White House Specifies And Mandates Secure Windows
twitter writes "The Register is reporting on an effort to bring order to the wild world of Windows patching, at least in the US Federal Government. The White House has issued a directive to federal CIOs throughout the country, issuing a call for all new PCs to use a 'common secure configuration.' 'Registry settings and which services would be turned on or off by default [are specified and] the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"
The phrase "don't put all your eggs into one basket" comes to mind...
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
Well, if there's one White House that I think might be experts on Security, it's this one
My turnips listen for the soft cry of your love
If I have learned one thing when dealing with the federal government, it is where there is a regulation there is always a way to get an exception to that regulation.
One word: Monoculture.
Yes, this might be a darn sight better than what currently exists, but having all the systems have the same configuration is just ASKING for trouble. I predict that within two years, some virus or the like which would have attacked just a department or two is going to hit a huge swath across multiple departments, instead.
Unless, of course, the federal government has figured out how to configure their systems to be entirely secure. In which case, I'd suggest they share it with Microsoft and the rest of the systems on the internet.
I wonder why the government doesn't take such action with OSX and RedHat?
"No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista,"
I just wanted to let you know all of those people who purchased "Unsecured Version" of Vista can upgrade to the "Secure Version" for a fee, when it is released (probably in late 2009-early 2010).
Sincerely,
Steve "Monkeyman" Ballmer
Good to know the Feds are doing this for PCs.
Say goodbye to Apple in the Federal workspace, Vista is getting the 'required' stamp.
http://slashdot.org/comments.pl?sid=152118&cid=12764232
Has anyone considered if [Apple adopting Intel] is *** INTEL's *** way of diversifying, as an "off world colony of Planet Wintel"? In other words, is this a backup location in the seemingly increasingly likely implosion of the "Win Wing" of WinTel? Nothing is "unthinkable", merely improbable.
Blustery pundits have used the phrase "national security risk" when referring to Windows. What if it were outlawed in government facilities? I have worked with LARGE corporations that 'forbade' IE on the computers. What if something unthinkable, as unthinkable as an asteroid strike is on Planet Earth, happened to Windows?
---
Don't put all yer x86's in one basket
------
And myself in 1998
The day will come when WinPlanet implodes. It happened to IBM. Hell, it happened to Apple. On that day, you will ask the reflection in your blank monitor the question, "Where do you want to go today?" [made with Mac logo]
I was there a few weeks ago and they all were using what looked like Windows 98 still. I don't think 'Vista' and 'federal agency' will be in the same sentence again for many, many years.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
...is like Unbreakable Oracle. A nice name for a marketing campaign. Something it would be nice to have. But probably a pipe dream. And it's a naming that's almost DARING people to try to break it. Not the best idea in that regard.
That said, it must be acknowledged that the federal government is actually showing some real intelligent thinking here for a change, and we should support that. "Just use whatever configuration Microsoft shipped it with" is dangerous thinking. They're looking at what services should be running, how things should be configured, etc., with a mindset of security (and not, mercifully, "ease of use"). This is a Very Good Thing.
Yeah, we can rail at "defective by design" ideas in Windows all we want, but one of the big security complaints about Microsoft OS'es is that they are NOT "Secure by default." Changing defaults doesn't get you home for security, but let's applaud a positive step, and hope Microsoft takes some note of this.
HAHAHAHAHAHAHAHAH,,,,HAHAHAHAHAHAHAAHA Secure Windows, HAHAHAHAHAHAHAHAHAHAHAHAHA
H AHAHAHA
I wonder if the spyware/viruses/Trojans will run on it?
HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHHAAHAHAHAH,,,,,HAHA
Sorry, I can't help myself.... The government wants to secure Windows.... HAHAHAHAHAHAHAHAHAHAHAHAHAAHA
The only way I know to truly secure windows is to turn it off and unplug it from the network!
HAAHAHAHAHAHAHAAH
The phrase "don't put all your eggs into one basket" comes to mind...
