Sir Bruce Mentions FDCC, World Goes Nuts

Posted May 7th, 2009 by

Check out this blog post.  Wow, all sorts of crazies decend out of the woodwork when Bruce talks about something that’s been around for years and suddenly everyone’s redesigning the desktop from the ground up.

Quick recap on comments:

  • 60-day password changes suck
  • You can do this at home, the GPOs are available from NIST
  • My blue-haired sheepdog can’t use the FDCC image, it’s broken for commercial use!
  • You wouldn’t have to do this in Linux
  • Linux is teh suxx0rz
  • My computer started beeping and smoke came out of it, is this FDCC?

Proving once again that you can’t talk about Windows desktop security without it evolving into a flamewar.  Might as well pull out “vi v/s emacs” while you’re at it, Bruce.  =)

Computer Setup photo by karindalziel.  Yes, one of them is a linux box, I used this picture for that very same reason.  =)

But there is one point that people need to understand.  The magic of FDCC is not in the fact that the Government used its IT-buying muscle to get Microsoft to cooperate.  Oh no, that’s to be expected–the guys at MS are used to working with a lot of people now on requests.

The true magic of FDCC is getting the application vendors to play along.  To wit:

  • The FDCC GPOs are freely available from NIST
  • You can download images from NIST with a preconfigured FDCC setup
  • Application vendors can test their product against FDCC in their own lab
  • There is no external audit burden (yet, it might be coming) for software vendors because it’s a self-certification
  • FDCC-compatible software doesn’t require administrative privileges

In other words, if your software works with FDCC, it’s probably built to run on a security-correct operating system in the first place.  This is a good thing, and in this case the Government is using its IT budget to bring the application vendors into some sort of minimal security to the rest of the world.

This statement is from the FDCC FAQ, comments in parenthesis are mine:

“How are vendors required to prove FDCC compliance?
There is no formal compliance process; vendors of information technology products must self-assert FDCC compliance. They are expected to ensure that their products function correctly with computers configured with the FDCC settings. The product installation process must make no changes to the FDCC settings. Applications must work with users who do not have administrative privileges, the only acceptable exception being information technology management tools. Vendors must test their products on systems configured with the FDCC settings, they must use SCAP validated tools with FDCC Scanner capability to certify their products operate correctly with FDCC configurations and do not alter FDCC settings. The OMB provided suggested language in this memo:, vendors are likely to encounter similar language when negotiating with agencies.”

So really what you get out of self-certification is something like this:

Similar Posts:

Posted in Technical | 4 Comments »

4 Responses

  1.  Darren Couch Says:

    I was thinking maybe BSD vs Linux…but what I really want to know is when the patch for laziness and indifference in our DOIM officers for end users is coming to our state. Off topic, but frustratingly close to my heart.

  2.  Darren Couch Says:

    (also my gravatar is very strange.)

  3.  Mike Nelson Says:

    Well put rybolov. I agree with your characterization of the true magic of FDCC. Procurement processes need to be robust enough to insist on vendor software that meets the criteria, and I’m concerned about the self-certification aspect.

    Also, since one size can never fit all when it comes to meeting mission requirements with a single default configuration profile, organizations need to build a trusted risk assessment and variance approval process so that local modifications are well understood and managed.

  4.  Top 3 NoVA Infosec Blog Posts of the Week | Says:

    […] you decide whether FDCC really is the holy grail of desktop security, be sure to read @rybolov’s post, as well as the initial post by Schneier, to see what the hubbub is all about. (If nothing else, […]

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: