[ISN] Retrofitting PCs with a standard configuration poses unique challenges

From: InfoSec News (alerts@private)
Date: Wed Feb 20 2008 - 23:00:43 PST


http://www.gcn.com/print/27_4/45842-1.html

By Joab Jackson and Jason Miller
GCN.com
02/18/08

All roads in the federal government may lead to a standard configuration 
for Windows PCs, but those roads cross different terrains. Some agencies 
have made significant progress complying with the Federal Desktop Core 
Configuration, but others are experiencing considerable challenges, if 
the presentations and discussions at a recent FDCC workshop are any 
indication.

The Army and Interior Department are among those on track to implement 
FDCC across their organizations. But some other agencies have unique 
functions and workforce arrangements that pose a challenge to 
retrofitting desktops to FDCC, agency officials and industry experts 
say.

Moreover, adoption of FDCC could be slow for some agencies because 
ensuring that each agency PC complies with Office of Management and 
Budget mandates will require 16 checks that must be done by hand, adding 
complexity to the process.

Last year, OMB ordered agencies to upgrade their PCs. Those PCs running 
Microsoft Windows XP or Windows Vista must conform to FDCC. Authored by 
the National Institute of Standards and Technology and National Security 
Agency with the help of Microsoft, FDCC is a set of operating system 
configurations designed to improve security. The configuration would, 
for example, turn off unused services and run users applications in 
user, rather than administrator, mode.

By Feb. 1, agencies were to give OMB a summary of the total number of 
desktop PCs they have running Microsoft Windows XP and Windows Vista, 
along with the total of those that are FDCC-compliant.

By March 31, agencies must submit a technical report to NIST and OMB 
about the status of their implementations.

The move to a standard configuration will change the way some employees 
work. At the workshop NIST hosted last month, Blair Heiserman, who works 
in the agencys Office of the Chief Information Officer, noted that some 
NIST employees, being technically inclined, write their own device 
drivers. Unsigned drivers are not permitted under FDCC, though Vista 
allows administrators to sign drivers.

Jim Donohue, from the Agriculture Departments Office of the CIO, said 
many of the agencys laptop PCs are used by field personnel, which could 
also pose a challenge to quick compliance.

Because of the peripatetic nature of the field employees jobs, their 
laptops are infrequently checked into the network. Some may go as long 
as a year between visits.

And because field employees need to install their own software, they are 
given administrative rights, which is prohibited under FDCC.

Another challenge is how to address the manual checks of PCs that agency 
information technology employees need to perform to comply with FDCC. 
Such manual checks can complicate agency efforts to hit OMB deadlines 
for reporting FDCC compliance, said Amrit Williams, chief technology 
officer at enterprise systems and security management company BigFix.

It puts a lot of burden on the folks who have to generate the reports 
and do the assessments, he said. Most people are struggling just to do 
the automated stuff. Not only must they scan their environments to 
generate a report, but they have to modify the [resulting] reports to 
accommodate information coming from these manual checks.


Checking up

Although some companies already offer automated scanning tools, these 
tools probably will not be able to execute all the checks required under 
FDCC.

Mitre lead information security engineer Andrew Buttner, who spoke at 
the NIST workshop, said an FDCC Security Content Automation Protocol 
(SCAP) testing team found that 98 percent of the checks needed for FDCC 
could be done automatically. However, Windows Vista, Windows XP and 
Internet Explorer all had some settings that could only be updated and 
checked by hand.

Buttner said Windows XP has a total of 279 FDCC checks and Windows Vista 
has 328 FDCC checks. In addition, Internet Explorer 7, which runs on 
both operating systems, has an additional 122 FDCC checks.

Of these sets, Windows XP has seven items that need to be checked by 
hand, Windows Vista eight, and Internet Explorer one.

The SCAP team is working with Microsoft to find ways to check these 
settings automatically.

They are the subject matter experts and hopefully know how to perform 
that test, Buttner said. As of today, were still waiting to get those 
answers back.

The checks that remain unautomated include those that offer the ability 
to check IPv6 settings in the firewall and check some Kerberos settings 
with Windows XP and Windows Vista. One in Internet Explorer permits the 
browser to install programs automatically.

