The Official, Unofficial, Federal Desktop Core Configuration [FDCC] Blog

Shavlik Security Suite Receives SCAP Validation from NIST

2008-07-09T08:44:00.000-07:00

Shavlik Technologies' Validated Security and Compliance Solutions Deliver Standardization Benefits for Government and Commercial IT Organizations

ST. PAUL, Minn.--(BUSINESS WIRE)--Shavlik Technologies, the market leader in delivering software solutions that rapidly accelerate and continuously improve security and compliance readiness, today announced that the Shavlik Security Suite has earned Security Content Automation Protocol (SCAP) validation, a U.S. government-mandated initiative for standards-based security automation. more

Federal Desktop Core Configuration Seminar

2008-06-03T17:58:00.000-07:00

Microsoft, Hewlett-Packard, Intel and Persystent to Present at Federal Desktop Core Configuration and PC Industry Leader Seminars

Event #1: Federal Desktop Core Configuration Seminar
Location: Grand Hyatt, 1000 H Street NW, Washington, D.C.
Day/Time: June 5, 2008, 7:30 a.m. - 10:30 a.m. ET
Presenter: Will Corkery, Director of Sales of Persystent Technologies

Event #2: PC Industry Leadership Seminar
Location: Westin Galleria, 5060 West Alabama, 24th Floor, Houston, Tex.
Day/Time: June 6, 2008, 7:30 a.m. - 10:30 a.m. ET
Presenter: Will Corkery, Director of Sales of Persystent Technologies

For more details about the seminars, please visit: http://www.persystent.com/events.html

CignaCert Verify FDCC Compliance (YouTube)

2008-05-14T15:48:00.000-07:00

CignaCert Verify FDCC Compliance (PDF Datasheet)

SignaCert Verify™ measures your desktops and compares them with the appropriate FDCC reference specification and reports on compliance status. If your desktops don't match, SignaCert Verify will deliver a detailed list of specific deviations providing you a clear path to achieving compliance. Simply download and run the client to view results.

This client scans the machine and creates an xml file with cryptographic hashes for the files it finds. Scanning is limited by policy to ONLY the C:\WINDOWS directories. NO USER DIRECTORIES ARE SCANNED. File types are also specified by policy. Only .bat, .cmd, .dll, .drv, .exe, .ocx, .scr, and .sys file types are scanned. NO USER FILES ARE SCANNED NOR IS ANY USER SPECIFIC INFORMATION CAPTURED. The xml file is sent to SignaCert Verify to compute the results. This transaction DOES NOT RECORD THE IP ADDRESS NOR ANY OTHER PERSIONALLY IDENTIFABLE INFORMATION.

Download

Nessus: Enterprise SCAP/FDCC Audits

2008-04-17T11:21:00.000-07:00

Nessus: Enterprise SCAP/FDCC Audits

Lumension Security Launches SCAP-Ready Security Configuration Management Solution, Allowing Enterprises to Proactively Manage Secure Settings and Comp

2008-04-09T08:04:00.001-07:00

SAN FRANCISCO, CA - RSA Conference 2008 - Lumension Security(TM) Inc., a recognized, global leader in security management formed by the combination of PatchLink® Corporation and SecureWave® S.A., today announced the availability of PatchLink Security Configuration Management (SCM). PatchLink SCM enables organizations to proactively assess secure configuration states of IT assets and automate internal and external audits in accordance with industry-recognized best practices.

PatchLink SCM leverages the National Institute of Standards and Technology's (NIST) open source Security Configuration Automation Protocol (SCAP) policies. The new offering is an enterprise-ready solution designed to perform a top-down threat analysis that reduces business risk, improves overall network performance and lowers costs while simultaneously addressing and meeting audit requirements. PatchLink SCM provides a comprehensive list of NIST's SCAP policies with more than 700 secure settings that directly map to industry regulations such as FDCC (Federal Desktop Core Configuration) and PCI DSS (Payment Card Industry Data Security Standard). The SCAP ready solution delivers customizable configuration templates based on industry best practices to help organizations quickly evaluate their security posture and determine the necessary remediation steps in order to maintain compliance with the industry security standard.

"Configuration security has become such a critical issue for both government and private industry in recent years that regulatory mandates -- including PCI DSS and FDCC -- have incorporated very specific configuration requirements," said Mike Wittig, president and CTO of Lumension Security. "Even with these mandates and standards in place, many organizations need the right configuration tools and automation to properly assess and maintain systems with specific settings on an ongoing basis. We have worked very closely with industry leaders such as NIST and the National Security Agency to develop this SCAP-ready solution that provides a top-down baseline of the security environment for standardizing and automating risk management, compliance reporting and security measurement."

Configuration issues are typically the result of changes made by employees within the firewall -- either intentionally or accidentally -- that open attack vectors for hackers. Default configurations for operating systems and applications are oftentimes not secure, and even when systems are initially secured, their configurations "drift" over time, resulting in reduced security posture, increased attack surface, application conflicts, reduced productivity and higher IT operating costs due to security incidents and helpdesk overhead.

