Windows desktop administrative rights soon will become a thing of the past for most federal users, as the U.S. government's Federal Desktop Core Configuration (FDCC) directive takes effect on February 1.
FDCC is the new set of standard security configuration guidelines for all federal agencies that run or plan to run Windows XP and Windows Vista desktops or laptops. Contractors' Windows client machines that run on federal networks also fall under FDCC, and IT product vendors selling products with these OSes also must configure them to the FDCC specifications.
"This is definitely a move in the right direction. Even with the increase in stealthy attacks, 90 percent of attacks are still using known vulnerabilities" and many agencies aren't keeping up with those vulnerabilities, says Amrit Williams, CTO of BigFix. "This will let them assess their [desktop] environments against those configurations, then enforce them, and remediate machines."
FDCC follows a similar initiative by the U.S. Air Force, which began in 2004. Air Force officials have said that their standard, secure desktop configurations cut patch time from an average of 51 days to 72 hours, and have also lowered support and security costs dramatically, says Alan Paller, director of research for the SANS Institute. FDCC was a natural progression for the feds after the Air Force's experience: "Happier users and lower costs because you don't have to do patch testing on all different configurations, and you get better security," he says.
Among the key security requirements in FDCC, aside from disabling administrative privileges, are disabling wireless network access and running Internet Explorer 7. But the biggest change with the directive will be limiting client machines to basic user privileges rather than letting them run with administrative rights, security experts say.
Leaving admin rights on a user's desktop can invite trouble, especially with today's more targeted attacks. Malware that gets on a machine can spread more readily, as well as take over the machine -- and users are free to run apps they shouldn't. Vista comes packaged with user account protection features that let users perform mundane tasks that once required admin privileges. (See The Truth About User Privileges.)
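As an added illustration (not from the article or from any of the vendors it quotes), the following PowerShell script audits a single Windows client against the three FDCC points the story names: no admin rights for the end user, wireless disabled, and Internet Explorer 7. It assumes Windows PowerShell 3 or later on the machine being checked; the service and registry names are standard Windows ones and are not taken from the article.

```powershell
# Added example, not part of the Dark Reading article: a read-only audit of the three
# FDCC points the article names (no admin rights for end users, wireless disabled,
# Internet Explorer 7). Assumes Windows PowerShell 3+ on the client being checked;
# service and registry names are standard Windows ones, not taken from the article.
function Test-FdccSubset {
    $results = @()

    # 1. Admin rights: does the current session hold administrator rights, and who
    #    sits in the local Administrators group (end-user accounts should not)?
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $group     = [ADSI]"WinNT://./Administrators,group"
    $members   = @($group.psbase.Invoke("Members") | ForEach-Object {
                     $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
    $results += [pscustomobject]@{ Check = "Session has admin rights"; Value = $isAdmin;
                                   Compliant = (-not $isAdmin) }
    $results += [pscustomobject]@{ Check = "Local Administrators members"; Value = ($members -join ", ");
                                   Compliant = "review" }   # judged against the agency's list of IT accounts

    # 2. Wireless: the WLAN service (Wlansvc on Vista, WZCSVC on XP) should be stopped and disabled.
    $wlan = Get-WmiObject Win32_Service -Filter "Name='Wlansvc' OR Name='WZCSVC'"
    foreach ($svc in @($wlan)) {
        $results += [pscustomobject]@{ Check = "Wireless service $($svc.Name)";
                                       Value = "$($svc.State)/$($svc.StartMode)";
                                       Compliant = ($svc.State -eq "Stopped" -and $svc.StartMode -eq "Disabled") }
    }

    # 3. Browser: FDCC, as the article states it, calls for Internet Explorer 7.
    $ieKey   = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Internet Explorer" -ErrorAction SilentlyContinue
    $ieMajor = if ($ieKey -and $ieKey.Version) { [int]$ieKey.Version.Split(".")[0] } else { 0 }
    $results += [pscustomobject]@{ Check = "Internet Explorer major version"; Value = $ieMajor;
                                   Compliant = ($ieMajor -eq 7) }

    return $results
}

Test-FdccSubset | Format-Table -AutoSize
```

The Administrators-membership row is deliberately left as "review" rather than pass/fail, since only the agency knows which accounts legitimately belong there.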
"The elimination of admin rights is really a key linchpin of this whole effort," says John Moyer, CEO of BeyondTrust, which sells least-privilege management tools. "[FDCC] really is about enforcing a standard, secure configuration, and as part of that standard is [an end user] not logging in as an administrator so you can't change all of those settings."
But SANS's Paller disagrees. "[Removing admin rights is] important, but life won't end if you have to put it off on 10 percent of your machines for a year," he says. "You can just isolate them on a subnet," for instance, he says.
The big question will be just how dropping admin rights will affect legacy applications, for instance. "There are going to be apps that don't work," especially internally developed ones, BigFix's Williams says.
And restrictions on wireless access also could pose some challenges, although experts say they're sure the feds will find a way to get their mobile users safer wireless with options such as EVDO cards.
"The problem with FDCC won't be 'is this hardened enough?'... but the productivity hit" it will incur, BigFix's Williams says.
SANS's Paller says there will be some apps that break, but that mainly will be a problem for the application developer, not the end user. "So the apps need to be changed not to require administrative rights" to run, he says.
And FDCC only addresses securely configuring desktops and laptops -- and only Windows XP and Vista ones. But security experts say they expect the feds to eventually set standard secure configurations for servers and other devices as well.
Aside from the U.S. Air Force, which stripped admin rights from around 500,000 end-user machines, at least one other agency also has already done so prior to the FDCC requirements: The Department of Energy's National Nuclear Security Administration site in Nevada removed admin privileges from over 3,500 client machines after ditching Novell for a Windows Active Directory environment. The DOE runs BeyondTrust's Privilege Manager, which allows users to run desktop apps and perform authorized tasks without the need for admin privileges.
"The centralized management of applications, rights, and security was in question, so we went with least user privileges," says Gilroy Freeth, senior technical analyst for Spherion Services, a contractor to the DOE site.
Freeth says this helps neutralize rootkits and malware that require elevated privileges to help them do their dirty work. And since some IT group members will obviously still need admin privileges to do their jobs, their machines will be at risk for these types of client-side attacks, he says.