Uncle Sam's Security Vision: One Windows Configuration For All PCs - InformationWeek




By February, all departments and agencies are supposed to be on the same security configuration.

The U.S. government--with its hundreds of thousands of PCs--is pushing through a strategy for desktop security that most companies don't dare. It's moving agencies and departments from hundreds of security configurations for Windows XP and Vista to just one.

The move is supposed to be completed by February, when a directive from the White House's Office of Management and Budget goes into effect, forcing government agencies and military branches to conform to a Windows security configuration designed for the Air Force two years ago. As of June 30, all federal software contracts must specify that applications run optimally on the configuration.


The measure's sure to be met with some resistance, such as from government CIOs who have to spend time and budget making sure their legacy applications--even ones just a year or two old--run well on their newly configured PCs.

[Photo: The Air Force did it first. Photo by Airman 1st Class Nathan Doza/U.S. Air Force]
Yet going to a single configuration could eliminate more than 80% of government agencies' known PC vulnerabilities, estimates Clint Kreitner, CEO of the Center for Internet Security, who worked with the National Security Agency, the National Institute of Standards and Technology, and other agencies to develop the spec, known as the Federal Desktop Core Configuration. A single configuration would make patching easier and bring laggard agencies up to a higher security standard.

The Air Force implemented its single configuration between May and December 2006, going from several hundred configurations to one. It was a major effort, but now the Air Force can centrally test any changes against that one configuration, says Ken Heitkamp, associate director for life-cycle management in the Air Force's Office of Warfighting Integration and CIO.

Keith Rhodes, who as chief technologist at the Government Accountability Office is known as the feds' top hacker, says the new standard configuration will be a big improvement. "There's very, very little uniformity in policy and configuration," he says. "We've got to move to a more stable environment." Part of Rhodes' job is trying to hack into government agencies, and having so many security policies and configurations makes that easier since it means many machines aren't at their highest security level.

The FDCC specifies nearly 300 Windows settings. For example, Windows XP's default gives the user system administration privileges; FDCC changes that to basic privileges to limit what a hacker could reach on a compromised machine. It calls for locking down services such as Windows' messenger service--intended for system administrators to contact end users, but usable by hackers to trick users into typing in URLs and downloading viruses--and the FTP publishing service. Heitkamp says the spec turns off the Gadget feature in Windows XP, which lets people download widgets such as stock market tickers. It also turns off Windows Meeting Space, a team collaboration capability that could open security holes, and the automatic update feature that lets Microsoft push out patches.

The FDCC dictates how often passwords must be changed and how long they must be, and how long a workstation can remain idle before being automatically logged off. It spells out which users have which level of privileges and what activities must be logged.
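A desktop administrator reading the two paragraphs above would want a way to check a machine against settings of this kind before the February deadline. The following read-only audit script is an added example, not code from the article, from the FDCC checklists, or from any of the agencies named; the service names Messenger and MSFTPSVC (the IIS FTP Publishing Service) and the registry and secedit keys it reads are real Windows identifiers, but every numeric threshold (password length and age, idle timeout) is an assumed placeholder, since the article gives no numbers and the real values come from the NIST FDCC checklists.

```powershell
# Added example (not from the InformationWeek article or the FDCC itself):
# a read-only audit of a few FDCC-style desktop settings the article names.
# Threshold values marked "assumed" are illustrative placeholders, not the
# FDCC's actual numbers. Run in an elevated PowerShell for the auditpol check.

$Findings = @()

function Add-Finding($Check, $Expected, $Actual) {
    $script:Findings += [pscustomobject]@{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
        Pass     = ($Expected -eq $Actual)
    }
}

# 1. Services the article says FDCC locks down. 'Messenger' is the Windows XP
#    Messenger service; 'MSFTPSVC' is the IIS FTP Publishing Service. A service
#    that is not installed at all is treated as locked down.
foreach ($svc in 'Messenger', 'MSFTPSVC') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $state = if ($s) { $s.Status.ToString() } else { 'NotInstalled' }
    Add-Finding "Service $svc stopped or absent (state: $state)" $true ($state -ne 'Running')
}

# 2. Password policy: export the local security policy with secedit and parse
#    the [System Access] keys. secedit reports -1 for "never expires".
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(\S+)') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$minLen = [int]$policy['MinimumPasswordLength']
$maxAge = [int]$policy['MaximumPasswordAge']
Add-Finding "MinimumPasswordLength >= 12 (assumed threshold; actual $minLen)" $true ($minLen -ge 12)
Add-Finding "MaximumPasswordAge 1..60 days (assumed threshold; actual $maxAge)" $true ($maxAge -gt 0 -and $maxAge -le 60)

# 3. Idle lock: a password-protected screen saver with a short timeout.
#    Read for the current user; 900 seconds is an assumed threshold.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = [int]$desk.ScreenSaveTimeOut
Add-Finding 'ScreenSaverIsSecure = 1' '1' ([string]$desk.ScreenSaverIsSecure)
Add-Finding "ScreenSaveTimeOut 1..900 s (assumed threshold; actual $timeout)" $true ($timeout -gt 0 -and $timeout -le 900)

# 4. Least privilege: the interactive user should not be a local administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Finding 'Current user is not a local administrator' $true (-not $isAdmin)

# 5. Logging: logon events should be audited. auditpol needs elevation and its
#    output text is locale-dependent, so an empty result is reported as a fail.
$audit = auditpol /get /subcategory:"Logon" 2>$null
$logonAudited = [bool]$audit -and (($audit -join "`n") -notmatch 'No Auditing')
Add-Finding 'Logon events audited (auditpol subcategory "Logon")' $true $logonAudited

$Findings | Format-Table -AutoSize
```

The script only reads state and prints a pass/fail table, so it can be run repeatedly as agencies migrate; the thresholds are the first thing to replace with the values from the published FDCC checklist for the Windows version in question.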
