Presentation is loading. Please wait.

Presentation is loading. Please wait.

FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009.

Published byNeal Halls Modified over 9 years ago

Similar presentations

Presentation on theme: "FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009."— Presentation transcript:

1 FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009

2 Overview What is FDCC and where did it come from? Review process for the FDCC policy settings Specific implementation steps Dealing with some of the “Gotchas” Ongoing work Other information resources

3 INL’s IT By The Numbers 12,000 IT Devices owned by INL 9,000 Devices on the Network 5,500 Desktop & Laptop Computers OS’s (~85% Windows, 9% Mac’s, 6% Linux) Dell Shop (95% Windows Based Computers are Dells) Office Desktops – Dell Optiplex Laptops – Dell Latitudes Engineering Workstations – Dell Precisions

4 What Is FDCC And Where Did It Come From? FDCC: Federal Desktop Core Configuration Office of Management and Budget (OMB) March, 2007 Windows XP FDCC was based on Air Force customizations to the settings of NIST 800-68 checklist – Used the “Specialized Security Limited Functionality” settings (SSLF) Windows Vista and IE 7 FDCC was based on DoD customizations of the Microsoft Security Guides Recommendations have been developed for Windows Vista, Windows XP and Internet Explorer

5 NIST Provided Resources For FDCC Ready made Group Policy Objects Microsoft Virtual PC “VHDs” for testing Security Templates for Microsoft Security Configuration and Analysis Tool Security Content Automation Protocol (SCAP) definition and content NIST Windows Security Baseline Database Set_FDCC_LGPO.exe (Microsoft – http://blogs.technet.com/fdcc)

6 INL Review Process Compared currently implemented Minimum Security Configurations to FDCC Categorized FDCC “Gap” settings by impact and risk Evaluated required enterprise changes for “medium” and “high” impact settings – Example: “Digitally sign communications (always)” Focused on “high” risk and “low” impact settings Spreadsheet developed to help evaluate these factors

7 Sample Evaluation Spreadsheet

8 Implementation Specifics Settings were deployed using domain Group Policies Initial FDCC Group Policy was equivalent to existing security settings Incorporated settings with “low” impact first Testing and phased rollouts of “medium” impact settings Continually working on making necessary changes to accommodate “high” impact and “high” risk settings Implemented by small team over a 3 month period

9 Dealing With Some Of The “Gotchas” Least User Privileges / Access (LUA) – INL had implemented LUA principles previous to FDCC – BeyondTrust Privilege Manager Upgraded to latest version Renewed focus on generating new rules Exceptions and Deviations – Example: Need for Local Printer Shares – Group Policy application by groups in addition to OU Internally developed program to control Group Policy application

10 Active Directory Interface

11 History Log

12 Ongoing Work Continue to evaluate / test / implement “Gap” settings Incorporation of SCAP scanning tools into existing vulnerability scans Refine and enhance process for exceptions and variances Revisit previous exceptions and develop appropriate single variance policies Reduce / Eliminate the number of “exempted” systems Extend the FDCC strategy to Non-Windows systems and Servers

13 Questions Contact Info Justin Hansen (208) 526-6584 Justin.Hansen@inl.gov

14

Download ppt "FDCC Implementation Efforts at Idaho National Laboratory Justin Hansen NLIT 2009."

Similar presentations

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.
Content Overview Update Process Additional Tools.

Content Overview Update Process Additional Tools.
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
A Technical Overview of Microsoft Forefront Client Security (FCS) Howard Chow Microsoft MVP.

A Technical Overview of Microsoft Forefront Client Security (FCS) Howard Chow Microsoft MVP.
IT PLANNING Enterprise Architecture (EA) & Updates to the Plan.

IT PLANNING Enterprise Architecture (EA) & Updates to the Plan.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Understanding Networks I. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks I. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
How PNNL Manages Windows Desktops 1 Will Jorgensen.

How PNNL Manages Windows Desktops 1 Will Jorgensen.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 8: Implementing and Managing Printers.
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
OIT's Unity Labs Active Directory Windows Environment.

OIT's Unity Labs Active Directory Windows Environment.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.

11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.

Similar presentations

Ads by Google