White House Sets Single Security Configuration For Windows Computers

A White House mandate to conform to one security configuration on Windows XP and Windows Vista systems should "radically reduce" vulnerabilities.

"One reason we're succeeding in our [penetration] testing is because there's no conformity," he explained. "Everything is set up willy nilly. There's no uniform implementation of firewall policies, router settings, password rules."

Paller also noted that with so many different security configurations, many are bound to be weaker than others, and that creates gaping holes in government IT safeguards.

A multitude of security configurations also leads to big problems when it comes to patching vulnerabilities in applications. Every single configuration has to be tested before a patch can be installed, said Paller. That can slow down the patching process, leaving systems vulnerable to hackers who might try to take advantage of the unpatched bugs.

So why are there so many different security configurations to begin with?

It's simple, said Paller. Different IT managers have different ideas about how the configurations should be set up, so there are great differences from agency to agency and even within the same agency. The software vendors also are part of the problem, since they often develop applications based on different configurations.

"No one has been able to decide how to configure their own system because the application vendors forced them [into different configurations]," said Paller, noting that government contracts generally add up to about 20% of most major vendors' sales. "That's over. The application vendors must conform if they want to sell to the government."

While software vendors like Microsoft will have to change their application development process, government CIOs and chief security officers also are looking at a big job.

IT managers at the embattled agencies will have to bring all of their different systems into compliance, and deal with how that will affect all of the applications running on the systems. According to Rhodes, it's obviously going to cause some problems -- on top of the ones they're already dealing with.

"It's going to be tough," he said. "They have to inventory everything they have. First, that will be brute force pick-and-shovel stuff. Once you do a uniform reconfiguration, a lot of the unique or custom-made applications will break because you changed the underlying configuration. Maybe the software is talking to a particular application suite or a database and you've just altered the permissions in its environment."

While Rhodes pointed out that a lot of these custom-made applications are critical to the enterprise, Paller noted that other applications also may struggle with the new configuration. And he's not talking about just the 10- or 20-year-old applications. He's talking about major software pieces that were bought just two years ago, as well.

"It's a big job but in general, the guys struggling to keep up are the guys struggling with patches and testing," said Paller. "You're reducing the load on testing patches and the time the help desk spends with people because now they'll know what configuration they're on. It's a good thing that should radically reduce the pain."

Rhodes agreed that after all the work is behind the IT managers, government agencies should be safer for it. "What this will do is take away the egregious problems," he said. "It will be a step in the right direction."