In addition, according to the SANS Institute's best practices for preventing its top 20 risks, organizations should enforce configurations from the first day by implementing the most secure configurations that business processes will allow. Lumension Security's PatchLink SCM mitigates threats associated with mis-configured endpoints by providing out-of-the-box regulatory, standards-based assessment and industry best practices templates.

PatchLink SCM seamlessly integrates with Lumension Security's proven, industry-leading solutions, PatchLink Update and PatchLink Scan, to deliver a comprehensive, enterprise-class solution. This includes agent-based and agentless risk assessment of software flaws and configuration vulnerabilities, accurate remediation, continuous validation and policy compliance reporting. Lumension Security is currently working with an accredited laboratory to officially make its PatchLink Update and PatchLink Scan SCAP validated as part of the SCAP Validation Program. For more information, please visit http://nvd.nist.gov/scapproducts.cfm.

"The benefits of standardizing and automating secure configuration settings include slowing the spreading of botnets, radically reducing delays in patching and stopping many attacks directly. In addition, organizations that have addressed configuration issues typically report a significant cost savings," said Alan Paller, founder and research director of the SANS Institute.

Pricing & Availability

Lumension Security's PatchLink SCM will be available worldwide May 1, 2008. For more information, please visit the SCM product website. For a free 30-day trial of PatchLink SCM and Vulnerability Management Solution, please complete the product evaluation request form.

Source Link

Interactive:Threatguard's Secutor prime Pro

2008-03-26T22:08:00.000-07:00

Threatguard's Secutor prime Pro Interactive
FDCC Policy Validation Review
Deviation Manager Analysis
Compliance Reporting

FDCC Compliance Strengthens Attachmates Federal Government Pedigree

2008-03-16T18:01:00.001-07:00

Attachmate Corporation has announced that it has validated multiple products as compliant with critical Federal Desktop Core Configuration (FDCC) standards.

Eric Varness
VP of Marketing
Attachmate

The FDCC, a mandate of the Office of Management and Budget (OMB), is a set of security configurations developed by the National Institute of Standards and Technology (NIST) which cover Microsoft Windows Vista and Windows XP operating system software. FDCC-compliant products are those products compatible with the heightened security settings required on Microsoft Windows Vista and Windows XP operating systems deployed by U.S. government agencies.

The Attachmate products that have achieved compliance include:
    EXTRA!® 9.0, Service Pack 1
    INFOConnect 8.1 Service Pack 2
    Reflection® X 2008
    Reflection X 14.0.3
    Reflection Suite for X 14.0.3
    Reflection for IBM® 2007
    Reflection for IBM 14.0.3
    Reflection for UNIX and OpenVMS 14.0.3
    Reflection for HP 14.0.3

Based on customizations of the Microsoft Security Guides for Windows Vista, Windows XP and Internet Explorer 7.0, FDCC provides details on specific settings necessary for securing a Windows XP or Windows Vista configuration. Testing has confirmed that the specified Attachmate products run in the standard user context without elevated system administration privileges; that the standard installation, operation, maintenance, updating and/or patching behaviors of the products do not alter the approved FDCC configuration; and that the products are fully functional when run in an FDCC environment.

Attachmate's products were validated against both the NIST FDCC Microsoft Windows XP Q4/2007 and Windows Vista Q4/2007 reference images.

"Attachmate has a long history of working in partnership with federal customers to secure data-in-motion and to meet Federal Information Security Management Act (FISMA) requirements," said Tom Gdowik, director of federal sales at Attachmate. "With enterprise relationships at the U.S. Air Force, the U.S. Navy, the Defense Information Systems Agency (DISA), the U.S. Department of Veterans Affairs (VA), the Internal Revenue Service (IRS), Military Health Systems, the U.S. Postal Service and other federal agencies, we are committed to providing solutions that secure federal customers' critical data."

In addition to FDCC-compliant offerings, Attachmate also provides solutions that comply with Federal Information Processing Standard (FIPS) 140-2, JITC PKI certification, Section 508 and other federal certifications.

Attachmate® EXTRA! and Reflection are part of Attachmate's terminal emulation and secure host access product family, which provides secure connections to any host from any desktop, inside or outside the firewall. With Reflection's robust Web- and Windows-based products, customers can meet their host access needs while minimizing costs, maximizing IT flexibility and safeguarding critical business data. Attachmate Reflection works collaboratively or as a stand-alone tool, along with the company's host access, security and management products, to enable companies to extend the use of existing IT investments while adopting valuable new technologies to improve their business.

Reflection® Suite for X is Attachmate's premier multi-purpose PC X server and terminal emulation solution connecting Windows® users to applications on UNIX, OpenVMS, IBM, Unisys, and Linux systems. Advanced capabilities in the product allow organizations to minimize management costs, maximize IT flexibility and ensure high-level security for every connection.

For over 25 years, Attachmate has developed industry-leading products that are installed on over 16 million systems worldwide. Attachmate's entire range of solutions are backed by an award-winning team of highly trained and tenured service professionals who possess, on average, more than nine years of experience supporting Attachmate products. Organizations are switching to Attachmate and are realizing management, productivity and cost benefits in the process.

