White House Sets Single Security Configuration For Windows Computers - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications

White House Sets Single Security Configuration For Windows Computers

A White House mandate to conform to one security configuration on Windows XP and Windows Vista systems should "radically reduce" vulnerabilities.

A White House directive is forcing federal government agencies, which currently use perhaps hundreds of different security configurations, to conform to a single one that was designed by the U.S. Air Force.

The move will likely involve a great deal of work. But it could "radically reduce" the number of security holes that have been plaguing federal agencies like the Department of Homeland Security and the Department of State, according to Alan Paller, director of research at the SANS Institute.

Scott Charbo, the CIO of the Department of Homeland Security, was dragged over the coals in a Congressional hearing last week because of the number of security incidents that his agency has been suffering. Another Congressional hearing earlier this year lifted part of the veil on two major security breaches at the departments of Commerce and State last summer.

Paller said the directive could begin to dig government agencies out of the security holes they've found themselves in.

The White House memorandum focuses only on systems running Microsoft's Windows XP and Windows Vista. The single configuration must be in place by Feb. 1, 2008, according to the mandate. The president's Office of Management and Budget also mandated that software vendors must supply government agencies with applications that run on this one configuration. Any vendor contract signed after Saturday, June 30, 2007 must be in line with this new rule.

The directive, which also greatly limits the number of users who are given administrative rights, is based on a move made by the Air Force a few years ago. The military branch settled on one configuration and tested it on a 400,000-user system.

In March, the White House began sending out directives that the rest of the government, as well as military agencies, must follow suit.

The configuration, known as the Federal Desktop Core Configuration (FDCC), calls for all applications designed for the average end user to run in a standard user context, without elevated system administration privileges. This way, if a user's machine is compromised, the hacker doesn't gain administrative access to the entire network.

The configuration also calls for IT administrators to lock down services like the messenger service and the FPP publishing service, so people outside the network can't get access to that computer through those services. And it calls for certain communications channels to be encrypted. The Air Force's configuration also affects password aging, meaning administrators and users have to change their passwords every 30 days.

The FDCC also mandates that the installation, operation, maintenance, and patching of any software shall not alter the configuration settings from the approved configuration.

Keith Rhodes, chief technologist at the U.S. Government Accountability Office and the man known as the fed's top hacker, said a lack of configuration conformity has become a major security issue for all government agencies, which could be using as many as several hundred different security configurations.

"This is gotta be better than it is now," he said in an interview with InformationWeek. "Right now it's really crazy out there. There's very, very little uniformity in policy and configuration. It's the U.S. government. We've got one of everything. We've got to move to a more stable environment."

Part of Rhodes' job is to try to hack into the different government agencies. With so many different security policies and configurations in use, that just makes his job a lot easier. And if his job is easier, it's easier for the black hat hackers, as well.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Slideshows
Strategies You Need to Make Digital Transformation Work
Joao-Pierre S. Ruth, Senior Writer,  11/25/2019
Commentary
Enterprise Guide to Data Privacy
Cathleen Gagne, Managing Editor, InformationWeek,  11/22/2019
News
Watch Out: 7 Digital Disruptions for IT Leaders
Jessica Davis, Senior Editor, Enterprise Apps,  11/18/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll