Security Advisor

Alphabet Soup

The government is stepping in to help you protect your systems. Just be prepared for a lot of acronyms.

• By Joern Wettern
• 03/01/2008

Meet NIST, NCP, FDCC and SCAP
Whenever you're dealing with government agencies, you can expect an alphabet soup. The same holds true in the quest for security guidance. The best starting point is the National Institute for Standards and Technology (NIST).

In cooperation with other federal agencies, the NIST has developed the National Checklist Program (NCP). On its Web site (http://checklists.nist.gov), it has 149 IT security checklists that cover 144 products, from Windows and Linux to network switches and multifunction printers.

All of these checklists are loaded with practical security guidance and lists of settings required to configure a product or type of application in order to meet various security requirements. The checklists often include associated tools you can download and use to easily implement the checklist settings. Best of all, the checklists are intended for a wide range of audiences, whether you're securing systems for a standalone environment, small office or home office environment, or a large managed network.

The checklist program also acts as a central repository of best practices developed not only by NIST itself, but also by other government agencies and product vendors. Actually, anyone can submit a security checklist, but it goes through an extensive public review process before it's added the repository.

The crown jewel of NIST's repository is the Federal Desktop Core Configuration (FDCC) baseline. As of Feb. 1, the Office of Management and Budget (OMB) requires all federal agencies to implement security settings in these baselines on all general-purpose computers running Windows XP or Windows Vista. There are similar baselines for other operating systems in the works.

When you see the NIST Checklist logo, it's your guarantee that a security checklist has been thoroughly reviewed.

If It's Good for the Feds ...
Your needs for securing your computers are probably not all that different from the government's, so you should be able to adopt many of the configuration settings. Keep in mind that some items might not meet your requirements, so make sure you review the reasons why they were selected and the impact they would have on your own network. For example, the FDCC baseline mandates turning off wireless networking by default, which may not be an option for you.

Security baselines have been available for a long time. Even in the days of Windows NT, you could get your hands on similar documents from various sources like Microsoft and the National Security Agency (NSA). However, the FDCC baseline represents a new generation of these tools.

As you might expect, they include a lot of documentation and Group Policy Objects (GPOs) to help you implement the baseline settings. You can also download VHD-based images of virtual machines configured according to the standards. You can run these images with Microsoft's Virtual Server or Virtual PC.

Another new aspect is that the FDCC checklists are compatible with the new Security Content Automation Protocol (SCAP, pronounced s-cap). SCAP is a standard for storing configuration settings in XML templates that a number of commercial security assessment tools can use. There are only a small number of products officially SCAP-validated right now. Most vendors who produce vulnerability scanning products are adopting SCAP, though, so you can expect the list of validated products to grow fairly quickly.

Where to Start
Due to the sheer number of programs and resources available from the NIST site, it's easy to get overwhelmed. Here's a short roadmap, using the FDCC Windows Vista configuration as an example. After taking a look at the long inventory of checklists here, navigate to the much shorter list of FDCC checklists.

The Windows Vista bundle contains what you need to secure the core OS settings. You may want to come back later for Vista firewall and IE7 baseline configurations, though.

The FDCC Prose Guide contains descriptions of all settings that are part of the baseline. This acts as your main reference. For example, you can learn what exactly the GPO setting "Enable Safe DLL search mode" does.

Next, download the configuration content. The FDCC documentation is an Excel spreadsheet with specific values for each of the baseline settings. For example, you'll find that the baseline enables Safe DLL search mode.

This would also be a good time to download the GPO package, which contains all the Group Policy files you'll need to implement the baseline on your own computers. Before using the GPOs, take some time to review the documentation. Some of the FDCC baseline settings may not be appropriate for your needs. They may even break some of your applications.

A great way to test how the baseline might work for you is to download the associated virtual machines and use them for testing. Review the download and activation instructions. Once you've identified any setting changes you need to make, you can use the Windows Group Policy Management Console to import the GPOs you downloaded and edit them accordingly.

To test whether a system meets the FDCC requirements, scan it with an SCAP scanner. The quickest way to do this is to download and try Secutor Prime from ThreatGuard, one of the SCAP-validated scanners. The free edition, available for non-commercial here, will perform a complete system scan. It won't configure any settings for you, however.

Running a SCAP scan can be an illuminating experience in and of itself. For example, when I ran Secutor Prime on my own primary workstation, it found more than 100 items off the FDCC baseline. Most of my settings are appropriate for my environment, which doesn't need to comply with any government standards, but doing the scan helped me assess where I stand.

Taking It to the Next Step
As mentioned before, NIST makes many more security checklists available beyond the ones covering FDCC requirements. For example, the "Desktop Application Security Technical Implementation Guide," developed by McAfee, Microsoft, Netscape and Symantec, covers how to securely configure a number of off-the-shelf products, such as McAfee VirusScan, Microsoft Office 2000 and 2003,

Firefox and Symantec AntiVirus. This checklist is a rather lengthy document and doesn't include SCAP tools (those are available for Office 2007). It does have many useful hints for securing desktops, though.

The DNS checklist contains configuration recommendations for several DNS server implementations, including Microsoft's and BIND. It also outlines a number of administrative procedures to improve security.

Even with the multitude of content that NIST has made available, the current state of the repository is only the beginning. The amount of available content is expected to continue to grow steadily. At the same time, most security scanners are moving to the SCAP standard.

As there are additional SCAP-compliant templates developed, you'll be able to easily perform ongoing security scans to compare your own network's security with a wide range of baselines. Using the checklists and performing regular scans will make it much easier to establish the baseline appropriate for your own network and to apply it consistently across your own computers.