This post was authored by Barry Hartmann, a Senior Consultant with Microsoft Federal...


With the adoption of the Federal Desktop Core Configuration (FDCC) settings for Windows XP, consideration needs to be given to mobile use scenarios and how the settings impact them.  Several key settings have a pronounced effect on mobile users, and they should be addressed during the assessment and testing phases of FDCC implementation.


The key FDCC settings that have a negative impact on mobile use are as follows:


·       Wireless Zero Configuration (WZC) Service is DISABLED via policy

o   This service provides Windows XP's built-in capability to discover and connect to wireless networks.  Without the service enabled, a normal user will not be able to connect to wireless networks such as those commonly found in hotels, home environments and many other places used by travelers, telecommuters, etc.  This can be mitigated in some cases by installing third-party software provided by the wireless networking device manufacturer.

·       Remote Access Connection Manager (RACM) service is DISABLED via policy

o   This service provides the foundation for VPN, RAS (dial-up) and broadband aircard functionality.  In addition to the service being turned off, the Access Control List (ACL) for the service is also modified by the FDCC settings so that only administrators can start the service.

·       Number of cached logons

o   The FDCC settings currently limit the number of logons cached for use when a domain controller is unavailable to 2.  This has the potential to be disruptive to shared devices when traveling.  Although not as critical as the above-mentioned items, it can significantly impact certain scenarios if not planned for.

The primary mobile scenarios include (but are not limited to):


·       Enterprise managed client machine is connected to an unmanaged network via hardwire connection for general purpose internet usage

o   This scenario is unaffected by FDCC settings

·       Enterprise managed client machine requires connection to unmanaged network via wireless network interface for general purpose internet usage

o   This scenario is affected by the disabling of the WZC service

·       Enterprise managed client machine requires connection to unmanaged network via hardwire connection and subsequent connectivity via VPN to managed network

o   This scenario is affected by the disabling (and ACL modification) of the RACM service

·       Enterprise managed client machine requires connection to unmanaged network via wireless network interface and subsequent connectivity via VPN to managed network

o   This scenario is affected by the disabling (and ACL modification) of the RACM service and disabling of the WZC service

·       Enterprise managed client machine requires connection to managed network via dial-up (RAS)

o   This scenario is affected by the disabling (and ACL modification) of the RACM service

·       Enterprise managed client machine requires connection to unmanaged network via broadband aircard (Sprint, Verizon, etc.)

o   This scenario is affected by the disabling (and ACL modification) of the RACM service

·       Multiple personnel (3 or more) require access to an enterprise client machine, including their domain profile, when the domain controller is not available (i.e. when traveling)

o   This scenario is affected by limiting the number of cached logons to 2
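The three settings above and the scenario list they feed into can be checked on a client rather than reasoned about by hand. The script below is an added example, not code from the original post: it parses text captured from `sc qc`, `sc sdshow` and `reg query` on a Windows XP client, decides whether WZC is disabled, whether RACM is disabled or only startable by administrators (by reading the service DACL for the SERVICE_START right, SDDL code RP), reads the cached-logon count, and maps the results onto the seven scenarios. The service names WZCSVC and RasMan and the CachedLogonsCount registry value are the XP identifiers for the settings the post discusses; the sample captures, the set of trustees treated as "administrative" (SY, BA, LA) and the output layouts are constructed assumptions.

```python
# Added example, not code from the original post: audit a Windows XP client's
# FDCC mobile-impact settings from text captured with `sc qc`, `sc sdshow` and
# `reg query`. Service names WZCSVC/RasMan and CachedLogonsCount are the XP
# identifiers for the settings discussed; the captures below are constructed.
import re

SERVICE_START = 0x0010      # access-mask bit behind the SDDL right code RP
GENERIC_ALL = 0x10000000    # SDDL code GA, implies every service right
# Trustees whose start right does not help a normal user (assumed set):
# SY = LocalSystem, BA = Builtin Administrators, LA = local Administrator.
ADMIN_TRUSTEES = {"SY", "BA", "LA"}

# Constructed captures shaped like an FDCC-configured client's output.
SC_QC_WZCSVC = """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: WZCSVC
        START_TYPE         : 4   DISABLED
        DISPLAY_NAME       : Wireless Zero Configuration
"""
SC_QC_RASMAN = SC_QC_WZCSVC.replace("WZCSVC", "RasMan").replace(
    "Wireless Zero Configuration", "Remote Access Connection Manager")
# DACL where RP (SERVICE_START) is held only by SY and BA; IU/SU may only query.
SC_SDSHOW_RASMAN = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
REG_QUERY_CACHED = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    CachedLogonsCount    REG_SZ    2
"""

def parse_start_type(sc_qc_output):
    """Numeric START_TYPE from `sc qc` output (2 auto, 3 manual, 4 disabled)."""
    m = re.search(r"START_TYPE\s*:\s*(\d+)", sc_qc_output)
    if not m:
        raise ValueError("no START_TYPE line in sc qc output")
    return int(m.group(1))

def parse_aces(sddl):
    """Yield (ace_type, rights, trustee) for every ACE in the DACL of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")   # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + ace)
        yield fields[0], fields[2], fields[5]

def grants_start(rights):
    """True if an ACE's rights field includes SERVICE_START (two-letter codes or hex mask)."""
    if rights.startswith("0x"):
        return bool(int(rights, 16) & (SERVICE_START | GENERIC_ALL))
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & {"RP", "GA"})

def trustees_who_can_start(sddl):
    """Trustees holding an allow ACE for start that no deny ACE takes back."""
    allowed, denied = set(), set()
    for ace_type, rights, trustee in parse_aces(sddl):
        if grants_start(rights):
            (allowed if ace_type == "A" else denied).add(trustee)
    return allowed - denied

def non_admin_can_start(sddl):
    return bool(trustees_who_can_start(sddl) - ADMIN_TRUSTEES)

def parse_cached_logons(reg_output):
    m = re.search(r"CachedLogonsCount\s+REG_SZ\s+(\d+)", reg_output)
    if not m:
        raise ValueError("no CachedLogonsCount value in reg query output")
    return int(m.group(1))

def assess(wzc_qc, rasman_qc, rasman_sddl, reg_output, shared_users=3):
    """Map captured settings to the three FDCC items and the scenarios they break."""
    findings = {"wzc_disabled": parse_start_type(wzc_qc) == 4,
                "racm_disabled": parse_start_type(rasman_qc) == 4,
                "racm_admin_only_start": not non_admin_can_start(rasman_sddl),
                "cached_logons": parse_cached_logons(reg_output)}
    wzc = findings["wzc_disabled"]
    racm = findings["racm_disabled"] or findings["racm_admin_only_start"]
    cache = shared_users > findings["cached_logons"]
    scenarios = [("wired, general internet", False),
                 ("wireless, general internet", wzc),
                 ("wired + VPN to managed network", racm),
                 ("wireless + VPN to managed network", wzc or racm),
                 ("dial-up (RAS) to managed network", racm),
                 ("broadband aircard", racm),
                 ("%d users sharing the client offline" % shared_users, cache)]
    findings["affected_scenarios"] = [name for name, hit in scenarios if hit]
    return findings

if __name__ == "__main__":
    for key, value in assess(SC_QC_WZCSVC, SC_QC_RASMAN, SC_SDSHOW_RASMAN, REG_QUERY_CACHED).items():
        print("%-22s %s" % (key, value))
```

Run on the constructed captures it reports all three settings in force and six of the seven scenarios affected; only the wired general-internet scenario is untouched, matching the list above. The DACL check matters even where the service is later re-enabled: a RasMan that is set back to Manual but still carries the administrators-only ACL will still fail for a normal user, which is why the script evaluates the start type and the start right separately.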


A suggested course of action would be to identify and actively manage those enterprise clients that are tagged for mobile use.  Those clients can be provided additional Group Policy that countermands the key FDCC settings that inhibit mobile use.  This should be a very deliberate action by network operations personnel.  Additional consideration should be given to procuring a solution that will prohibit “dual-homing” with the wired and wireless NIC devices.
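One way to carry the countermanding policy for mobile-tagged clients, as an added example and not anything from the original post or from the FDCC baseline itself: a security template (.inf) that can be imported into a Group Policy Object linked to the organizational unit holding those clients, restoring the three settings discussed above. The start types are the Windows XP defaults (Automatic for WZCSVC, Manual for RasMan); the service security descriptors are assumed values whose only purpose is to hand the start right (RP) back to Interactive Users (IU) and should be replaced with whatever the organization's own baseline prescribes; `<N>` is a placeholder for the cached-logon count the organization settles on; the OU and GPO names are not part of the example.

```ini
; Added example security template for mobile-tagged Windows XP clients.
; Not part of FDCC or the original post; descriptors and <N> are assumed/placeholder values.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Registry Values]
; "Interactive logon: Number of previous logons to cache". 1 = REG_SZ.
; <N> is a placeholder: set it from the number of users who share the device while offline.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"<N>"

[Service General Setting]
; service name,start type (2 = Automatic, 3 = Manual, 4 = Disabled),security descriptor
; Assumed descriptors: SY and BA keep full control; IU regain RP (SERVICE_START) plus query rights.
WZCSVC,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)"
RasMan,3,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)"
```

Because this template deliberately weakens the baseline, it should be scoped as narrowly as the post suggests (a security-group filter or a dedicated OU for mobile clients) so that desktop-bound machines never receive it, and the resulting effective settings should be re-checked on a sample client after the policy applies.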


Ultimately, the primary concern should be what the enterprise client machines were exposed to while connected to unmanaged/untrusted networks.