FDCC and Internet Explorer 7, Part 2 – Impact on Users

This is the second installment in a series discussing various issues regarding the intersection of Microsoft Internet Explorer 7 and the Federal Desktop Core Configuration (FDCC).  The FDCC bears close resemblance to Microsoft’s security guidance for Windows XP and Windows Vista, so this series will be of interest to any customers who are locking down…


FDCC Blog Alert: Issue with Windows Vista SP1 and GPResults

Author:           Mandy Tidwell, Senior Consultant  Applies to:      Windows Vista SP1 Setting:           Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentCreate Symbolic Links   History:           After implementing FDCC on Windows Vista SP1, running the GPResults Wizard and navigating to Computer Configuration Policies Windows Settings Security Settings results in the following error: An error has occurred…


FDCC Blog Alert: Issue with Windows XP/Vista and IPSec

Author:           Mandy Tidwell, Senior Consultant, Microsoft Consulting Services Credit:             Jim Riekse, Consultant, Microsoft Consulting Services Applies to:      Windows XP and Windows Vista Setting:           Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentAccess this Computer from the Network is restricted to Administrators in FDCC.   Issue:               When IPSec is used to provide session security,…


Application / Certificate Performance Issues with Vista and FDCC

Summary In the process of defining the FDCC image, the National Institute of Standards (NIST) included several Federal and DoD Root and Intermediate x509 certificates in the FDCC Vista Trusted Root and Intermediate Certification Authorities stores. Several of these certificates are cross-certified. When the Vista CryptoAPI (CAPI) is called by a process (e.g. Iexplore.exe validating…


FDCC Blog Alert: Issue with Vista SP1

Author: Shelly Bird  Credit:  Syed Ismail, Ben Christenbury Applies to:  Vista SP1 alone. Setting: Microsoft Network Client: Digitally Sign communications (always) is set to Enabled in FDCC.   History: The server side settings are always ON (w2k3 SP2):   HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters                 EnableSecuritySignature [REG_DWORD] = 0x1                 RequireSecuritySignature [REG_DWORD] = 0x1   Client-side settings (Vista SP1)…


FDCC and Internet Explorer 7, Part 1: Security Zones

This multi-part series will discuss various issues regarding Microsoft Internet Explorer 7, particularly with regard to its use on Federal Desktop Core Configuration (FDCC) compliant systems.  The FDCC is based on Microsoft’s security guidance for Windows XP and Windows Vista, so this series will likely be of interest to audiences beyond those impacted by FDCC. …


Set_FDCC_LPGO v1.04 (Q3 2008) – Source code

The source code and Visual Studio project files for the Set_FDCC_LGPO Q3 2008 update are included as an attachment to this post. To build the project, you need Visual Studio 2005 and the Windows SDK. The current NIST FDCC policy files are included in the attachment; to build with updated policy files, the attachment includes…


Set_FDCC_LGPO: Updated for 2008 Q3

[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.]  Set_FDCC_LGPO is a utility that we originally released in December that applies the Group Policy Objects provided by NIST on their web site to the Local Group Policy on the Windows XP or Windows Vista computer you run the tool on. NIST recently released FDCC…


Q&A From "Using BitLocker with FDCC and FIPS" webcast

Q&A content from the “Using BitLocker with FDCC and FIPS” webcast from May 27, 2008.  The recording of the webcast may be viewed on-demand here.  Question: You may have mentioned this earlier but should FIPS be setup before or after FDCC? Answer: FIPS should be enabled and applied to the end system before BitLocker Drive…


Apply_LGPO_Delta 1.0 – source code

The source code and Visual Studio project files for the Apply_LGPO_Delta utility are included at an attachment to this post. To build the project, you need Visual Studio 2005 or 2008 and the Windows SDK. Source code is provided “AS-IS” without warranty, and is not supported by Microsoft customer support. [Attachment removed, as a newer…