April 2, 2007 4:00 AM PDT

The feds weigh in on Windows security

Will the White House make a difference in computer security?

The President's Office of Management and Budget recently sent out a directive to federal chief information officers to secure their Windows PCs. In what some said could have ripple effects well beyond Washington, the White House sent out a memorandum on March 22 that instructed all federal agencies (PDF) to adopt standard security configurations for Windows XP and Windows Vista by February 1.

"If the government states that it is only going to buy systems that are more secure, that sends a terrific signal," said Larry Clinton, president of the Internet Security Alliance, a group that represents large corporate technology users. "It is a significant step. All the technology providers will now have to adapt their products to meet those standards."

Under the directive, technology providers who want to sell to the government will have to certify that their products work with specially configured systems.

Locking down Windows PCs
The White House has ordered federal agencies to use standard security configurations on Windows XP and Windows Vista desktops by February. How are the feds going to do that? A sneak peek into the guidance:
For Windows XP:
• Use virus and spyware detection and removal utilities
• Use e-mail clients that filter spam
• Do not allow unapproved applications such as file-sharing and instant-message tools
• Run the system with limited user privileges
• Configure software to reduce exposure to threats
• Don't let Java, JavaScript and ActiveX applications launch by default

For Windows Vista:
Much of the same guidance applies, although Vista's default settings already take some of the XP tips into account. The Windows Vista Security Guide has additional technical guidelines on installation of Vista in a network.

"Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources," Karen Evans, an OMB administrator, wrote in a memo to federal CIOs on March 20.

According to Evans' memo, by adopting the standard configurations, federal agencies can improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity and availability of government information.

But at least one analyst described the move as just a minor development.

"On the one hand, every little thing matters; on the other hand, this is a little thing," said Pete Lindstrom, a Burton Group analyst. "Standard configurations are pretty obviously useful; global 2000 companies have been doing this for about 10 to 15 years now."

The SANS Institute, which specializes in computer security training, disagreed and instead applauded the government's move. The $65 billion that the U.S. government is putting into IT purchasing each year will be an enormous incentive for technology providers to deliver products that work on secured systems, which will also benefit users outside the government, Alan Paller, director of research at SANS, wrote on the organization's Web site.

"The benefits of this move are enormous: Common, secure configurations can help slow botnet spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money," Paller wrote.

The announcement arrives just as many developers are building applications for Vista, which means software companies can immediately work the requirements into their products, SANS said. To help technology vendors achieve this, the government plans in late April to make available copies of Windows installations based on the secure configurations.

Configurations for security installation have been developed by the National Institute of Standards and Technology, the Department of Defense, the Department of Homeland Security, Microsoft and others. The U.S. Air Force has been a guinea pig in a "comply or don't connect" program with about 575,000 computers.

Microsoft first published its Windows Vista Security Guide in November, on the same day it wrapped up work on Vista. A new version of the document was published in January after an error was discovered in the earlier release. The error could cause some of the group policy objects not to be created correctly, Microsoft has said.

A security guide for Windows XP has been available since late 2005. The recommendations in the guide include running PCs without administrator privileges, not installing peer-to-peer or instant-message applications, and preventing automatic execution of applications common on Web sites such as Java, JavaScript and ActiveX.

The guide for Vista similarly provides instructions and recommendations designed to help strengthen the security of desktop and laptop computers running the latest Microsoft operating system, which is the most secure version to date, according to the software giant.

About two-thirds of successful attacks take advantage of misconfigured PCs and servers, according to research firm Gartner. The use of secure configurations out of the box has proven to be very effective, said John Pescatore, a Gartner analyst.

"This guidance by OMB is a very good idea," Pescatore said, noting that he reviewed and similarly commented on an early version of the directive.

But Burton Group's Lindstrom reiterated that the White House move will not exactly be a boon to security in general.

He cautioned that rethinking security configuration is not a panacea. "Presumably, there were a lot of reasons to have 'insecure' desktops in the past, so you don't just wave a magic wand and make it go away," he said.

But SANS is not deterred by such skepticism. The White House directive "reflects heroic leadership in starting to fight back against cybercrime," Paller wrote.