The net result will be identically configured computers with fewer applications, a bot maker's paradise. The comply/no-comply label give M$ more veto power over applications and that will reduce the number of applications that can be used. Everything must now be done the M$ way on Windoze, so the worst practices with the worst track record have been mandated. The identical settings are only more "secure" until someone breaks them and then they are all equally hosed.
Friends don't help friends install M$ junk.
There's a lot of talk around NASA how this will cause huge headaches for scientists and R&D folks. There are very determined efforts afoot to homogenize Windows support and configuration at all NASA centers. Will make for a great bot target, and will most likely stifle development of new technologies to support NASA missions and objectives.
Well, if there's one White House that I think might be experts on Security, it's this one.
I'm not very impressed with most of the "security" people have traded their liberty for. The failure is nowhere more apparent than the non free computing world.
If this makes most apps able to run without admin accounts it will be a step in the right direction.
Where I work, I waste half my time tweaking and prodding half-assed, government-mandated, useless POS apps just for them to work without being an administrator.
It seems Windows developers will always trade end-users security to prevent permissions-issue support calls. And *ALL* of them develop and test as administrators. QA'ing with a user account is too much work.
BTW: Yes, the other half of my time is paperwork.(close to TPS reports)
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Maybe now we'll start to see a decrease of .gov and .mil boxen in the botnets...
It's a step in the right direction. A bold baby step.
Is it April 1st already?
Yes...I think the security problems caused by the monoculture can definitely be solved by making the various installs of this operating system as close to identical as possible. Furthermore, we should post all of these assumed similarities somewhere that all can see.
Heh, that's not to say any other OS would do great as the de facto standard either. I'm no big fan of Windows these days, but if Linux or Mac OS were top dog they'd be the target too. I just have to question the wisdom of this logic: This isn't working, so let's do it even harder!
They are so racist, and hate muslims.
I'm going to move to Germany, who are progressive enough to allow Muslims to beat their wives, because the Koran says it's OkEeDokee.
What a bunch of cowards. That's how afraid they are of the islamic world, a judge will rule it's OK for a muslim man to abuse his wife - rather than offend the muslims.
Just like the cowards in Minnesota, who wont revoke the licenses of muslim cab drivers who refuse to pick up the blind, in blatant opposition to the ADA.
Cowardice disguised as PC. Terrorism is real, and has worked.
Quit blaming Bush for all of the country's problems, because you're too cowardly to point at the real problem.
I don't need no instructions to know how to rock!!!!
"We shall topple Saddam and Iraq will be a bulwark of^W against terror"
(waves magic wand)
"We shall put our best men (cough) in charge and New Orleans will be spared the worst from Hurricane Katrina"
(waves magic wand)
"We shall mandate that Windows be secure and it shall, simply because we say it should be so"
(waves magic wand)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Several years ago at the anti-trust trial they ridiculed the idea of someone else determining what should and shouldn't be in their Operating System. They twisted what the Intuit CEO said, saying it would result in a National Operating System Commission. Some of us thought that idea would come back to bite them some day - and this appears to be the day. It IS a good idea for the Feds to standardize on a minimum set of functions, saying what they think should be the operating system functionality (and by default, what not). Surely it is somewhat arguable, but it is a good start, with a CUSTOMER saying what their idea of an OS is.
[Search Google for >> Microsoft antitrust "national operating system commission" ]
And this differs from standard practices in most large corporations...how?
Yes, monocultures are "infect one, infect all." However, not knowing what's running on machines, having nonstandard installed apps, allowing users to override security settings, etc. is a terrible idea for security as well. Not only does it usually lead to MORE possible exploit vectors, it also makes support a nightmare.
Every company of more than 500 employees I've dealt with has had a "standard" desktop image for its software, and restrictions about what you can do with company equipment. I'd suggest anyone suggesting this is a bad idea has no idea what supporting a large number of user machines is like. Locking down to a standard, reviewed, "secure by default" configuration is CONSIDERABLY BETTER than any plausible alternative.
It's too darn easy to say "monocultures bad!" Which is, in the abstract, true. But not when the difference between the pre-existing polyculture and the new monoculture is by removing exploit vectors present in the original polyculture. This is bad...how?
Also, at the very least, with a limited and common set of vulnerabilities, the IT staff can focus on guarding the doors they know are open, without worrying about someone coming in through the now-bricked-up window.
Not that I don't like a good MS bashing, but the government should be getting the bashing right now, not MS. The government branches/organizations should have been doing this all along, that is making every effort to ensure that their computing platforms are secure, AND comparing one vendor against another. That is how smart businesses are run. The fact that they are just now doing this is fscking scary! What compromises have already been exploited and not discovered as yet?
That it has been mandated to secure Windows installations and applications that run on it is in fact a step in the right direction. Now they just have to do the same with ALL other computing platforms. The NSA has a few hints on that http://it.slashdot.org/article.pl?sid=07/01/09/1356222 and there is also help for Linux? http://books.slashdot.org/article.pl?sid=07/03/14/1534241
To me, this is something that should have ALREADY been done several years ago. If they manage to get through all the virus/malware attacks without suffering loss of information I'll be amazed since they are just now mandating secure computing environments??? WTF?
Support NYCountryLawyer RIAA vs People
Look, if they just don't want to use Windows why can't they say so???
Seriously, can Windows — any version — be made secure?
Dog is my co-pilot.
I was the network manager for a bank a while back, and during our audits we were given a list of registry/Active Directory policies required to get a good rating by those auditors. They also had a list of services that needed to be disabled as well (unless there was a compelling business case for those services).
I have to admit, the federal regulators did not ask us to do anything that I did not agree with. The only exception was changing our default SQL server port. I think that was around the slammer virus time and that was the quick fix. Unfortunately their "quick fix" turned into months of application research trying to figure out what we were going to break by changing the SQL port. I told the auditors that a quick nmap scan would reveal the new port easily.....and future worms would have that ability built-in. They made us change it anyway.
Beyond that, they also looked at our audit trail, monitoring and alerting, and our network/firewall architecture. You pretty much had to do everything they asked or you lost your FDIC insurance.
You should be glad the feds care about bank security....after all, it is your money they are protecting.
-ted
"No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.
I didnt know there was such a thing... :-)
Laugh, it was supposed to be funny!
StarTrekPhase2 - The Five Year Mission Continues!
A very Silly AC taunts:
It's the government mandating this version of Windows, not Microsoft. Reading comprehension much?
Once the settings are specified, M$ can make the system do as they please. What, do you think Uncle Sam is going to give up Patch Tuesday? The whole point is to make it easier to apply patches. It won't really work, of course, because M$ and others will keep playing the same anti-competitive tricks. When an application does not work with the settings, it, not Windoze, is rejected.
The net result is contrary to commodity computing. The whole reason for using M$ is to gain access to cheap hardware and a universe of software. Reducing your choice in software goes a long way toward making your hardware worthless. A fancy computer that does not do the task you want it to is not doing you any good. The proposed flexibility will inevitably sink to Dell software install options and people who want to get work done with specialized programs will be forced off Windoze or suffer with second rate software on expensive hardware.
The same kind of program would not be such a disaster in the free world. First, it's easy to tell what works and upgrades are already painless. Second, if something does not work, it will be fixed quickly. Third, and most importantly, the software does not have "owners" who want to mess with other software "owners".
Yep. That's one way to look at it.
A different way to look at it is that a known, reduced configuration allows vulnerabilities to be patched (government-wide) at the lowest level possible with minimum code necessary.
I for one fucking HATE the 500MB "service packs" that are released. It is far easier to test frequent, minor changes than infrequent MASSIVE changes. And it looks as if the Federal Government is finally catching on to that fact.
