The Federal Desktop Core Configuration is a list of security settings recommended by the National Institute of Standards and Technology for general-purpose microcomputers that are connected directly to the network of a United States government agency.
FDCC Major Version 1.1 (as with all previous versions) applies only to Windows XP and Vista desktop and laptop computers.
History
On 20 March 2007 the Office of Management and Budget issued a memorandum instructing United States government agencies to develop plans for using the Microsoft Windows XP and Vista security configurations.[1][2] The United States Air Force common security configurations for Windows XP were proposed as an early model on which the standards could be developed.[2]
The FDCC baseline was developed (and is maintained) by the National Institute of Standards and Technology in collaboration with OMB, DHS, DISA, NSA, USAF, and Microsoft,[2] with input from public comment.[3] It applies only to Windows XP Professional SP2 and Vista systems; these security policies are not tested on (and, according to NIST, will not work on) Windows 9x/ME/NT/2000 or Windows Server 2003.[3]
Requirements
Organizations required to document FDCC compliance can do so by using SCAP tools.
Released on 20 June 2008, FDCC Major Version 1.0 specifies 674 settings.[3] For example, "all wireless interfaces should be disabled".[4] In recognition that not all recommended settings will be practical for every system, exceptions (such as "authorized enterprise wireless networks") can be made if they are documented in an FDCC deviation report.[4][2]
Major Version 1.1 (released 31 October 2008) has no new or changed settings, but expands the SCAP reporting options.[3] As with all previous versions, the standard applies to general-purpose workstations and laptops for end users. Windows XP and Vista systems in use as servers are exempt from this standard. Also exempt are embedded computers and "special purpose" systems (defined as specialized scientific, medical, process control, and experimental systems), though the NIST FAQ still recommends that the FDCC security configuration be considered "where feasible and appropriate".[5]
References
- [1] "FDCC Additional NIST Frequently Asked Questions – How do I report compliance and deviations?". National Vulnerability Database. National Institute of Standards and Technology.
- [2] Evans, Karen S. (2007-03-20). "Managing Security Risk By Using Common Security Configurations" (DOC). Office of Management and Budget memorandum. Retrieved 2009-03-02.
- [3] "FDCC download page". National Vulnerability Database. National Institute of Standards and Technology.
- [4] "FDCC Additional NIST Frequently Asked Questions – Are there any conditions under which wireless is allowed?". National Vulnerability Database. National Institute of Standards and Technology.
- [5] "FDCC Additional NIST Frequently Asked Questions – Is FDCC applicable to special purpose (e.g., scientific, medical, process control, and experimental systems) computers?". National Vulnerability Database. National Institute of Standards and Technology.