Until some sort of path to automation is provided, Williams said, the 
manual checks will add a level of complexity to all aspects of the FDCC 
process, from reporting and assessment to remediation.

How much this affects agencies trying to comply with FDCC is an open 
question.

Agencies have two choices, they can do the checks manually or use no 
validated SCAP-capable tools and accept some risk, said Peter Mell, who 
leads NISTs SCAP project. There are hundreds of settings, but it can be 
done. We have a staff member who does it regularly.

Meanwhile, a new Web page hosted by NIST lists products that have been 
validated to scan the security configurations of Windows operating 
systems on federal PCs.

The scanners use SCAP to check for compliance with the FDCC standards. 
So far, three products have been validated under NISTs National 
Voluntary Laboratory Accreditation Program. (For more on SCAP, see 
GCN.com, Quickfind 966.)


Success stories

There are a fair number of FDCC success stories. Interior has laid the 
groundwork to prepare for FDCC, said Bill Corrington, chief technology 
officer at Interior.

Implementing FDCC is a particular challenge because of the agencys 
federated nature; Interior consists of 13 relatively independent bureaus 
and offices.

Each one has its own CIO, its own CTO and its own IT security manager, 
he said. The keys to success were planning and communications.

Early last year, the agency convened a joint team from these ranks of 
CTOs, CIOs and chief information security officers to develop a plan of 
execution. The plan was then presented to executive management and 
submitted to OMB.

The agency then assembled a smaller team of technical experts in Windows 
and Active Directory to establish a baseline configuration.

We really wanted to have people who knew what they were doing to study 
the issue, Corrington said.

The team tested the settings and came up with a set of draft 
configurations, which were reviewed by all Interior agencies. We had a 
couple of bureaus say they were fine out of the box, and we had a couple 
that had 15 or so settings that they had issues with. But it was a 
relatively small number, Corrington said.

In some cases, FDCC was even less stringent than the bureaus policies, 
so those bureaus could keep the existing settings in place.

Interior will distribute the FDCC configuration through a set of files 
that administrators can then install on desktop computers.

For tracking compliance among bureaus, the agency has extended its 
process for tracking Federal Information Security Management Act 
compliance to also handle FDCC. We wanted to use the existing process 
and not use something new, Corrington said.

The Army has more than 800,000 desktop computers that need to be 
FDCC-compliant.

Although that is a big job, the service was ahead of the game because of 
an existing standardized Windows XP configuration it already put in 
place, called the Golden Master program.

Since August 2006, if you have a computer in the Army, you are required 
to have the Army Golden Master on your computer, said Amy Harding, who 
works in the Army CIO office.

Because the Golden Master image was based on Microsoft, NIST and Defense 
Information Systems Agency security guidelines, updating them to FDCC 
involved relatively few modifications.

The CIOs office released the first FDCC-compliant Golden Master image in 
August and plans to update its image as changes in FDCC occur.

For those Army offices that do not want to re-image their computers each 
time an update occurs, the program also offers Group Policy Objects 
settings that could be passed down to the desktop computers through the 
Armys Active Directory structure. The Army is also modifying its 
contracts with suppliers to require new desktop computers to have the 
Golden Master FDCC versions of the operating systems installed.

However, not all agencies FDCC deployments are as smooth as the 
deployments at the Army and Interior.

After the formal presentations, one audience member said agency 
officials had a choice: Implement FDCC and take down their entire 
network serving 180,000 users or tell the agency secretary that the 
agency will get a red score from OMB on this yearlong mandate.

FDCC crashes our system, said the audience member, who did not identify 
the agency. OMBs initial assumption is wrong that you can apply the FDCC 
without breaking your system.

Wendy Liberante, OMBs policy analyst heading the FDCC initiative, gave 
an impromptu talk at the workshop, to clarify what OMB wanted for the 
Feb. 1 deadline. If you are not compliant, we want to know how far off 
you are, Liberante said. We want agencies to understand their universe 
and have a plan to get to FDCC compliance.

She also emphasized that when agencies submit their detailed technical 
reports to NIST and OMB, which are due March 31, they are not to 
consider deviations they disclose to be waivers.

Rather, the deviations are issues that NIST and OMB will work through to 
see if they are true problems or something that can be fixed.

William Jackson contributed to this story.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Wed Feb 20 2008 - 23:08:15 PST