#1. There is no security without physical security.
#2. Run only what you absolutely need.
#3. Run it with the minimum possible rights.
GWB and Co. live by and love security by obscurity. So, while it's mandated that software run in the most secure setup, they a) won't tell you what the settings are,
b) will slap a gag order on if you ask what the settings are because:
1) if the public were to know you asked then it could be dangerous
2) if the public were the know about yet another about which the public is not allowed to know it could be dangerous
3) if the public were to know that someone knows about yet another about which the public is not allowed to know it could be dangerous
4) if a vendor asks about the settings then they might talk with Karl Rove or Dicky C and everybody knows those blabber mouths can't keep a secret what with Karl admitting the vote fixing last fall by claiming that he had "the math", and Dick can't keep his mouth shut about CIA operatives.
and c) and get Bert to sue you if you point out that it's readily apparent that they left the most commonly hijacked ports wide open.
Never mind that most researchers are ambivalent that Vista is actually more secure than the previous Windows XP. Never mind that most large organizations take YEARS to adopt new operating systems - Principal Financial Services, headquartered in my town as a major employer, adopted XP 3 years after it was released! TFA is not necessarily "White House says use our secure Vista or You're Fired!" It's about standardizing the security settings on both existing XP and future Vista systems. Vista is promoted in the article because all federal databases and applications will have to run on it someday. I'll let the better geeks argue about homogeneity of systems, Vista's general health and superior security still being evaluated - and not mention the value of using MS vs the OS 'nixes. But the summary is specious. (But what else is new?)
This won't really make much difference when Manager Bill at the Social Security Administration takes a bunch of people's personal data home, to work over the weekend, and copies it over to the spyware-infested botnet zombie sitting in his home office.
How many times have you heard this from your users?
The government is now putting developers on notice. If your application needs something strange.....like administrative / root access for all who use the app, then guess what - you can't sell that application to the US government.
I'm actually happy to hear this. All users on our network run as a standard user. No one outside of our IT department gets administrative or root access....if their application requires it.....too bad.
-ted
Why don't they have a DARPA-BSD or something, so they can secure the code themselves? Can the government not afford any CS majors?
Step into a huge movement. Don't Tread In Me.
what next in the agenda? Mandate water to flow upwards? Ice to burn things? Pigs to fly?
There are rumors that such things exist, in very special cases, but is easier to see pigs fly than to see a secure windows machine.
After six years of idiocy and incompetence, it's actually amazing an intelligent, well thought out decision was made.
It must have accidentally slipped through the cracks. Now that Slashdot pointed it out, they will probably decide to "standardize" on Lunix. I'm sure their rollout would go as swimmingly as Munich's Linux rollout... or Bush's wars in Afghanistan or Iraq.
this incorrect but nevertheless pervasive presumption that the only PC os in the world is a Microsoft product.
Why don't they just switch to Linux? end of security problem.
Don't you have to finish the math before making judgment positive or negative, i.e.
25% of computers are bots -- let's say 500 million computers. What % of those run windows? Is it higher or lower than the % of *all computers that are running windows?
NIST does a very nice job specifying _how_ to harden a windows PC.
I have a feeling whomever is issuing directives at the white house hasn't bothered to check with NIST. http://csrc.nist.gov/itsec/guidance_WinXP.html
I just noticed they've got a Vista document going.
I've hardened PC's the NIST way. Most applications do very unexpected things when you least expect it.
This, by the way, is clearly the result of strenuous lobbying on Microsoft's part so early in the Vista game.
Got Trader Joe's? friendwich.com RSS feeds work now!
In terms of making "unbreakable" anything, this will be as successful as the stripe in money. Within a week of the Mint putting a plastic stripe in money, there were guys in bars demonstrating how to take said stripe back out. While that is a fairly victimless crime, demonstrating how to hack and debilitate the "government standard" vista configuration will just lead to a massive botnet as everyone (except the appropriate govt bodies, of course) has already figured out.
Maybe this is a dumb question but it seems too obvious not to mention: If a Vista app requires one of the services the White House's "secure" Vista has turned off by default, does that mean it can't be installed (or at least shouldn't be installed if the mandate is actually followed)? How about if the application installs a new service?
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
If it's not secure and doesn't work the way they want, shouldn't they find another product, and shouldn't Microsoft be responsible for identifying and fixing these problems and not the government with our tax dollars?
Twinstiq, game news
The actual OMB memo (pdf, sorry) can be found at http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf
The text follows:
EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
DEPUTY DIRECTOR FOR MANAGEMENT
March 22, 2007
M-07-11 / MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES
FROM: Clay Johnson / Deputy Director for Management
SUBJECT: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
To improve information security and reduce overall IT operating costs, agencies who have Windows XP(TM) deployed and plan to upgrade to the Vista(TM) operating system, are directed to adopt the security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).
The recent release of the Vista(TM) operating system provides a unique opportunity for agencies to deploy secure configurations for the first time when an operating system is released. Therefore, it is critical for all Federal agencies to put in place the proper governance structure with appropriate policies to ensure a very small number of secure configurations are allowed to be used.
DoD has worked with NIST and DHS to reach a consensus agreement on secure configurations of the Vista(TM) operating system, and to deploy standard secure desktops for Windows XP(TM). Information is more secure, overall network performance is improved, and overall operating costs are lower.
Agencies with these operating systems and/or plans to upgrade to these operating systems must adopt these standard security configurations by February 1, 2008. Agencies are requested to submit their draft implementation plans by May 1, 2007 at fisma@omb.eop.gov. With your endorsement we will work with your CIOs on this effort to improve our security for government information. If you have questions about this requirement, please contact Karen Evans, Administrator, E-Government and Information Technology at (202)395-1181 or at fisma@omb.eop.gov.
I paid the going retail price for a Windows screen reader and got a free Unix computer!
While this sounds like a good thing on the surface (the mere fact that they're paying attention to OS security is nice), I think it's bad for two reasons.
1) It ties the entire government into Windows - and on top of that, the most expensive and resource-consuming version thereof. Think of the thousands of PCs that would have to be upgraded for Vista. Now... what happens to all the old ones? (I sincerely hope that they get donated to schools or something)
2) It may prevent opensource applications from achieving any traction in the US government. Unless, of course, Microsoft is willing to give them the keys to be declared "Secure/Vista Friendly" or whatever the latest gimmick certification is. Granted, the big guns like OpenOffice and Mozilla might be able to make inroads, but smaller opensource applications might be S.O.L.
So it's nice that the issue has received consideration, but it may be a rather insidious form of consideration. And that's not a good thing.
The government has a lot of different OSes, I am sure, with Windows, I am sure, having the biggest footprint. I am also sure this is an attempt to secure the Windows footprint. They should have mandated patching and security settings/levels a long time ago, and once more they should do it with all OSes in use within the government, not just Microsoft OSes. All software used by the government should have to conform to a standard, and that should apply across the board, whether it runs on a Nix or Win.
-Nex6
Your point would be taken more seriously if you could
pluralise "virus" correctly
What if Office or IE or Lookout won't run under Secure Vista but Open Office and Firefox etc. will ? Could be an opportunity, or at the worst ( ;-) ) more secure MS apps
GEEEZ
let's start with the second goddamn line of the article
"A White House directive to federal chief information officers issued this week calls for all new Windows PC acquisitions, beginning 30 June, to use a common "secure configuration"."
You'll notice that there is no mention of Macs or Linux. That's because this only affects "new Windows PC acquisitions". That means it only affects the box when you have Windows on it.
"Applications (such as anti-virus, email etc) loaded onto systems remain flexible but what will be specified in the registry settings and which services would be turned on or off by default."
Look here... configuration management mandated. How about that??!
