Using Cisco NAC Appliance to enforce FDCC configuration

NetCraftsmen®

OMB has mandated the Federal Desktop Core Configuration (FDCC) security configuration.  NIST has a detailed set of configuration settings in an Excel spreadsheet that can be downloaded from http://fdcc.nist.gov. 

I’d like to provide an example how Cisco NAC can easily help to enforce the FDCC security configuration for a Windows XP computer.  Cisco NAC can perform checks on information contained in files, registry keys, applications, and services.  Looking at the FDCC download package, there are a number of settings that define registry key settings.  One such setting is CCE-918.  I’ve provided a screen shot of the specific line item entry below

I will be showing how to check for this setting using a Cisco NAC registry check.  The overall steps I will be showing are listed below

  1. Create check
  2. Create rule
  3. Create requirement
  4. Match requirement to rule to create a requirement-rule
  5. Match  requirement-rule to a role

Create Check

 The check is created using the registry setting shown above.  This can be accessed in the NAC configuration at “Device Management > Clean Access > Clean Access Agent > Rules > New Check”

 It’s then just a matter of filling in the registry information match the FDCC setting.  This is shown below

Create Rule 

The next step is to create the rule that the check is assigned to.  I’ll add the new check to the FDCC rule I’ve already created

Create Requirement

 The requirement provides the remediation message that is provided to the end user if the requirement is not met.  For this reason, the information should be phrased as an informational message with directions on how to fix the problem.  In the case of the FDCC settings, it will be up to an administrator to fix the problem because modifying the registry requires administrative rights.

 Match requirement to rule to create a requirement-rule

 Next, a requirement rule is created.  This defines what is checked and the remediation action that is taken if the check does not pass

 Match  requirement-rule to a role

The final step is to match the  requirement-rule to a role so that the role enforces the FDCC settings.  

Now the Employee role will require the FDCC requirements to be met before access to the network is granted

Leave a Reply