Federal Desktop Core Configuration
Encyclopedia
The Federal Desktop Core Configuration is a list of security
settings recommended by the National Institute of Standards and Technology
for general-purpose microcomputers that are connected directly to the network of a United States government agency.
FDCC Major Version 1.1 (as with all previous versions) applies only to Windows XP
and Vista
desktop and laptop computers.
common security configurations for Windows XP were proposed as an early model on which standards could be developed.
The FDCC baseline was developed (and is maintained) by the National Institute of Standards and Technology
in collaboration with OMB, DHS
, DOI
, DISA
, NSA
, USAF
, and Microsoft
, with input from public comment
. It applies to Windows XP Professional and Vista systems only—these security policies are not tested (and according to the NIST, will not work) on Windows 9x/ME/NT/2000 or Windows Server 2003.
can do so by using SCAP
tools.
Released in 20 June 2008, FDCC Major Version 1.0 specifies 674 settings. For example, "all wireless interfaces should be disabled". In recognition that not all recommended settings will be practical for every system, exceptions (such as "authorized enterprise wireless networks") can be made if documented in an FDCC deviation report.
Major Version 1.1 (released 31 October 2008) has no new or changed settings, but expands SCAP reporting options. As with all previous versions, the standard is applicable to general-purpose workstations and laptops for end users. Windows XP and Vista systems in use as servers are exempt from this standard. Also exempt are embedded computer
s and "special purpose" systems (defined as specialized scientific
, medical
, process control
, and experimental systems), though still recommends that FDCC security configuration be considered "where feasible and appropriate".
For Windows 7, the FDCC was replaced by the United States Government Configuration Baseline (USGCB).
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
settings recommended by the National Institute of Standards and Technology
National Institute of Standards and Technology
The National Institute of Standards and Technology , known between 1901 and 1988 as the National Bureau of Standards , is a measurement standards laboratory, otherwise known as a National Metrological Institute , which is a non-regulatory agency of the United States Department of Commerce...
for general-purpose microcomputers that are connected directly to the network of a United States government agency.
FDCC Major Version 1.1 (as with all previous versions) applies only to Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
and Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
desktop and laptop computers.
History
In 20 March 2007 the Office of Management and Budget issued a memorandum instructing United States government agencies to develop plans for using the Microsoft Windows XP and Vista security configurations. The United States Air ForceUnited States Air Force
The United States Air Force is the aerial warfare service branch of the United States Armed Forces and one of the American uniformed services. Initially part of the United States Army, the USAF was formed as a separate branch of the military on September 18, 1947 under the National Security Act of...
common security configurations for Windows XP were proposed as an early model on which standards could be developed.
The FDCC baseline was developed (and is maintained) by the National Institute of Standards and Technology
National Institute of Standards and Technology
The National Institute of Standards and Technology , known between 1901 and 1988 as the National Bureau of Standards , is a measurement standards laboratory, otherwise known as a National Metrological Institute , which is a non-regulatory agency of the United States Department of Commerce...
in collaboration with OMB, DHS
United States Department of Homeland Security
The United States Department of Homeland Security is a cabinet department of the United States federal government, created in response to the September 11 attacks, and with the primary responsibilities of protecting the territory of the United States and protectorates from and responding to...
, DOI
United States Department of the Interior
The United States Department of the Interior is the United States federal executive department of the U.S. government responsible for the management and conservation of most federal land and natural resources, and the administration of programs relating to Native Americans, Alaska Natives, Native...
, DISA
Defense Information Systems Agency
The Defense Information Systems Agency is a United States Department of Defense agency that provides information technology and communications support to the President, Vice President, Secretary of Defense, the military Services, and the Combatant Commands.As part of the Base Realignment and...
, NSA
National Security Agency
The National Security Agency/Central Security Service is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S...
, USAF
United States Air Force
The United States Air Force is the aerial warfare service branch of the United States Armed Forces and one of the American uniformed services. Initially part of the United States Army, the USAF was formed as a separate branch of the military on September 18, 1947 under the National Security Act of...
, and Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
, with input from public comment
Notice of proposed rulemaking
A notice of proposed rulemaking is a public notice issued by law when one of the independent agencies of the United States government wishes to add, remove, or change a rule or regulation as part of the rulemaking process. It is an important part of United States administrative law which...
. It applies to Windows XP Professional and Vista systems only—these security policies are not tested (and according to the NIST, will not work) on Windows 9x/ME/NT/2000 or Windows Server 2003.
Requirements
Organizations required to document FDCC complianceRegulatory compliance
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and...
can do so by using SCAP
Security Content Automation Protocol
The Security Content Automation Protocol is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation . The National Vulnerability Database is the U.S...
tools.
Released in 20 June 2008, FDCC Major Version 1.0 specifies 674 settings. For example, "all wireless interfaces should be disabled". In recognition that not all recommended settings will be practical for every system, exceptions (such as "authorized enterprise wireless networks") can be made if documented in an FDCC deviation report.
Major Version 1.1 (released 31 October 2008) has no new or changed settings, but expands SCAP reporting options. As with all previous versions, the standard is applicable to general-purpose workstations and laptops for end users. Windows XP and Vista systems in use as servers are exempt from this standard. Also exempt are embedded computer
Embedded system
An embedded system is a computer system designed for specific control functions within a larger system. often with real-time computing constraints. It is embedded as part of a complete device often including hardware and mechanical parts. By contrast, a general-purpose computer, such as a personal...
s and "special purpose" systems (defined as specialized scientific
Computational science
Computational science is the field of study concerned with constructing mathematical models and quantitative analysis techniques and using computers to analyze and solve scientific problems...
, medical
Health informatics
.Health informatics is a discipline at the intersection of information science, computer science, and health care...
, process control
Programmable logic controller
A programmable logic controller or programmable controller is a digital computer used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures. PLCs are used in many industries and machines...
, and experimental systems), though still recommends that FDCC security configuration be considered "where feasible and appropriate".
For Windows 7, the FDCC was replaced by the United States Government Configuration Baseline (USGCB).