GCN Home > 02/18/08 issue
Standard problems
Sidebar | How to get around common glitches when complying with FDCC
By Joab Jackson and Jason Miller
When bringing Microsoft Windows-based desktop computers into compliance with the Federal Desktop Core Configuration, administrators might find a few settings that cause problems. Fortunately, at last month's FDCC workshop held by the National Institute of Standards and Technology, David Dixon, a senior consultant on the Microsoft Federal Services FDCC Team, specified some solutions to these problems.

FIPS-related glitches

FDCC mandates use of the encryption algorithms that are compliant with the Federal Information Processing Standards, which a lot of Web sites and applications do not use.

PROBLEM: FDCC forbids computers to access Web sites that do not use FIPS-compliant encryption algorithms. Secure Sockets Layer 3.0 does not use FIPS-compliant encryption.

FIX: Use Transport Layer Security 1.0, the next-generation version of SSL, when possible and report government sites that are not FIPS-compliant to the Office of Management and Budget.

PROBLEM: Terminal services are rendered inoperable by FDCC settings.

Older versions of the Remote Desktop Protocol do not use FIPS-compliant encryption. And users can't connect to Windows XP computers using RDP if the FIPS setting is enabled.

FIX: Upgrade to RDP Version 5.2 using strong encryption for Windows XP (RDP client only). Windows Server 2003 and Vista both can be used as an RDP client and server with FIPS enabled.

Organizations that connect to Windows XP computers using RDP for support or administration purposes will need to develop an alternative strategy.

PROBLEM: Agencies cannot use recovery passwords with BitLocker Drive Encryption or other encryption solutions that use recovery passwords. Recovery keys may not be stored in Active Directory.

FIX: Use recovery keys and store them on secure USB drives.

PROBLEM: FDCC disables Remote Access Connection Manager (RACM), in addition to Wireless Zero Configuration in XP and WLAN AutoConfig in Vista. All three tools help users sign on to a virtual private network, the last two wirelessly. Disabling them hinders the ability to sign on to a VPN.
