

  9. Dealing With Some Of The “Gotchas” • Least User Privileges / Access (LUA) • INL had implemented LUA principles previous to FDCC • BeyondTrust Privilege Manager • Upgraded to latest version • Renewed focus on generating new rules • Exceptions and Deviations • Example: Need for Local Printer Shares • Group Policy application by groups in addition to OU • Internally developed program to control Group Policy application

  10. Active Directory Interface

  11. History Log

  12. Ongoing Work • Continue to evaluate / test / implement “Gap” settings • Incorporation of SCAP scanning tools into existing vulnerability scans • Refine and enhance process for exceptions and variances • Revisit previous exceptions and develop appropriate single variance policies • Reduce / Eliminate the number of “exempted” systems • Extend the FDCC strategy to Non-Windows systems and Servers

  13. Questions Contact Info Justin Hansen (208) 526-6584 Justin.Hansen@inl.gov

More Related