[ISN] Feds endorse guide for Windows security

From: InfoSec News (isnat_private)
Date: Tue Jul 23 2002 - 00:17:26 PDT


    By Rutrell Yasin 
    July 22, 2002
    New benchmarks published last week by a broad coalition of federal and
    private organizations could vastly improve the security of systems
    throughout government agencies, experts say.
    The first step in that process is a set of security configuration
    recommendations called Consensus Baseline Security Settings for
    Microsoft Corp. Windows 2000 Professional. They are designed to help
    agencies ensure that their Windows-based workstations are properly
    configured to protect against external and internal cyberattacks.
    Moreover, this initiative could serve as a model for future benchmarks
    that could be applied to other network protocols and systems,
    proponents say.
    Predefined security settings will take some of the burden of securing
    systems off the shoulders of overworked systems administrators, who
    also may lack an in-depth knowledge of network security, said John
    Gilligan, chief information officer for the Air Force.
    "Increasingly, software products are [becoming more] complicated with
    large numbers of settings," Gilligan said. "Often, administrators have
    to set the software for security. Putting this extra burden on
    over-tasked systems administrators who don't have the proper
    [security] insight is not the way to go."
    Too often, security breaches in both the public and private sectors
    are caused by software running on network devices that have not been
    configured with appropriate security settings or lack the latest fixes
    and updates that would prevent new security vulnerabilities. About 80
    percent of the successful penetrations of government systems are due
    to attackers exploiting vulnerabilities, Gilligan said.
    The baseline security settings "give systems administrators the tools
    to implement standards that can be easily updated as they learn about
    new threats," said Richard Clarke, special adviser to the president
    for cyberspace security. The collaboration also demonstrates how the
    proposed Homeland Security Department should unfold, he added, with
    the private sector and government working together to protect the
    nation's critical infrastructures.
    Agencies can protect their systems by downloading the benchmarks, free
    of charge, from the Center for Internet Security (www.cisecurity.org).
    All Air Force installations will deploy the benchmark and scoring
    tool, Gilligan said, adding that all CIOs in the federal government
    should plan on doing so, though their participation is not mandated.
    "I would also endorse continuation of the collaboration [between
    federal agencies and the private sector] to address a broader set of
    products" for the future, he said. Results of this collaboration can
    be shared with software vendors, so off-the-shelf software will
    conform to the security baselines, he added.
    Windows lockdown
    The Consensus Baseline Security Settings for Microsoft Corp. Windows
    2000 Professional workstations were developed and endorsed by a broad
    group of Windows security experts from key government and industry
    organizations. Participants included:
    * General Services Administration
    * National Institute of Standards and Technology
    * Defense Information Systems Agency
    * National Security Agency
    * SANS Institute
    * Center for Internet Security
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Jul 23 2002 - 02:45:00 PDT