A Pattern Emerges

Before you apply NIST's templates for FDCC, make sure to take a few precautionary measures.

In any organization, creating a consistent desktop configuration can be a challenge — even if a more secure systems environment results.

To help agencies do just that for systems running Microsoft Windows XP and Vista under the Federal Desktop Core Configuration mandate, the National Institute of Standards and Technology has created model templates. NIST Special Publication 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, updates the original SP 800-68, released in 2005, by incorporating the FDCC requirements in its list of XP security profiles.

SP 800-68 Rev 1 offers security guidelines and templates — FDCC, Legacy, Specialized Security-Limited Functionality, Enterprise and Small Office Home Office — for XP Service Pack 2 (SP2) and Service Pack 3 (SP3).

SP 800-68 Rev 1 and FDCC offer baselines for security but should never be perceived as the endgame. Like most things in IT security, these are living documents. What follows are some pointers to help ease the use of the new templates.

Root Out Insecurities

One tricky aspect is dealing with insecure protocols, such as the File Transfer Protocol, that transmit passwords in the clear. FDCC does not prohibit their use by clients, but it would be wise for IT to do so within the agency.

When requiring authentication or transmitting confidential information, it doesn’t make sense to use unencrypted protocols, such as FTP, Telnet, Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP) or Hypertext Transfer Protocol (HTTP). Instead, use their encrypted equivalents: FTP over Secure Sockets Layer (FTPS); Secure Shell (SSH); POP over SSL; SMTP over SSL; and HTTP over SSL (HTTPS). Although rarely used, FTPS is freely available on the client and server side.

On the server end, it’s possible to get FTP over SSL solutions at no additional cost, such as Microsoft FTP Publishing Service for IIS 7.0. On the client end, there are free FTPS solutions, too, such as FileZilla.

Revisit Firewall Settings

The FDCC and other security profiles in SP 800-68 could lead to firewall settings that prevent Security Content Automation Protocol scanners from being able to audit a client. The pairing of templates with SCAP lets IT track compliance, so this problem is definitely worth resolving.

To solve it, craft a fine-grained firewall policy that blocks everything by default and opens only Transmission Control Protocol Port 139, TCP Port 445, User Datagram Protocol Port 137 and UDP Port 138 to the subnet of devices that will do the scanning. This will limit your exposure to security risks. Remember: The XP and Vista firewalls let you configure very specific firewall rules, and Active Directory Group Policy lets you automate and distribute them.
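One way to confirm that a client's inbound allow rules match this policy, as an added example that is not from the original article: the Python below audits a rule listing and flags any port outside the four named above or any source outside the scanning subnet. The subnet 192.0.2.0/24, the key/value listing layout and its field names are assumptions, and the sample rules are constructed; the default-block setting itself is not checked here.

```python
import ipaddress
# Policy from the article: only these ports, only from the scanning subnet.
ALLOWED = {("TCP", "139"), ("TCP", "445"), ("UDP", "137"), ("UDP", "138")}
SCANNER_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed placeholder subnet

# Constructed sample rules: "Key: Value" blocks separated by blank lines.
SAMPLE = """\
Rule Name: SCAP scanner SMB
Enabled: Yes
Direction: In
RemoteIP: 192.0.2.0/24
Protocol: TCP
LocalPort: 139,445
Action: Allow

Rule Name: NetBIOS open to all
Enabled: Yes
Direction: In
RemoteIP: Any
Protocol: UDP
LocalPort: 137,138,21
Action: Allow
"""

def parse_rules(text):  # one dict per blank-line-separated rule block
    rules = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        rules.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return rules

def audit(rules):
    """Return (rule name, problem) for each enabled inbound allow rule off policy."""
    findings = []
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        name, proto = r.get("Rule Name", "?"), r.get("Protocol", "Any")
        for port in r.get("LocalPort", "Any").split(","):
            if (proto, port.strip()) not in ALLOWED:
                findings.append((name, f"{proto}/{port.strip()} not in policy"))
        for src in r.get("RemoteIP", "Any").split(","):
            try:  # "Any", address ranges and IPv6 fail closed as out of scope
                ok = ipaddress.ip_network(src.strip(), strict=False).subnet_of(SCANNER_NET)
            except (ValueError, TypeError):
                ok = False
            if not ok:
                findings.append((name, f"source {src.strip()} outside scanner subnet"))
    return findings
```

Calling `audit(parse_rules(SAMPLE))` passes the first rule and reports the second twice: once for the extra port and once for the unrestricted source.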

Expect Compatibility Conflicts

Because FDCC and SP 800-68 call for standard user accounts for daily usage, serious application compatibility challenges can arise in XP. Many apps contain sloppily written code, and some antivirus programs even require a user to run as an administrator, which puts the user in more danger than not having that antivirus app in the first place.

Vista, which by default does not run as administrator, spurs application manufacturers to create code that doesn’t require admin rights. Even so, agencies should expect problematic apps to be part of the desktop landscape for some time to come because of the extensive legacy and homegrown programs still in use.

Not handing users administrative access is one of the most important aspects of a secure desktop, yet it’s often one of the most ignored facets of security. Why? Because withholding that access can make managing a portfolio of many apps difficult. Commercial tools exist that can simplify the management of standard user accounts in XP and make permission elevation seamless for the user.