The U.S. Government Configuration Baseline (USGCB), formerly known as the Federal Desktop Core Configuration (FDCC), continues to be one of the most successful government IT programs aimed at helping to increase security, reduce costs, and accelerate the adoption of new technologies while creating a more efficiently managed desktop environment.
Deploying Windows 7 as part of your USGCB project can help streamline desktop management even more as you target improved usability for your users.
Government IT can get increased security, easier maintenance, and support for legacy applications, including:
- Improved safeguards, junk email filters, and anti-phishing features.
- Automatic scanning, expiration dates, email controls, and encrypting.
- Advanced backup to save and restore data more easily.
- Helpful support in Windows 7 Professional/Enterprise for running some older applications.
- Remote automation for repetitive tasks in Windows 7 Professional/Enterprise.
- Richer built-in troubleshooting capabilities, so you can resolve more technical issues on your own.
Users can get improved productivity across the desktop, such as:
- Faster PC startup and shutdown, even from standby, and increased battery life on mobile PCs.
- Consolidated search across your PC, the web, and the intranet from your desktop running
- New printer settings that update automatically, depending on where you log on with your computer.
- Fewer user prompts.
The USGCB mandate, issued by the Office of Management and Budget (OMB), requires federal agencies to standardize desktop configurations to meet USGCB standards. The USGCB is designed to provide a single, standard, enterprise-wide managed environment for desktops and laptops running Windows XP, Windows Vista, and Windows 7. Federal government contractor systems that interface with federal government systems are also subject to USGCB requirements.
By using a common configuration developed for the enterprise rather than using hundreds of costly, locally created configurations, the federal government can improve security, reduce costs, decrease application-compatibility issues, and speed the adoption of new technologies. Your agency can realize significant value from desktop standardization, including major operational improvements, both in the IT department and in public-facing functions, including:
- Strengthened data security.
- Streamlined management of desktop computers and other devices.
- Faster compliance with agency or government requirements and more consistent enforcement of policies.
- Reduced energy consumption.
- Seamless and secure access to data and applications—even legacy applications—from any PC.
As you plan for your USGCB compliance, you may need to address some obstacles. Among the most common:
- Your users are accustomed to running with administrator rights instead of the USGCB-directed standard user rights.
- Your organization has decentralized procurement and management of user desktops, which leads to multiple standards and configurations.
- Your line-of-business applications ignore least-privileged user access (LUA) issues, so applications fail when users log on with standard user privileges.
- You are concerned that some USGCB-mandated settings are too restrictive for your current business needs, requiring you to report deviations to the National Institute of Standards and Technology (NIST) and OMB.
Your compliance planning and implementation will vary depending on whether you are deploying the USGCB on Windows XP, Windows Vista, Windows 7, or a combination of these operating systems. The table below describes some differences between Windows XP, Windows Vista, and Windows 7 with respect to the USGCB.
Complying with the USGCB mandate is a significant undertaking, requiring you to test and deploy a standard desktop configuration across your agency and applications to meet the compliance guidelines. If you don't have the time or staff resources to allocate to this project, the Microsoft Standard Desktop Solution and Microsoft Enterprise Services can help you develop, implement, and test a standard desktop configuration that can align your agency with USGCB standards and can help reduce enterprise desktop management costs. The engagement is relatively short—typically between four and six weeks—and includes:
- Reports and decision-making support.
- Free, downloadable tools to simplify implementation and testing.
- A pilot-ready standard desktop.
To find out more about a USGCB/Windows engagement with Microsoft Enterprise Services, download the Microsoft Services Standard Desktop Solution.
Windows Vista and Windows 7 vs. Windows XP

| | Windows Vista and Windows 7 | Windows XP |
|---|---|---|
| Protecting private information and support for Homeland Security Presidential Directive 12 (HSPD-12) | Online Certificate Status Protocol (OCSP) is included in Windows Vista Service Pack 1 (SP1) and Windows 7. | Windows XP requires separate OCSP client or other additional software. |
| Installing device drivers | Users with standard privileges can install drivers that have been preapproved by administrators (for example, from a trusted store of drivers). | Only users with administrative rights can install device drivers. |
| Changing time zones | Rights to change the system time and time zone are separate in Windows Vista and Windows 7, so users with standard privileges can change the time zone on their computers, when necessary, without affecting USGCB compliance. | The rights to change the system time and time zone are combined, but USGCB does not allow users with standard privileges to change the system time. |
| Downloading and installing ActiveX controls in Windows Internet Explorer | You can configure the Windows Vista and Windows 7 ActiveX Installer Service (AxIS) in Active Directory (AD) Group Policy to allow user downloading and installation of ActiveX controls only from approved sites, which supports compliance with USGCB restrictions regarding downloading or installing ActiveX controls from any Internet zones other than intranet and Trusted Sites. | Users with standard privileges cannot install ActiveX controls at all. Organizations must plan to use other means (that is, software distribution mechanisms, such as Microsoft Systems Management Server 2003 or System Center Configuration Manager 2007) to deploy ActiveX controls. |
| Improving application compatibility | In the past, many applications were typically run by administrators. As a result, applications could read and write system files and registry keys freely. If standard users ran these applications, they would fail due to insufficient access. Windows Vista and Windows 7 improve application compatibility for standard users by redirecting writes (and subsequent file or registry operations) to a per-user location within the user's profile. For example, if an application attempts to write to C:\Program Files\Contoso\Settings.ini, and the user does not have permissions to write to that directory, the write will be redirected to C:\Users\Username\AppData\Local\VirtualStore\Program Files\Contoso\Settings.ini. For the registry, if an application attempts to write to HKEY_LOCAL_MACHINE\Software\Contoso\, it will automatically get redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software\Contoso or HKEY_USERS\UserSID_Classes\VirtualStore\Machine\Software\Contoso. | |
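
The redirection described above leaves a record that can be used to find applications that still assume administrator rights. The following is an added example, not code from the original page or from Microsoft: a PowerShell inventory of the current user's two VirtualStore locations, listing each redirected file or registry key next to the protected location the application was trying to write to. It assumes Windows Vista or later with PowerShell 2.0 and the default profile layout; the variable names are illustrative.

```powershell
# Added example: inventory UAC virtualization artifacts for the current user.
# Every hit is a write that a standard-user process aimed at a protected
# location and that Windows redirected into the per-user VirtualStore.

$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
$findings  = @()

# Files: ...\AppData\Local\VirtualStore\<path relative to the system drive>
if (Test-Path -LiteralPath $fileStore) {
    Get-ChildItem -LiteralPath $fileStore -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Rebuild the path the application originally targeted.
            $relative = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            $findings += New-Object PSObject -Property @{
                Type       = 'File'
                Intended   = "${env:SystemDrive}\$relative"
                Redirected = $_.FullName
                LastWrite  = $_.LastWriteTime
            }
        }
}

# Registry: HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\<vendor key>
if (Test-Path -LiteralPath $regStore) {
    Get-ChildItem -LiteralPath $regStore -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueCount -gt 0 } |
        ForEach-Object {
            # Strip the VirtualStore prefix to recover the HKLM key name.
            $relative = $_.Name -replace '^.*?\\VirtualStore\\MACHINE\\', ''
            $findings += New-Object PSObject -Property @{
                Type       = 'Registry'
                Intended   = "HKEY_LOCAL_MACHINE\$relative"
                Redirected = $_.Name
                LastWrite  = $null   # not exposed by the registry provider
            }
        }
}

# One row per redirected write, grouped by type and original target.
$findings |
    Sort-Object Type, Intended |
    Select-Object Type, Intended, Redirected, LastWrite |
    Format-Table -AutoSize -Wrap
```

Run it in the context of each user being assessed, since both stores are per-profile; an empty result means no redirected writes were recorded for that user.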