"The President's Office of Management and Budget...
by Commander_Spock April 2, 2007 5:29 AM PDT
... recently sent out a directive to federal chief information officers to secure their Windows PCs. In what some said could have ripple effects well beyond Washington..."; therefore, SECURE "Windows PCs" (Code-Base OS/2 Warp) = NETWORK COMPUTING WITH OS/2 WARP = THE INTERNET IS THE OPERATING SYSTEM!
Just a Vista marketing piece.
by Macsaresafer April 2, 2007 6:36 AM PDT
People are unimpressed with it, so let's all pretend that Vista is secure. That way, we can require them to buy it. Next year, we'll require them to install Service Pack 1. The year after that, Service Pack 2. They'll never catch on.

<sarcasm>Way to go CNET! Publish the press release with no thought or research. Another stellar reporting job.</sarcasm>
Not really
by wolivere April 2, 2007 7:41 AM PDT
Many departments in the government are not very secure when it comes to security. Not because they are non intelligent or lack resources or are noobs. Many times it is due to bureaucratic bungling.

Our new is near the top 10% percentile when it comes to security. And we have not had many issues over the past 4 years. All told 99.9% of our issues were internal disgruntled employees.

That said, even simple changes in security, often is washed down, with impact assessments, to verify end-user functionality, performance...and so on.

Even Patch Tuesday patches, even when a known exploit is running, can take 30-90 days, sometimes 1/2 a year, to get permission to implement. Dependent on a variety of circumstances.

A push from the top is what is needed to make people react.

It does not matter if its Windows, Vista, OSX, Linux...etc.

The fight first starts at policy.

That said my Linux desktop that I use, is down again, as once again a patch came through that destroyed my FGLRX drivers. So another hour down the drain to recompile the damn drivers, and reedit xorg. So frustrating to apply a needed patch, reboot, to a flashing _ ....
They already have one for XP:
by Penguinisto April 2, 2007 8:35 AM PDT
The DIA has these critters called STIGs (Security Technical Implementation Guidelines) that are used and enforced throughout the US Department of Defense. They are required for any DoD-owned computer, and are also required for any contractor computer that hosts DoD data.

See also this link:
http://iase.disa.mil/stigs/stig/

Vista prolly won't be written yet.

/P
Why would ANYONE use Windows?
by ckurowic April 2, 2007 10:17 AM PDT
Who in their right mind would want to use a computer system that is so incredibly limited?! It's bad enough I've got to deal with Windblows XP at work (USAF). I can't believe ANYONE likes XP or Vista or any Windows product period. Why would you want to give up half the things that your computer can do? This is stupid! Get a real computer like a Mac where you don't have to give up a damn thing for security. Wake up people, wake up!
Windows security? Never going to happen
by rcrusoe April 2, 2007 11:31 AM PDT
Microsoft has been trying to make Windows reasonably secure for years, IMO, without success. The White House needs only ask any of the 3 letter security agencies to know this. None of them allow Windows computers on any of their secure networks.

And even if it was possible to make Windows secure, Federal users appear just as clueless as most others.

It was just reported that the White House Travel Office sent out birthdates, social security numbers, and passport numbers of some reporters to a ton of news bureaus.

Sounds to me like it's a case of the blind leading the blind.

http://news.com.com/2100-1001-251927.html

http://www.usnews.com/usnews/politics/washingtonwhispers/070401/an_identity_theft_waiting_to_h.htm
Lost/Missing Data and National Security!
by Commander_Spock April 2, 2007 12:42 PM PDT
Why agencies like "the National Institute of Standards and Technology, the Department of Defense, the Department of Homeland Security, Microsoft and others..." would wish to continue to rely on computing technologies that put "sensitive" data at risk continues to be highly questionable. Have the incidents of the missing Laptop Computers with the data of hundreds of thousands of Veterans and Active Duty Service Members, missing or lost data (by several companies) of hundreds of thousands individuals' data... been forgotten already?
national security threat
by n3td3v April 2, 2007 1:44 PM PDT
the threat doesn't come from individual hackers or groups, the threat is other government with as many millions of dollars in penetrating the investment put into updating hardware and software.

it doesn't matter if the U.S government uses Linux or Windows, there are super powers with the investment to counter-strike that investment and break into government networks.

i've said before and i'll say again, there is no I.T security without intelligence.

if you don't have the intelligence on potential threats and plots and know your enemy, then you can spend as much money as you like on hardware or software, it's going to end in the same story where your critical national data is compromised.

