Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL

Federal Desktop Core Configuration and Sandia National Labs
Stan Hall, Cyber Technology Development
NLIT 2009

What is the Federal Desktop Core Configuration (FDCC)? (Blah, Blah)

The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for the Microsoft Windows Vista and XP operating systems. While not addressed specifically as the "Federal Desktop Core Configuration," the FDCC was originally called for in a 22 March 2007 memorandum from OMB to all Federal agencies and department heads and a corresponding memorandum from OMB to all Federal agency and department Chief Information Officers (CIO).

Directly from:

How we (Sandia) started

We started with a test organizational unit (OU) in the internal Active Directory (AD) domain. We placed all the FDCC policies on the OU and put some test systems in to see the effects. The result was a bad experience, as much did not work on the systems. We then pulled back setting after setting until we had a system that was functional again, and determined what needed to be done for each setting that caused conflicts.

Vista Status

Vista FDCC policies are currently running at about 93% compliant (not counting requested variances). Variances requested are: Account Policies (age, length, lockout), FIPS 140 Encryption, Remote Desktop, Remote Assist, Smart Card removal behavior, Terminal Server session timeout and Wireless configuration wizards, Administrative Rights, sharing of files and printers, Root certificate updates and screen saver.

Next Steps

Our Vista deployment was delayed, so we needed to start looking at XP. We started with the base settings from the Vista configuration and tested them in a controlled rollout. As conflicts were identified we made a note and requested a variance.

XP Status

XP FDCC policies are currently running at about 80% compliant (not counting requested variances). Variances requested are: Account Policies (age, length, lockout), FIPS 140 Encryption, Remote Desktop, Remote Assist, Smart Card removal behavior, Terminal Server session timeout and Wireless configuration wizards, Administrative Rights, sharing of files and printers, Root certificate updates and screen saver.

Variances in Detail

Account Policies (age, length, lockout) – Using DOE-approved policy.
FIPS 140 Encryption – Conflicted with Oracle middleware.
Remote Desktop and Remote Assist – Help Desk.
Smart Card removal behavior – Prevented logging into more than one system at a time.
Terminal Server session timeout – Affects Remote Desktop sessions.
IE Security Zones: Use Only Machine Settings – Not set, to enable viewing of sites that have been added to a zone.

Variances in Detail (Continued)

Wireless configuration wizards – Makes it easier for help desk troubleshooting (standard menus).
Administrative Rights – Not all provisions are in place for admin rights removal.
Sharing of files and printers – Users share between desktop and laptop.
Root certificate updates – We are not staffed to publish trusted certificates into the store. Left the automatic system in place.
Screen saver – Has an effect on setting a system into presentation mode.

Additional Information

Security Zones: Do not allow users to add/delete sites – We created an application to enable users to add web site addresses to the Trusted and Intranet zones. We were considering requesting a variance to this policy, but enabling this required many more variances than initially thought.

Microsoft network client: Digitally sign communications (always) – This will have an effect on connecting to Samba servers that are not running at least version a or newer. These settings are also not enabled on Server 2000 or NT by default and will need to be enabled for clients to access shares on those systems.

Additional Information (Continued)

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (Require NTLMv2 Session Security) – Will break connectivity to Samba servers that are not members of the Active Directory domain and are using Active Directory Service security (security = ADS).

If you are using GPOs, have separate GPOs for Vista and XP and use that platform to make modifications to its related GPO. Never mix the two.

Vista has a new feature called Point and Print restrictions that can be found under User Configuration > Administrative Templates > Control Panel > Printers. This can be used to define printers the users can install without needing administrative rights.
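The compliance figures above are reported "not counting requested variances", and the two SMB/NTLM settings just discussed are the kind that a client-side check should flag. The following added example (not from the presentation or Sandia) scores a constructed secedit-style export against a set of target values, treats approved variances as unscored, and handles the NTLM minimum-session-security value as a bitmask rather than an exact match. The registry paths are the standard locations for these policies; the target values and the sample export are assumptions for the example.

```python
# Constructed secedit-style export, as `secedit /export` would produce on a
# client; sample values, not Sandia's real configuration.
EXPORTED_INF = """\
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 90
LockoutBadCount = 10
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\RequireSecuritySignature=4,1
MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\RequireSecuritySignature=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NTLMMinClientSec=4,537395200
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy\\Enabled=4,0
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
SVC = "MACHINE\\System\\CurrentControlSet\\Services\\"

# Target values are assumed for this example, not copied from the FDCC GPOs.
REQUIRED = {
    "MinimumPasswordLength": 12,
    "MaximumPasswordAge": 60,
    "LockoutBadCount": 5,
    SVC + "LanmanWorkstation\\Parameters\\RequireSecuritySignature": 1,  # client: sign always
    SVC + "LanmanServer\\Parameters\\RequireSecuritySignature": 1,       # server: sign always
    LSA + "MSV1_0\\NTLMMinClientSec": 0x20080000,  # NTLMv2 session security + 128-bit
    LSA + "FIPSAlgorithmPolicy\\Enabled": 1,
}
MASK_KEYS = {LSA + "MSV1_0\\NTLMMinClientSec"}  # flag word: required bits must be set
# Approved variances named on the slides: account policies (DOE policy), FIPS 140.
VARIANCES = {"MinimumPasswordLength", "MaximumPasswordAge", "LockoutBadCount",
             LSA + "FIPSAlgorithmPolicy\\Enabled"}

def parse_inf(text):
    """Flatten [System Access] and [Registry Values] lines into {key: int}."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        value = value.strip().split(",")[-1]  # drop the "4," REG_DWORD type prefix
        settings[key.strip()] = int(value)
    return settings

def assess(exported=EXPORTED_INF, required=REQUIRED, variances=VARIANCES):
    """Return (status per setting, compliance % with approved variances unscored)."""
    actual = parse_inf(exported)
    status = {}
    for key, want in required.items():
        have = actual.get(key)
        ok = (have is not None and have & want == want) if key in MASK_KEYS else have == want
        status[key] = "ok" if ok else ("variance" if key in variances else "fail")
    scored = [s for s in status.values() if s != "variance"]
    pct = round(100 * scored.count("ok") / len(scored)) if scored else 100
    return status, pct
```

With the sample export, the three scored settings give 67% (server-side signing is the one failure); the four variance settings are reported but do not lower the figure.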

Additional Information (Continued)

Try to consolidate GPOs after testing. The more GPOs you use, the longer it takes to process, even if you only have a few settings in each GPO. Disable the User section or Computer section of the GPO if it is not used in that GPO.

For additional information on Sandia’s Vista deployment, please see Roman Selever’s presentation tomorrow at 11:00 in the James Polk room.

Questions to the group

Are you deploying the FDCC or making plans to?
Where are you at with the FDCC?
Are you locking down IE?
Are you using any Security Content Automation Protocol (SCAP) reporting tools (if yes, name)?
Who is your POC for the FDCC?
Was this information useful?

Questions?

Stan Hall (505)