[ISN] Uncle Sam's Security Vision: One Windows Configuration For All PCs

From: InfoSec News (alerts@private)
Date: Mon Jul 09 2007 - 01:31:45 PDT


By Sharon Gaudin
July 7, 2007

The U.S. Government--with its hundreds of thousands of PCs--is pushing 
through a strategy for desktop security that most companies don't dare. 
It's moving agencies and departments from hundreds of security 
configurations for Windows XP and Vista to just one.

The move is supposed to be completed by February, when a directive from 
the White House's Office of Management and Budget goes into effect, 
forcing government agencies and military branches to conform to a 
Windows security configuration designed for the Air Force two years ago. 
As of June 30, all federal software contracts must specify that 
applications run optimally on the configuration.

The measure's sure to be met with some resistance, such as from 
government CIOs who have to spend time and budget making sure their 
legacy applications--even ones just a year or two old--run well on their 
newly configured PCs.

Yet going to a single configuration could eliminate more than 80% of 
government agencies' known PC vulnerabilities, estimates Clint Kreitner, 
CEO of the Center for Internet Security, who worked with the National 
Security Agency, the National Institute of Standards and Technology, and 
other agencies to develop the spec, known as the Federal Desktop Core 
Configuration. A single configuration would make patching easier and 
bring laggard agencies up to a higher security standard.

The Air Force implemented its single configuration between May and 
December 2006, going from several hundred configurations to one. It was 
a major effort, but now the Air Force can centrally test any changes 
against that one configuration, says Ken Heitkamp, associate director 
for life-cycle management in the Air Force's Office of Warfighting 
Integration and CIO.

Keith Rhodes, who as chief technologist at the Government Accountability 
Office is known as the feds' top hacker, says the new standard 
configuration will be a big improvement. "There's very, very little 
uniformity in policy and configuration," he says. "We've got to move to 
a more stable environment." Part of Rhodes' job is trying to hack into 
government agencies, and having so many security policies and 
configurations makes that easier since it means many machines aren't at 
their highest security level.

The FDCC spec covers nearly 300 settings in Windows. For example, 
Windows XP's default gives the user system administration privileges, 
and that must be changed to basic privileges to limit what a hacker 
could access on a compromised machine. It calls for locking down 
services such as Windows' messenger service--intended for system 
administrators to contact end users, but which can be used by hackers to 
trick users into typing in URLs and downloading viruses--and the FTP 
publishing service. Heitkamp says the spec turns off the Gadget feature 
in Windows XP, which lets people download widgets such as stock market 
tickers. And it turns off Windows Meeting Space, a team collaboration 
capability that could open security holes, and the automatic update 
feature that lets Microsoft push out patches.

The FDCC dictates how often passwords must be changed and how long they 
must be, and how long a workstation can remain idle before being 
automatically logged off. It spells out which users have which level of 
privileges and what activities must be logged.

Patching Made Easier

This standardized configuration is going to make patching much easier, 
says Alan Paller, director of research at the SANS Institute, a security 
research and training organization. Instead of testing every patch on 
perhaps hundreds of configurations, IT administrators can test it on 
just one. An NSA study showed that proper patching and configuration 
practices would eliminate more than 80% of agencies' vulnerabilities 
from weak configurations and missing patches, says Kreitner.

This spring, eight government agencies, including the Department of 
Defense, the Treasury, and the Nuclear Regulatory Agency, got failing 
grades on the annual computer security report cards by the House 
Committee for Oversight and Government Reform. The Department of 
Homeland Security got a D. The government's overall grade: C-. Paller 
says the directive could help government agencies improve those 
unacceptable grades.

The single Windows configuration should help when hiring a contractor to 
create custom applications, says Simon Szykman, CIO of the National 
Institute of Standards and Technology. In the past, when a third party 
developed an application in its own IT environment, there was no 
guarantee it would work optimally in the agency's secure desktop 
environment. Now an IT contractor working for any government agency will 
know the configuration to optimize for.

Microsoft worked with the Air Force to develop the configuration, though 
it continues to ship Windows XP and Vista in their normal default 
settings. Mark Belk, chief technology adviser with Microsoft's Federal 
Civilian Agencies division, says it offers a set of scripts to help 
agencies configure the software more quickly.

The move comes as agencies are deciding whether and how to adopt Vista. 
The Defense Department and armed services, all of which will use the 
FDCC, already have spent more than 5,000 hours developing a consensus 
standard desktop Vista configuration for all military services. NIST CIO 
Szykman plans to roll out Vista desktops, though the agency won't do so 
until all its Windows XP PCs first meet the new standard.

Government agencies aren't starting from the same position, says James 
Flyzik, who was Treasury Department CIO and deputy assistant secretary 
for information systems from 1997 to 2002. Those with good security 
practices have a shot at making the February deadline, says Flyzik, now 
president of consulting firm the Flyzik Group. The others are less 

Will the business world embrace a single Windows security configuration? 
Some do--Cigna, the health insurance company, has a single security 
standard that sets the minimum configuration for XP desktops 
company-wide, says chief information security officer Craig Shumard. 
It'll develop a similar one for Vista. But most companies don't, for the 
same reason that any homogenized environment is tough to stick to. As 
demands change, meeting a business need or performance level looks more 
important than sticking to a standard--what Mark Shavlik, CEO of Windows 
patch facilitator Shavlik Technologies, calls "security posture drift."

It's also difficult and costly to impose uniformity on an existing 
infrastructure. But in terms of testing, patching, software deployment, 
and reimaging, standardization can save money as well as boost security, 
if companies can get past the initial push. "There's chaos out there in 
enterprise land, with systems using all kinds of different, nonstandard 
configurations, and that has got to be tightened up," says Kreitner. 
"And the Air Force has proven that it can be done." Now the rest of the 
U.S. government will test whether an organization with millions of 
employees spread around the world can also make it work.

Copyright © 2007 CMP Media LLC


This archive was generated by hypermail 2.1.3 : Mon Jul 09 2007 - 01:39:14 PDT