Sidebar | How to get around common glitches when complying with FDCC
- By Joab Jackson, Jason Miller
- Feb 19, 2008
When bringing Microsoft Windows-based desktop computers into compliance with the Federal Desktop Core Configuration, administrators might find a few settings that cause problems. Fortunately, at last month's FDCC workshop held by the National Institute of Standards and Technology, David Dixon, a senior consultant on the Microsoft Federal Services FDCC Team, specified some solutions to these problems.

FIPS-related glitches

FDCC mandates use of encryption algorithms that comply with the Federal Information Processing Standards, which a lot of Web sites and applications do not use.

PROBLEM: FDCC forbids computers to access Web sites that do not use FIPS-compliant encryption algorithms. Secure Sockets Layer 3.0 does not use FIPS-compliant encryption.

FIX: Use Transport Layer Security 1.0, the next-generation version of SSL, when possible, and report government sites that are not FIPS-compliant to the Office of Management and Budget.

PROBLEM: Terminal services are rendered inoperable by FDCC settings. Older versions of the Remote Desktop Protocol do not use FIPS-compliant encryption, and users can't connect to Windows XP computers using RDP if the FIPS setting is enabled.

FIX: Upgrade to RDP Version 5.2 using strong encryption for Windows XP (RDP client only), Windows Server 2003 and Vista (both can be used as an RDP client and server with FIPS enabled). Organizations that connect to Windows XP computers using RDP for support or administration purposes will need to develop an alternative strategy.

PROBLEM: Agencies cannot use recovery passwords with BitLocker Drive Encryption or other encryption solutions that use recovery passwords. Recovery keys may not be stored in Active Directory.

FIX: Use recovery keys and store them on secure USB drives.

PROBLEM: FDCC disables Remote Access Connection Manager (RACM), in addition to Wireless Zero Configuration in XP and WLAN AutoConfig in Vista. All three tools help users sign on to a virtual private network, the last two wirelessly. Disabling them hinders the ability to sign on to a VPN.

FIX: Use third-party wireless client programs. Create a Group Policy Object (GPO) that enables those services for mobile users, or use or develop a program that detects the absence of a wired connection and then enables wireless.

PROBLEM: FDCC limits cached domain log-ons to two accounts. In cases where laptop PCs are shared, individuals may be locked out when the network is unavailable.

FIX: Create a GPO that increases the number of cached log-ons for computers that are shared, such as for shift work or other legitimate business purposes.

ActiveX controls

PROBLEM: FDCC prohibits downloading signed and unsigned ActiveX controls, which are used by many Web sites accessed by federal agencies.

FIX: Package the ActiveX controls and distribute them using standard software distribution solutions such as SMS, Altiris or Tivoli, and even Active Directory Group Policy. Vista offers the ActiveX Installer Service (AxIS), which can install ActiveX controls that have been approved by Group Policy.

PROBLEM: FDCC blocks Internet Explorer processes from installing ActiveX controls, which could affect Windows Update.

FIX: Use WSUS instead of Windows Update to deploy updates. In this case, the administrator downloads each update once, to an internal server, which allows administrators to test and approve updates before deploying them to users.

Firewall

Although FDCC does not mandate the Windows firewall specifically, those using the Windows firewall will face issues.

PROBLEM: FDCC blocks file and print sharing. This hinders the ability to use hidden shares for administrative purposes.

FIX: Set up file servers for sharing files. For administrative tasks, create and apply policies and filter them using security groups so only administrators can use file and print sharing.

PROBLEM: Applications open a large number of ports to communicate on the network, all of which must be documented.

FIX: Create an application exception rather than a port exception in the desktop firewall.
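Two of the fixes above translate directly into host settings: the application exception that replaces a port exception, and the raised cached log-on count for designated shared laptops. The PowerShell below is an added example, not from the article or from Microsoft; it assumes an elevated session on Windows Vista or later (netsh advfirewall), and the application path and rule name are hypothetical.

```powershell
# Added example (not from the article). Assumes an elevated PowerShell session on
# Windows Vista or later, which has netsh advfirewall. Paths and names are hypothetical.
$AppPath     = 'C:\Program Files\ExampleApp\ExampleApp.exe'   # hypothetical binary
$RuleName    = 'ExampleApp inbound (application exception)'   # hypothetical rule name
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SharedLaptop = $false   # set to $true only on a documented shift-work machine

function Add-ApplicationException {
    # Allow inbound traffic to one binary, on the domain profile only. The port
    # exception this replaces would be:
    #   netsh advfirewall firewall add rule name="App port" dir=in action=allow protocol=TCP localport=8080
    # which admits traffic to TCP 8080 for every process on the host, which is
    # why each such port must be documented. An application rule needs no port list.
    param([string]$Name, [string]$Program)
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow program="$Program" enable=yes profile=domain | Out-Null
    # Verify: the verbose listing carries a "Program:" line; if the rule is
    # missing, netsh prints "No rules match the specified criteria." instead.
    $shown = netsh advfirewall firewall show rule name="$Name" verbose | Out-String
    if ($shown -notmatch [regex]::Escape($Program)) { throw "Firewall rule '$Name' was not created" }
}

function Get-CachedLogonCount {
    # FDCC sets this to 2. The value is stored as REG_SZ, so cast it to a number.
    [int](Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount).CachedLogonsCount
}

function Set-CachedLogonCount {
    # Writes the same value that the GPO setting "Interactive logon: Number of
    # previous logons to cache" writes. A domain GPO overwrites a local change at
    # the next refresh, so shared laptops belong in their own GPO; this local
    # write is for verification on a test machine.
    param([ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
}

Add-ApplicationException -Name $RuleName -Program $AppPath
$before = Get-CachedLogonCount
if ($SharedLaptop) { Set-CachedLogonCount -Count 10 }
"Firewall rule '$RuleName' present; CachedLogonsCount $before -> $(Get-CachedLogonCount)"
```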