Federal Desktop Core Configuration (FDCC) solution

Get support for building increased security into your agency networks.

 

 

The initial deadline for reporting on Federal Desktop Core Configuration (FDCC) compliance has passed, yet many government agencies continue to struggle with the mandate. This is indicative of the complexity involved in driving compliance across large and intricate organizations.

   

The FDCC mandate, issued by the Office of Management and Budget (OMB), requires federal agencies to standardize desktop configurations to meet FDCC standards. FDCC is designed to provide a single, standard, enterprise-wide, managed environment for desktops and laptops running Microsoft Windows XP or Windows Vista. Federal government contractor systems that interface with federal government systems are also subject to FDCC requirements. By using a common configuration developed for the enterprise rather than hundreds of costly locally created configurations, the federal government will improve security, reduce costs, and decrease application-compatibility issues.

As good as all that sounds, you may uncover obstacles in getting there. Among the most common:

  • Your users are accustomed to running with administrator rights, not the FDCC-directed standard user rights.
  • Your organization has decentralized procurement and management of user desktops, which leads to multiple standards and configurations.
  • Your line-of-business applications ignore least user-privileged access (LUA) issues, so applications fail when users log in with standard user privileges.
  • You are concerned that some FDCC-mandated settings are too restrictive for your current business needs, requiring you to report FDCC deviations to the National Institute of Standards and Technology (NIST) and OMB.

Your compliance planning and implementation will vary depending on whether you are deploying the standard desktop configuration on Microsoft Windows XP, Windows Vista, or a combination. The following table describes some differences between Windows Vista and Windows XP with respect to FDCC:

Windows XP vs. Windows Vista

Each FDCC consideration below is followed by the behavior in Microsoft Windows Vista and in Microsoft Windows XP.

Protecting private information and support for Homeland Security Presidential Directive (HSPD)-12
  • Windows Vista: Online Certificate Status Protocol (OCSP) is included in Windows Vista Service Pack 1 (SP1).
  • Windows XP: Requires a separate Online Certificate Status Protocol (OCSP) client or other additional software.

Installing device drivers
  • Windows Vista: Users with standard privileges can install drivers that have been preapproved by administrators (for example, from a trusted store of drivers).
  • Windows XP: Only users with administrative rights can install device drivers.

Changing time zones
  • Windows Vista: Rights to change the system time and time zone are separate in Windows Vista, so users with standard privileges can change the time zone on their computers, when necessary, without affecting FDCC compliance.
  • Windows XP: The rights to change the system time and time zone are combined, but FDCC does not allow users with standard privileges to change the system time.

Downloading and installing ActiveX controls in Internet Explorer
  • Windows Vista: You can configure the Windows Vista ActiveX Installer Service (AxIS) in Active Directory (AD) Group Policy to allow user downloading and installation of ActiveX controls only from approved sites, which supports compliance with FDCC restrictions regarding downloading or installing ActiveX controls from any Internet zones other than intranet and Trusted Sites.
  • Windows XP: Users with standard privileges cannot install ActiveX controls at all. Organizations must plan to use other means (i.e., software distribution mechanisms such as Microsoft Systems Management Server (SMS) 2003 or System Center Configuration Manager (SCCM) 2007) to deploy ActiveX controls.

Application virtualization and compatibility

Prior to Windows Vista, many applications were typically run by administrators. As a result, applications could read and write system files and registry keys freely. If standard users ran these applications, they would fail due to insufficient access. Windows Vista improves application compatibility for standard users by redirecting writes (and subsequent file or registry operations) to a per-user location within the user's profile. For example, if an application attempts to write to C:\Program Files\Contoso\Settings.ini, and the user does not have permissions to write to that directory, the write will be redirected to C:\Users\Username\AppData\Local\VirtualStore\Program Files\contoso\settings.ini. For the registry, if an application attempts to write to HKEY_LOCAL_MACHINE\Software\Contoso\ it will automatically get redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software\Contoso or HKEY_USERS\UserSID_Classes\VirtualStore\Machine\Software\Contoso.
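The file redirection described above leaves a footprint that can be inventoried while testing FDCC settings. The following PowerShell (3.0 or later) is an added example, not part of the original page; the function name Get-VirtualizedWrite, the default profile root, and the grouping by top-level application folder are assumptions. It lists every file under each profile's VirtualStore, maps it back to the location the application tried to write to, and summarizes the results per application folder.

```powershell
# Added example: inventory files redirected by Windows Vista file virtualization.
# Run elevated so that every user profile is readable.
param(
    # Assumption: profiles live under <SystemDrive>\Users, as in the page's example path.
    [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
)

function Get-VirtualizedWrite {
    param([Parameter(Mandatory = $true)][string]$ProfileRoot)

    $profiles = Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction SilentlyContinue
    foreach ($userDir in $profiles) {
        $store = Join-Path $userDir.FullName 'AppData\Local\VirtualStore'
        if (-not (Test-Path -LiteralPath $store)) { continue }

        Get-ChildItem -LiteralPath $store -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The path below VirtualStore mirrors the path below the system drive root.
                $relative = $_.FullName.Substring($store.Length).TrimStart('\')
                [pscustomobject]@{
                    User         = $userDir.Name
                    OriginalPath = Join-Path "$env:SystemDrive\" $relative
                    RedirectedTo = $_.FullName
                    LastWrite    = $_.LastWriteTime
                }
            }
    }
}

# Summarize by application folder (drive plus the first two path segments),
# e.g. C:\Program Files\Contoso, with the users who triggered redirection.
Get-VirtualizedWrite -ProfileRoot $ProfileRoot |
    Group-Object { ($_.OriginalPath -split '\\')[0..2] -join '\' } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'Users'; Expression = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
```

Each application folder in the output is a candidate for remediation or for an ACL review before standard-user rights are enforced.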

 

 

 

 

Complying with the Federal Desktop Core Configuration (FDCC) mandate is a significant undertaking, requiring you to test and deploy a standard desktop configuration across your agency and applications within a short period of time to meet the compliance guidelines.

   
   

If you don't have the time or staff resources to allocate to this project, the Microsoft Standard Desktop Solution and Microsoft Enterprise Services can help you develop, implement, and test a standard desktop configuration that will bring you into compliance with FDCC requirements and reduce enterprise desktop management costs. The engagement is relatively short—typically between four and six weeks—and includes reports and decision-making support; provides free, downloadable tools to simplify implementation and testing; and yields a pilot-ready standard desktop for Windows XP or Windows Vista. Microsoft Enterprise Services can also help you harden Microsoft Office systems 2003 and 2007 to be consistent with the FDCC mandate and extend FDCC benefits even further.

To find out more about an FDCC engagement with Microsoft Enterprise Services, download the Microsoft Services Standard Desktop Solution (Portable Document Format file, 2.2 MB), contact Ken Page at (301) 751-4413, or send an e-mail to msfdcc@microsoft.com.

 

Once you understand details and ramifications of the Federal Desktop Core Configuration (FDCC) mandate, you need to develop and deploy a plan for compliance.

   
   
  1. Work with your operations, security, and management teams (including branch locations if you have them) to review and analyze the required FDCC settings and determine what effects they will have on your organization. You may identify areas where you want to request exceptions.
  2. Decide whether you will develop a new desktop image incorporating FDCC settings. Organizations that are moving from a decentralized desktop environment to a more centralized one typically find it beneficial to develop a new baseline image (based on Windows XP or Windows Vista) as well as applying FDCC settings using Group Policy objects (GPOs). Organizations that have a fairly centralized and well-managed desktop environment and have Microsoft Active Directory (AD) often can achieve compliance simply by applying the FDCC GPOs to computers and users within their AD environment.
  3. If you decide to build a new operating system image, determine the operating system components or features that you will install as part of that image and build your image, GPOs, and local policy files, which you can use to secure desktop computers that are not part of an Active Directory domain.
  4. Apply the settings in a test environment to identify and resolve or mitigate potential system or application compatibility issues caused by FDCC settings.
  5. Submit deviations and correction plans to NIST.
  6. Develop a production deployment plan.
  7. Communicate the change to your IT customers.
  8. Deploy your desktop configuration using Active Directory group policies (GPOs), enterprise management tools such as Microsoft Systems Management Server 2007 or System Center Configuration Manager 2003, and/or your existing disk imaging process. We strongly recommend that you develop a pilot deployment consisting of a small number of users, so you can identify potential issues with the image, FDCC settings, and application compatibility and resolve them prior to full-scale deployment.

Microsoft provides information, tools, and troubleshooting resources to help you manage the entire process at Microsoft FDCC deployment resources.

 

© 2009 Microsoft Corporation. All rights reserved.