information intelligence is the real key to securing your networks... the money, the investment should be spent on investigating and spying on external powers who have the funding and ability to break your defenses no matter how much physical precautions are implemented.

if you get lone hackers breaking your security, lock them up, investigate them, they aren't the critical enemy here, it's world governments and state funded terrorism is the real threat, because those guys will break your security and genuinely won't be traceable with the best forensics in your grasp.
Just don't work with admin permissions!
by hadaso April 2, 2007 3:56 PM PDT
Not browsing the web and not reading email with admin permissions is the most important step towards security. Why would anyone want to grant any website or incoming email permissions to alter one's own PC configuration (including the ability to replace components of the OS)? Yet most Windows users including users in corporate environments do it.

I don't use administrator's privileges on Windows for anything but system maintenance that requires them (such as Windows update, software installation, scanning for malware). I have not been infected with any virus for years. (In addition I use a hardware Linux firewall - Smoothwall Express on a separate old PC - and I have email scanned for viruses using ClamAV on the server by my email provider.)

I have known people that were getting viruses every now and then and those that stopped working in an admin account also stopped getting infected.
Just use Macs instead
by macmommy1228 April 3, 2007 10:50 AM PDT
Wow, that's a lot of money to spend on IT purchasing and security. I wonder how much money, time and energy would be saved if they just used Macs? I'd feel more secure about the government if Mac was the standard platform.
PC Technology..all cracked up..!
by castingRod47 April 4, 2007 2:01 AM PDT
I work on my PC just about all day..I work w/large files and also Upload and COPY Files from the Internet/along the way security has always been the mystery..though I had lots(and still do)trust McAFEE there still is the Int. Opt. setting configuration..the Keyword:Productivity should exceed in some way..the security notions that this PC environment is a magical Horse in the Kingdom-falls short of actual duties over the long haul..I agree that Windows should continue to push new products into the environment(also)creating Aggressive Employees in the process..but find the angles of a Desktop over the Laptop that big "snafu" in the handling of Information..it seems that some have the audacity to take the familiar failings and lie about what really has occurred-determining the environment a place of "manipulation"..just your "run-of-the-mill" workplace environment..In a more simple sense..I personally find the loss of DATA somewhere in the "BIG" lie about competent IT rather than the resultant "where's my DATA" innocent plea for Support.
What is wrong with FIPS & C2 ratings?
by wbenton April 4, 2007 7:44 AM PDT
If FIPS & C2 isn't strong enough, they should then revamp the FIPS & C2 security.

ALL unnecessary protocols stopped.
ALL unnecessary DLL's, Programs, Drivers, etc. uninstalled.
etc. etc. etc.

No need in creating a new specification!

FWIW
Why put national security at the mercy of Windows?
by angelsfreeek April 5, 2007 11:52 AM PDT
As soon as I read up on Mac OS X (thus dispelling any misinformation I had previously had as a result of not actually KNOWING anything about Macs), and years of experience with Windows (enough said), I couldn't help but wonder why the US Government would trust their national and international issues/secrets to an OS so easily exploited. I could not imagine how disastrous it would be if extra-sensitive information were ever to be hacked out of a government PC.

Notice that I never said OS X is not exploitable (because it is), but it's not nearly as easily exploited as Windows, and that's a fact, not a fanboy-opinionated statement. Most of today's hackers are in it for the money, correct? Hacking Windows is easy, takes a short time, and gets them $$$.

Take this scenario: $10,000 on the inside of what appears to be a well-secured house, and $500 inside an extremely intricate, smash-proof puzzle box. Hackers know how to get into that house, while they don't know how to get into the puzzle box. It IS possible to open the puzzle box, but why bother when you could just get more money for less effort? Unless you're willing to spend the time and effort to get through that puzzle box just for the satisfaction of doing so and for being the first person to do so, who would want to spend the time, effort, and money to get the $500, when $10,000 can be had much more easily?

Now if the gov't used OS X, a much more robust OS, it would make much more sense, as this IS national security we're dealing with here. Yes, OS X COULD be hacked as well, but there's no such thing as an impenetrable OS. All that matters is how robust it is against such attacks.

Now, if you have no REAL long-term experience with Macs this millennium, then don't bother replying with your "oh but ur wrong you mac fan boi" comments. It's amazing how people who don't have, or have never used OS X, "know" every reason why nobody should use them. You have the Internet, is it that hard to do a little research?