, SecurityFocus 2008-02-04
Federal agencies failed to meet a Friday deadline to complete a move to standardized desktop configurations designed to reduce management costs and improve the overall computer security of federal systems.
The initiative, known as the Federal Desktop Core Configuration (FDCC), mandates that all U.S. federal agencies lock down their general-use desktop computers using a set of more secure settings. Created by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS) and the Department of Defense (DOD), the five standard configurations apply to Microsoft's Windows XP, Windows Vista, the firewall software included with the two operating systems, and Internet Explorer 7.
While the U.S. Office of Management and Budget set February 1 as the deadline for complying with the FDCC, few of the agencies represented at a recent meeting of 1,700 federal information-technology workers expected to make to deadline.
"One agency (representative) stood up and said we are there today -- the other agencies shared their challenges in complying," said Stephen Quinn, a computer scientist with the National Institute of Standards and Technology (NIST).
The Federal Desktop Core Configuration initiative builds upon a project begun by the U.S. Air Force in 2004, when the military service branch required that all Windows computers conform to one of three different configurations. While improving desktop security was the primary motivation for the program, the Air Force ended up cutting 30 percent from its information-technology management budget after completing the initiative.
In March 2007, the Office of Management and Budget mandated that a similar program be adopted government wide and set February 1 as the deadline for compliance.
"It is critical for all Federal agencies to put in place the proper governance structure with appropriate policies to ensure a very small number of secure configurations are allowed to be used," Clay Johnson, deputy director for management at the OMB, wrote in a March 27 memorandum (pdf), adding that among the benefits "information is more secure, overall network performance is improved, and overall operating costs are lower."
The Federal Desktop Core Configuration consists of more than 700 settings designed to minimized the number of potential entry points -- also known as the "attack surface area" -- of the operating system. A specific Windows XP or Windows Vista computer will generally have to abide by three of the configurations: one locking down the operating system, another hardening the firewall and a third to secure Internet Explorer 7. The FDCC limits software, such as instant messaging software and file-sharing software, as well as requires that wireless hardware be turned off by default.
However, at the FDCC Implementers Workshop held in late January, the vast majority of agencies had not reached 100 percent compliance, according to attendees interviewed by SecurityFocus. Most agencies have complied with 95 percent to 98 percent of the required settings in the configuration, Shelly Bird, architect in Microsoft's Consulting Services for the U.S. Public Sector, said in an e-mail interview.
"Customers that have decentralized purchasing, little to no central control of their systems, and have their typical users used to running with Local Administrator instead of the recommended User rights, are the ones who have the most work to do," Bird told SecurityFocus.
At least one agency claimed that the settings would break its network, according to an article in Federal Computer Week.