Using Cisco NAC Appliance to enforce FDCC configuration

OMB has mandated the Federal Desktop Core Configuration (FDCC) security configuration. NIST has a detailed set of configuration settings in an Excel spreadsheet that can be downloaded from http://fdcc.nist.gov.

I’d like to provide an example how Cisco NAC can easily help to enforce the FDCC security configuration for a Windows XP computer. Cisco NAC can perform checks on information contained in files, registry keys, applications, and services. Looking at the FDCC download package, there are a number of settings that define registry key settings. One such setting is CCE-918. I’ve provided a screen shot of the specific line item entry below

I will be showing how to check for this setting using a Cisco NAC registry check. The overall steps I will be showing are listed below

Create check
Create rule
Create requirement
Match requirement to rule to create a requirement-rule
Match requirement-rule to a role

Create Check

The check is created using the registry setting shown above. This can be accessed in the NAC configuration at “Device Management > Clean Access > Clean Access Agent > Rules > New Check”

It’s then just a matter of filling in the registry information match the FDCC setting. This is shown below

Create Rule

The next step is to create the rule that the check is assigned to. I’ll add the new check to the FDCC rule I’ve already created

Create Requirement

The requirement provides the remediation message that is provided to the end user if the requirement is not met. For this reason, the information should be phrased as an informational message with directions on how to fix the problem. In the case of the FDCC settings, it will be up to an administrator to fix the problem because modifying the registry requires administrative rights.