By Joab Jackson
Ensuring that each agency desktop computer is compliant with the Office
of Management and Budget's Federal Desktop Core Configuration requires
16 checks that need to be done by hand. Such manual checks can
complicate agency efforts to hit today's OMB deadline for reporting FDCC
compliance, said Amrit Williams, chief technology officer at enterprise
systems and security management company BigFix.
"It puts a lot of burden on the folks who have to generate the reports
and do the assessments, he said. Most people are struggling just to do
the automated stuff. Not only must they scan their environments to
generate a report, but they have to modify the [resulting] reports to
accommodate information coming from these manual checks."
Today is the day agencies must submit a report to OMB about how many
computers they have that are compliant with FDCC settings. NIST is also
expected today to release a list of those tools that can perform the
FDCC checks automatically. While some companies already offer automated
scanning tools, these tools probably will not be able to execute all the
checks required under FDCC.
According to Mitre lead information security engineer Andrew Buttner,
who spoke at the National Institute of Standards and Technology's 2008
Federal Desktop Core Configuration Implementers Workshop last week, a
FDCC Security Content Automation Protocol testing team found that 98
percent of the checks needed for FDCC could be done automatically.
However, Windows Vista, Windows XP and Internet Explorer all had
settings that could only be updated and checked by hand.
Buttner said Windows XP has a total of 279 FDCC checks and Windows Vista
has 328 FDCC checks. In addition, Internet Explorer 7, which runs on
both operating systems, has an additional 122 FDCC checks.
Of these sets, Windows XP has seven items that need to be checked by
hand, Windows Vista has eight checks and Internet Explorer has one.
"We mark those 16 as unknown tests in the content, which basically says
it is unknown how to automate the checking of that setting," Buttner
said. The unknown status means either that the check cannot be automated
or that the checking process doesn't work, the documentation states.
The SCAP team is currently working with Microsoft to find ways that
these settings could be checked in an automated fashion. "They are the
subject matter experts and hopefully know how to perform that test,"
Buttner said. "As of today, we're still waiting to get those answers
Among the checks that remain unautomated include those that offer the
ability to check IPv6 settings in the firewall, and to check some
Kerberos settings with Windows XP and Windows Vista, and one in Internet
Explorer that permits the browser to automatically install programs.
Until some sort of path to automation is provided, Williams said, the
manual checks will "add a level of complexity" to all aspects of the
FDCC process, from reporting and assessment to remediation.
In some cases the administrators must visit each desktop computer, such
as the IPv6 settings, and check the setting from there. With other
checks, such as those around Kerberos, they can be checked at the server
Plus the manual checks introduce yet another level of complexity, if the
agency is using an external party to manage their computers. "If they
are using an automated tool, it is agreed upon that they do not have to
interact with the server operation team they can just run the tool and
generate the report, Williams said. But if they do not own the box, now
they have to go to the third party and ask them to do the manual
How much this affects agencies trying to get in compliance with FDCC is
an open question.
Agencies have two choices, they can do the checks manually or use
nonvalidated SCAP-capable tools and accept some risk, said Peter Mell,
who leads NISTs SCAP project. There are hundreds of settings, but it can
be done. We have a staff member who does it regularly.
Williams' company BigFix offers software (BigFix Enterprise Server) that
does asset discovery and compliance testing and enforcement, and
includes a template for checking network machines for FDCC compliance.
Like other offerings, the software has to work around the manual checks.
"We're struggling with the same issues that everyone else is, Williams
said. So we just have a note in our report that says it does not include
the following checks."
Jason Miller contributed to this report.
Subscribe to InfoSec News