White House Sets Single Security Configuration For Windows Computers - InformationWeek

A White House mandate to conform to one security configuration on Windows XP and Windows Vista systems should "radically reduce" vulnerabilities.

A White House directive is forcing federal government agencies, which currently use perhaps hundreds of different security configurations, to conform to a single one that was designed by the U.S. Air Force.

The move will likely involve a great deal of work. But it could "radically reduce" the number of security holes that have been plaguing federal agencies like the Department of Homeland Security and the Department of State, according to Alan Paller, director of research at the SANS Institute.

Scott Charbo, the CIO of the Department of Homeland Security, was dragged over the coals in a Congressional hearing last week because of the number of security incidents that his agency has been suffering. Another Congressional hearing earlier this year lifted part of the veil on two major security breaches at the departments of Commerce and State last summer.

Paller said the directive could begin to dig government agencies out of the security holes they've found themselves in.

The White House memorandum focuses only on systems running Microsoft's Windows XP and Windows Vista. The single configuration must be in place by Feb. 1, 2008, according to the mandate. The president's Office of Management and Budget also mandated that software vendors must supply government agencies with applications that run on this one configuration. Any vendor contract signed after Saturday, June 30, 2007 must be in line with this new rule.

The directive, which also greatly limits the number of users who are given administrative rights, is based on a move made by the Air Force a few years ago. The military branch settled on one configuration and tested it on a 400,000-user system.

In March, the White House began sending out directives that the rest of the government, as well as military agencies, must follow suit.

The configuration, known as the Federal Desktop Core Configuration (FDCC), calls for all applications designed for the average end user to run in a standard user context, without elevated system administration privileges. This way, if a user's machine is compromised, the hacker doesn't gain administrative access to the entire network.

The configuration also calls for IT administrators to lock down services like the messenger service and the FTP publishing service, so people outside the network can't get access to that computer through those services. And it calls for certain communications channels to be encrypted. The Air Force's configuration also affects password aging, meaning administrators and users have to change their passwords every 30 days.

The FDCC also mandates that the installation, operation, maintenance, and patching of any software shall not alter the configuration settings from the approved configuration.

Keith Rhodes, chief technologist at the U.S. Government Accountability Office and the man known as the fed's top hacker, said a lack of configuration conformity has become a major security issue for all government agencies, which could be using as many as several hundred different security configurations.

"This is gotta be better than it is now," he said in an interview with InformationWeek. "Right now it's really crazy out there. There's very, very little uniformity in policy and configuration. It's the U.S. government. We've got one of everything. We've got to move to a more stable environment."

Part of Rhodes' job is to try to hack into the different government agencies. Having so many different security policies and configurations in use makes his job a lot easier. And if his job is easier, it's easier for the black hat hackers, as well.
