JANUARY 24, 2008 | 5:35 PM
By Kelly Jackson Higgins
Senior Editor, Dark Reading
Windows desktop administrative rights soon will become a thing of the past for most federal users, as the U.S. government's Federal Desktop Core Configuration (FDCC) directive takes effect on February 1.
FDCC is the new set of standard security configuration
guidelines for all federal agencies that run or plan to run Windows XP
and Windows Vista desktops or laptops. Contractors' Windows client
machines that run on federal networks also fall under FDCC, and IT
product vendors selling products with these OSes also must configure
them to the FDCC specifications.
"This is definitely a move in the right direction. Even with the
increase in stealthy attacks, 90 percent of attacks are still using
known vulnerabilities" and many agencies aren't keeping up with those
vulnerabilities, says Amrit Williams, CTO of BigFix. "This will let
them assess their [desktop] environments against those configurations,
then enforce them, and remediate machines."
FDCC follows a similar initiative by the U.S. Air Force, which
began in 2004. Air Force officials have said that their standard,
secure desktop configurations cut patch time from an average of 51 days
to 72 hours and also lowered support and security costs
dramatically, says Alan Paller, director of research for the SANS
Institute. FDCC was a natural progression for the feds after the Air
Force's experience: "Happier users and lower costs because you don't
have to do patch testing on all different configurations, and you get
better security," he says.
Among the key security requirements in FDCC, aside from disabling
administrative privileges, are disabling wireless network access and
running Internet Explorer 7. But the biggest change with the directive
will be limiting client machines to basic user privileges rather than
letting them run with administrative rights, security experts say.
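As an added illustration (not code from the article, from NIST's FDCC content, or from any vendor quoted here), the following PowerShell script audits a Windows client against the three settings just listed: membership of the local Administrators group, the state of the wireless service, and the Internet Explorer version. It assumes Windows PowerShell 5.1 (for Get-LocalGroupMember), an allowed-administrator list ($AllowedAdmins, a placeholder an agency would replace with its own) and treats IE 7 or later as acceptable; official FDCC compliance was measured with SCAP-validated scanners, which a script like this does not replace.

```powershell
# Added example, not FDCC's own tooling. Checks three FDCC settings named in the
# article. Requires Windows PowerShell 5.1 (LocalAccounts module), run elevated.
# The default $AllowedAdmins list is an assumption for this example only.

param(
    # Principals permitted in the local Administrators group (assumed values).
    [string[]]$AllowedAdmins = @("$env:COMPUTERNAME\Administrator", "CONTOSO\Domain Admins")
)

function New-Finding {
    param([string]$Check, [string]$Subject, [bool]$Compliant)
    [pscustomobject]@{
        Check   = $Check
        Subject = $Subject
        Status  = if ($Compliant) { 'Compliant' } else { 'NonCompliant' }
    }
}

function Get-LocalAdminFindings {
    param([string[]]$Allowed)
    # Get-LocalGroupMember reports names as DOMAIN\user or COMPUTER\user,
    # so the allow list must use the same form.
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        New-Finding -Check 'LocalAdministrators' -Subject $member.Name `
                    -Compliant ($Allowed -contains $member.Name)
    }
}

function Get-WirelessFinding {
    # Vista: WLAN AutoConfig (WlanSvc). XP: Wireless Zero Configuration (WZCSVC).
    # The check wants the service disabled at startup, not merely stopped right now.
    foreach ($name in 'WlanSvc', 'WZCSVC') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if ($svc) {
            return New-Finding -Check 'WirelessService' `
                               -Subject "$name (StartMode=$($svc.StartMode))" `
                               -Compliant ($svc.StartMode -eq 'Disabled')
        }
    }
    New-Finding -Check 'WirelessService' -Subject 'no wireless service installed' -Compliant $true
}

function Get-IEVersionFinding {
    # On XP/Vista-era builds 'Version' holds the installed IE version (IE7 reports
    # 7.0.x). IE 10 and later report the real version in 'svcVersion' and leave
    # 'Version' at 9.x, so prefer svcVersion when it exists.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ver   = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    $major = if ($ver) { [int]($ver.Split('.')[0]) } else { 0 }
    New-Finding -Check 'InternetExplorer' -Subject "version $ver" -Compliant ($major -ge 7)
}

$findings = @(Get-LocalAdminFindings -Allowed $AllowedAdmins) +
            @(Get-WirelessFinding) +
            @(Get-IEVersionFinding)

$findings | Format-Table -AutoSize

# A non-zero exit code lets a scheduler or management agent flag the host.
$bad = @($findings | Where-Object Status -eq 'NonCompliant').Count
exit $bad
```

Run it elevated on each client (or push it through a management agent); every account in the local Administrators group that is not on the allow list is reported as NonCompliant, which is the finding an agency removing end-user admin rights would act on first.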
Leaving admin rights on a user's desktop invites trouble,
especially with today's more targeted attacks. Malware that lands on an
administrator's machine inherits those rights, so it can take over the
machine outright and spread more readily -- and users are free to
install and run apps they shouldn't. Vista ships with User Account
Control, which lets users perform everyday tasks that once required
admin privileges without running as an administrator. (See The Truth About User Privileges.)
"The elimination of admin rights is really a key linchpin of this
whole effort," says John Moyer, CEO of BeyondTrust, which sells
least-privilege management tools. "[FDCC] really is about enforcing a
standard, secure configuration, and as part of that standard is [an end
user] not logging in as an administrator so you can't change all of
those settings."
But SANS's Paller disagrees. "[Removing admin rights is]
important, but life won't end if you have to put it off on 10 percent
of your machines for a year," he says. "You can just isolate them on a
subnet," for instance, he says.
The big question is how dropping admin rights will affect legacy
applications. "There are going to be apps that don't work,"
especially internally developed ones, BigFix's Williams says.
Restrictions on wireless access also could pose some challenges,
although experts say they're sure the feds will find a way to give
their mobile users safer wireless connectivity with options such as
EVDO cards.
"The problem with FDCC won't be 'is this hardened enough?'... but the productivity hit" it will incur, BigFix's Williams says.
SANS's Paller says there will be some apps that break, but that
mainly will be a problem for the application developer, not the end
user. "So the apps need to be changed not to require administrative
rights" to run, he says.
And FDCC only addresses securely configuring desktops and laptops
-- and only Windows XP and Vista ones. But security experts say they
expect the feds to eventually set standard secure configurations for
servers and other devices as well.
Aside from the U.S. Air Force, which stripped admin rights from
around 500,000 end-user machines, at least one other agency has
already done so ahead of the FDCC requirements: the Department of
Energy's National Nuclear Security Administration site in Nevada
removed admin privileges from over 3,500 client machines after moving
from Novell to a Windows Active Directory environment. The site runs
BeyondTrust's Privilege Manager, which lets users run desktop apps
and perform authorized tasks without admin privileges.
"The centralized management of applications, rights, and security
was in question," so we went with least user privileges, says Gilroy
Freeth, senior technical analyst for Spherion Services, a contractor to
the DOE site.
Freeth says this helps neutralize rootkits and malware that
require elevated privileges to help them do their dirty work. And since
some IT group members will obviously still need admin privileges to do
their jobs, their machines will be at risk for these types of
client-side attacks, he says.