Attachmate, owned by an investment group led by Francisco Partners, Golden Gate Capital and Thoma Cressey Equity Partners, enables IT organizations to extend mission critical services and assure they are managed, secure and compliant. Attachmate's leading solutions include host connectivity, systems and security management, and PC lifecycle management. Our goal is to empower IT organizations to deliver trusted applications, manage service levels, and ensure compliance by leveraging knowledge, automation and secured connectivity.

For more information, visit www.attachmate.com.

Microsoft FDCC Webcast Series: Utility to apply FDCC settings to Local Group Policy

2007-12-19T08:34:00.000-08:00

Language(s): English.
Product(s): Other.
Audience(s): Developer,Government,IT Professionals,Technology Decision Maker.

Duration: 60 Minutes
Start Date:
Wednesday, December 19, 2007 12:00 AM Pacific Time (US & Canada)

Event Overview

Description: Demonstration and discussion of a new utility that applies FDCC GPO settings to the Local Group Policy of a target computer.

Target Audience: Technical

FDCC Resources

2007-11-10T08:40:00.000-08:00

Resources

Microsoft Resources

Security Guidance:

Government Resources

OMB memo 7-11, issued on March 22, 2007: "Implementaiton of Commonly Accepted Security Configurations for Windows Operating Systems."
OMB memo 7-18, issued on June 1, 2007 "Ensuring New Acquisitions Include Common Security Configurations."
NIST's FISMA homepage: "FISMA Implementation Project."
NIST FAQ on security guidance for Windows Vista: "Guidance for Securing Windows Vista."
Security Content Automation Protocol (SCAP), driven by NIST, OSD, DHS, NSA, and DISA: "The Information Security Automation Program and The Security Content Automation Protocol."
NIST's Security Configuration Checklist program: "Security Configuration Checklist Program for IT Products."
NIST's security guide for Windows XP: "Guidance for Security Microsoft Windows XP Systems for IT Professionals."

FDCC in the media

Federal Computer Week

OMB finalizes acquisition language for standard desktop configuration, June 5, 2007
OMB to help agencies with standardized desktop configuration, May 24, 2007
OMB: Vista is an opportunity to set desktop standards, March 26, 2007

Government Computing News

A Path to a Standard Desktop, June 4, 2007

Government Executive

OMB sets security standards for Windows computers, March 20, 2007

Information Week

White House Sets Single Security Configuration For Windows Computers, June 29, 2007

Source: Microsoft Technet FDCC Blog by Kurt Dillard

Microsoft FDCC Webcast Series: Scanning Your Standard Image and Systems for FDCC SCAP Compliance

2007-10-31T17:12:00.000-07:00

Language(s):	English.
Product(s):	Other.
Audience(s):	Business Decision Maker,Developer,Government,IT Professionals,Technology Decision Maker.

Duration:	60 Minutes
Start Date:	Wednesday, October 31, 2007 12:00 AM Pacific Time (US & Canada)


Event Overview
Description: Attend this webcast to understand the basics on how to download a free scanning tool and scan your image. We will also provide demonstrations by SCAP compliant security scanning software manufacturers on Enterprise scanning solutions Target Audience: Standard desktop configuration or image builders and engineers, IT Operations, Security, Help Desk and Monitoring System engineers

Microsoft FDCC Webcast Series: Importing FDCC GPOs Into Your Domain

2007-10-28T16:56:00.000-07:00

Language(s):	English.
Product(s):	Other.
Audience(s):	Business Decision Maker,Developer,Government,IT Professionals,Technology Decision Maker.

Duration:	60 Minutes
Start Date:	Sunday, October 28, 2007 12:00 AM Pacific Time (US & Canada)


Event Overview
Description: How to Download, import, and implement FDCC GPOs in Domains; tips and tricks, methods, and management. Methods for loading FDCC settings into local Group Policy. Target Audience: Standard desktop configuration builders, IT Operations (especially those managing Group Policy in Agency's environment), Security personnel

The Official, Unofficial, Federal Desktop Core Configuration [FDCC] Blog

Shavlik Security Suite Receives SCAP Validation from NIST

Federal Desktop Core Configuration Seminar

CignaCert Verify FDCC Compliance (YouTube)

Nessus: Enterprise SCAP/FDCC Audits

Lumension Security Launches SCAP-Ready Security Configuration Management Solution, Allowing Enterprises to Proactively Manage Secure Settings and Comp

Interactive:Threatguard's Secutor prime Pro

FDCC Compliance Strengthens Attachmates Federal Government Pedigree

Microsoft FDCC Webcast Series: Utility to apply FDCC settings to Local Group Policy

FDCC Resources

Resources

Microsoft FDCC Webcast Series: Scanning Your Standard Image and Systems for FDCC SCAP Compliance

Event Overview

Microsoft FDCC Webcast Series: Importing FDCC GPOs Into Your Domain

Event Overview

FDCC Compliance Strengthens Attachmates Federal Government Pedigree