Published by Neal Halls. Modified over 9 years ago.
1
FDCC Implementation Efforts at Idaho National Laboratory
Justin Hansen
NLIT 2009
2
Overview
- What is FDCC and where did it come from?
- Review process for the FDCC policy settings
- Specific implementation steps
- Dealing with some of the “Gotchas”
- Ongoing work
- Other information resources
3
INL’s IT By The Numbers
- 12,000 IT devices owned by INL
- 9,000 devices on the network
- 5,500 desktop and laptop computers
- Operating systems: ~85% Windows, 9% Mac, 6% Linux
- Dell shop (95% of Windows-based computers are Dells)
- Office desktops – Dell Optiplex
- Laptops – Dell Latitude
- Engineering workstations – Dell Precision
4
What Is FDCC And Where Did It Come From?
- FDCC: Federal Desktop Core Configuration
- Office of Management and Budget (OMB) March, 2007
- Windows XP FDCC was based on Air Force customizations to the settings of the NIST 800-68 checklist
  – Used the “Specialized Security Limited Functionality” (SSLF) settings
- Windows Vista and IE 7 FDCC was based on DoD customizations of the Microsoft Security Guides
- Recommendations have been developed for Windows Vista, Windows XP and Internet Explorer
5
NIST Provided Resources For FDCC
- Ready-made Group Policy Objects
- Microsoft Virtual PC “VHDs” for testing
- Security Templates for the Microsoft Security Configuration and Analysis Tool
- Security Content Automation Protocol (SCAP) definition and content
- NIST Windows Security Baseline Database
- Set_FDCC_LGPO.exe (Microsoft – http://blogs.technet.com/fdcc)
6
INL Review Process
- Compared currently implemented Minimum Security Configurations to FDCC
- Categorized FDCC “Gap” settings by impact and risk
- Evaluated required enterprise changes for “medium” and “high” impact settings
  – Example: “Digitally sign communications (always)”
- Focused on “high” risk and “low” impact settings
- Spreadsheet developed to help evaluate these factors
7
Sample Evaluation Spreadsheet
8
Implementation Specifics
- Settings were deployed using domain Group Policies
- Initial FDCC Group Policy was equivalent to existing security settings
- Incorporated settings with “low” impact first
- Testing and phased rollouts of “medium” impact settings
- Continually working on making necessary changes to accommodate “high” impact and “high” risk settings
- Implemented by a small team over a 3-month period
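The gap review from the “INL Review Process” slide and the impact-ordered rollout from “Implementation Specifics”, sketched as an added example that is not from the presentation or from INL. The setting names, values and impact/risk ratings are constructed sample data, not the actual FDCC baseline or INL's spreadsheet; `find_gaps` and `plan_rollout` are hypothetical helper names.

```python
# Constructed sample data: names, values and ratings are illustrative only,
# not the real FDCC baseline and not INL's evaluation spreadsheet.
FDCC = {
    "Digitally sign communications (always)": "Enabled",
    "LAN Manager authentication level": "NTLMv2 only",
    "Minimum password length": "12",
    "Allow local printer shares": "Disabled",
}
CURRENT = {
    "Digitally sign communications (always)": "Disabled",
    "LAN Manager authentication level": "NTLMv2 only",
    "Minimum password length": "8",
    # "Allow local printer shares" is not configured in the current baseline
}
# (impact of enabling the setting, risk of leaving it unset), as rated in review
RATINGS = {
    "Digitally sign communications (always)": ("high", "high"),
    "Minimum password length": ("low", "high"),
    "Allow local printer shares": ("medium", "low"),
}
LEVEL = {"low": 0, "medium": 1, "high": 2}

def find_gaps(target, current):
    """Return {setting: (current value or None, target value)} for every mismatch."""
    return {name: (current.get(name), want)
            for name, want in target.items() if current.get(name) != want}

def plan_rollout(gaps, ratings):
    """Group gap settings into phases by impact; within a phase, highest risk first."""
    phases = {"low": [], "medium": [], "high": []}
    for name in gaps:
        if name not in ratings:
            # An unrated gap must go back to review rather than be deployed blind.
            raise KeyError(f"gap setting has not been rated: {name}")
        impact, risk = ratings[name]
        phases[impact].append((name, risk))
    for impact in phases:
        phases[impact].sort(key=lambda item: (-LEVEL[item[1]], item[0]))
    return phases

if __name__ == "__main__":
    gaps = find_gaps(FDCC, CURRENT)
    for impact, items in plan_rollout(gaps, RATINGS).items():
        for name, risk in items:
            have, want = gaps[name]
            print(f"impact={impact:<6} risk={risk:<6} {name}: {have!r} -> {want!r}")
```

The "low" phase corresponds to the settings incorporated first, "medium" to the tested and phased rollouts, and "high" to the settings that need enterprise changes before deployment.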
9
Dealing With Some Of The “Gotchas”
- Least User Privileges / Access (LUA)
  – INL had implemented LUA principles prior to FDCC
  – BeyondTrust Privilege Manager
    - Upgraded to latest version
    - Renewed focus on generating new rules
- Exceptions and Deviations
  – Example: Need for Local Printer Shares
  – Group Policy application by groups in addition to OU
    - Internally developed program to control Group Policy application
10
Active Directory Interface
11
History Log
12
Ongoing Work
- Continue to evaluate / test / implement “Gap” settings
- Incorporation of SCAP scanning tools into existing vulnerability scans
- Refine and enhance process for exceptions and variances
- Revisit previous exceptions and develop appropriate single variance policies
- Reduce / Eliminate the number of “exempted” systems
- Extend the FDCC strategy to Non-Windows systems and Servers
13
Questions
Contact Info
Justin Hansen
(208) 526-6584
Justin.Hansen@inl.gov