FDCC Implementation Efforts at Idaho National Laboratory

1. FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009

2. Overview • What is FDCC and where did it come from? • Review process for the FDCC policy settings • Specific implementation steps • Dealing with some of the “Gotchas” • Ongoing work • Other information resources

3. INL’s IT By The Numbers • 12,000 IT Devices owned by INL • 9,000 Devices on the Network • 5,500 Desktop & Laptop Computers • OS’s (~85% Windows, 9% Mac’s, 6% Linux) • Dell Shop (95% Windows Based Computers are Dells) • Office Desktops – Dell Optiplex • Laptops – Dell Latitudes • Engineering Workstations – Dell Precisions

4. What Is FDCC And Where Did It Come From? • FDCC: Federal Desktop Core Configuration • Office of Management and Budget (OMB) March, 2007 • Windows XP FDCC was based on Air Force customizations to the settings of NIST 800-68 checklist • Used the “Specialized Security Limited Functionality” settings (SSLF) • Windows Vista and IE 7 FDCC was based on DoD customizations of the Microsoft Security Guides • Recommendations have been developed for Windows Vista, Windows XP and Internet Explorer

5. NIST Provided Resources For FDCC • Ready made Group Policy Objects • Microsoft Virtual PC “VHDs” for testing • Security Templates for Microsoft Security Configuration and Analysis Tool • Security Content Automation Protocol (SCAP) definition and content • NIST Windows Security Baseline Database • Set_FDCC_LGPO.exe (Microsoft – http://blogs.technet.com/fdcc)

6. INL Review Process • Compared currently implemented Minimum Security Configurations to FDCC • Categorized FDCC “Gap” settings by impact and risk • Evaluated required enterprise changes for “medium” and “high” impact settings • Example: “Digitally sign communications (always)” • Focused on “high” risk and “low” impact settings • Spreadsheet developed to help evaluate these factors

7. Sample Evaluation Spreadsheet

8. Implementation Specifics • Settings were deployed using domain Group Policies • Initial FDCC Group Policy was equivalent to existing security settings • Incorporated settings with “low” impact first • Testing and phased rollouts of “medium” impact settings • Continually working on making necessary changes to accommodate “high” impact and “high” risk settings • Implemented by small team over a 3 month period

9. Dealing With Some Of The “Gotchas” • Least User Privileges / Access (LUA) • INL had implemented LUA principles previous to FDCC • BeyondTrust Privilege Manager • Upgraded to latest version • Renewed focus on generating new rules • Exceptions and Deviations • Example: Need for Local Printer Shares • Group Policy application by groups in addition to OU • Internally developed program to control Group Policy application

10. Active Directory Interface

11. History Log

12. Ongoing Work • Continue to evaluate / test / implement “Gap” settings • Incorporation of SCAP scanning tools into existing vulnerability scans • Refine and enhance process for exceptions and variances • Revisit previous exceptions and develop appropriate single variance policies • Reduce / Eliminate the number of “exempted” systems • Extend the FDCC strategy to Non-Windows systems and Servers

13. Questions Contact Info Justin Hansen (208) 526-6584 Justin.Hansen@inl.gov