The Office of Management and Budget recently released new configuration guidelines for Windows XP and Vista that all Federal agencies need to adopt by February 1, 2008. The guidelines are known as the "Federal Desktop Core Configurations" (FDCC) and have been published as part of the NIST Security Content Automation Protocol (SCAP) program.
Tenable has published two new audit files for Nessus Direct Feed and Security Center users to audit Windows systems against these required configurations settings. The polices are available for download from the Tenable Support Portal by clicking on the 'Downloads' button, and then the 'Download NIST Compliance Audit Policies' button. These policies are available alongside other audit policies based on existing NIST SCAP content for Windows XP Pro and Windows 2003 operating systems.
To use these policies, Security Center users should download these audit files and place them in their /opt/sc3/admin/nasl directory and then make them part of new or existing Vulnerability Polices. Nessus Direct Feed users should download these policies to the system they are operating the Nessus client from and add them to new or existing Nessus scan policies.
A short video of the Security Center being used for a NIST compliance audit against a Windows 2003 server is available here. A short video of Nessus being used to scan for NIST compliance is also available here.
For more information about Tenable's support of NIST configuration auditing standards, please consider these previous blog entries:
- NIST Audit Policies for Nessus 3
- CVSS Version 2 Scoring With Nessus and the Passive Vulnerabiltiy Scanner