Making FDCC stick
Army contractor shares secrets to deploying and maintaining Federal Desktop Core Configuration.
Last year, the White House mandated that all federal government desktop and laptop computers — including those in the Defense Department — must be configured to a set of specifications, called the Federal Desktop Core Configuration. FDCC secures computers so that users, administrators or operating systems vendors don't inadvertently compromise them with unnecessarily open settings.
While agencies scurried to set all their computers to FDCC specs last year, the work is not yet over. Administrators must now assure that the computers stay in compliance and that users don't muck around with the settings.
Chris Cormell is a project manager for L-3 Communications who oversaw the process of assuring that 14,000 Army headquarters (HQDA) desktops and laptops, including those in the Pentagon, stayed in compliance.
Getting a fleet of computers into compliance can be a significant undertaking, though one very doable, Cormell said.
When agencies across the government started deploying the FDCC settings, they found it broke a number of internal applications and other work-related tasks. Some of the settings with Internet Explorer, for instance, could not automatically be set. Some Web apps relied on Java, which FDCC did not initially permit.
In many ways, the Army was already ahead of the game when it came to getting its computers to toe the FDCC line. To keep its desktop computers and laptops under a single configuration, the service maintains a gold master of whatever version of Microsoft Windows it is using (then XP). The service periodically updates the gold master, which administrators install on all the machines. In late 2007, the Army prepared a FDCC-configured gold master.
Cormell and his team designated a set of special development group of computers, using Organization Units (OU) designation within Microsoft Active Directory. With this group, they could test the master to ensure in both met compliance and kept the local internal apps running. After adjustments were made, the company refreshed the desktops across all the HQDA OUs, well in time to meet the OMB deadline.
By using OUs to install the FDCC-compliant version of the OS across the network saved the time of having an administrator go from machine to machine with a disk to install each OS by hand.
"That way if you have to back off [from using a newly deployed OS], you can do that from one spot, rather than having to back it off from every machine," Cormell said. "It's just a smarter way of doing business."
Of course, deploying a FDCC compliant OS is only the first part of the job. You also must ensure that the machines stay in compliance — a task that can not be done by Active Directory alone.
This can be a tricky endeavor, given that some users need administrative privileges on their machines, Cormell noted. With such powers at their command, they make changes that knock their computers out of compliance. Moreover, many machines aren't always connected to the network, so updating them can only take place periodically.
To help keep the machines uniform, L-3 uses management software that keeps a pristine shadow copy of the FDCC-compliant OS on each computer. For this task, they use Persystent Technologies' Persystent Suite, which works with Microsoft Windows 2000, XP and Vista. Should a user make an unauthorized change, the software changes the rogue configuration back to the correct one the next time to computer is booted. The suite does this by referencing the shadow OS copy, which resides on a separate partition.
"Persystent creates a baseline, so users aren't changing it. If you have admin rights, you can change [a setting], but when you reboot the machine, the baseline comes back," Cormell said. "That saves you from having to constantly scan your network to make sure everyone is in compliance."
Under this scheme, only selected administrators can make changes to the baseline OS. With Persystent, each client has an embedded agent, which communicates, via Secure Socket Layer, with a central administrative server. However, the baselines OS resides on the client computer, so it can be reset even if offline. The bootup takes an additional 30 seconds or so, while the software compares the OS with the baseline, according to Jamie Cerra, Persystent senior engineer.
Despite the administrative duties, FDCC remains well worth the effort, Cormell said.
"It takes some time and development. You have to test it against your images," he said. "But there are a lot of cyberattacks happening on a day-to-day basis. We have to bring security up to the level to where we need it to be."
Note: This story was updated on Feb. 23.