"Even more importantly, the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations."
OMFG, vendors actually have to put out products that work in secure configurations. holy crap!!! end of the goddamn world. heaven forbid we make them code securely and force them to make it work in something other than the Administrator account.
"The federal government scheme builds on the "comply or don't connect" program of the US Air Force. The principal targets are Windows XP and Vista client systems but the same ideas might be applied in Unix and Windows Servers environments over time."
Lookie there, it only applies to windows again. later on, it'll apply to windows Desktops! Not even servers. wtf is this call of monoculture I keep seeing.
Every consumer should be happy to see this, because a huge client (the biggest?) of computer hardware and software says "that's quite enough. If you can't work in our secure environment, you are going to lose a lot of business. Fix it already".
-- Who is the bigger fool? The fool or the fool who follows him? --
All along, the answer to virii, malware, hacking, and botnets was right at our fingertips. Just have the government "mandate" Windows be secure!
Ooooh better yet. Just have the government "mandate" that no one produce virii, malware or botnets and make hacking illegal!
The tough thing in software testing is to reasonably define what needs to be tested. The testing is tedious but trivial and can be subcontracted.
Seems to me that those criteria make sense. What doesn't make sense is that Microsoft chooses not to make those criteria the default configuration.
No would could've predicted the firewall would be breached...
So, that pretty much means the feds can't buy any more Windows software. Cool.
---- Booth was a patriot ----
So maybe it's not the greatest idea to have politicos making IT policy?
So let's see if even the NSA can come up with a secure configuration for windows.
(Or at least one that's secure against everybody but the NSA. B-) )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
We will see if M$ will give them permission for their software to work. Programmers for anti-virus, Netscape, Corel, IBM and everyone but M$ have complained about issues like this in the past. M$ only wishes it had been so easy as that to get rid of those former competitors and their wish appears to have come true.
The ultimate loser is M$, of course. What will they be left with when they drive everyone else off their platform? How well paid will programmers be if their only potential employer has to give up most of their profits to M$?
Yep, ditto at NIH with this and full disk encryption for all laptops. If you use a computer for something more than basic office tasks this becomes very problematic.
You mean NASA uses Windows for scientific applications? No wonder the think tank doesn't get any money anymore...
"People who are willing to sacrifice essential freedoms for security deserve neither freedom nor security."
B F
The AC speculates: ... they a) won't tell you what the settings are, ...
But the TFA says that one of the major points of the exercise is to give developers a common configuration to develop for and test against.
So they'll be telling all the developers - which means all the potential developers - which means everybody.
Cute idea. But the tinfoil brim got between the AC's eyes and the screen. B-)
Now that Slashdot pointed it out, they will probably decide to "standardize" on Lunix.
The TFA says the "same idea may be applied to Unix and Windows Servers over time".
At the resolution of such press releases "Unix" would include Linux and OSX.
It will never come to pass. This is like trying to create a chorus from a sack of cats.
But it is doing what the customer wants. They want a baseline configuration and any programs that don't work with their configuration aren't allowed.
They could have gotten that and a much wider choice of applications by choosing any Linux distribution. Free software package management works. A side benefit is real security.
You're trying so hard to turn this around and make it about Microsoft but they have little to do with it. This is the federal government making up these rules.
That could be, but M$ can't win for losing. It would be much harder for M$ to blame the user for M$ problems if they really told the user exactly what to do. In the end, it's all about M$ and non free software. Non free software can't be as good or work together the same way free software does. It has obvious problems and the obvious solutions are difficult or impossible.
Two solutions are code sharing and configuration control. As you and others say, a smaller code base is cheaper and more secure. Competitive pressures keep non free companies from sharing libraries and their licensing make that most obvious cost savings impossible anyway. Everyone has to reinvent every wheel or put themselves at the mercy of their non free competitors. The second most obvious cost savings measure is configuration control, but that too is impossible in the non free world. The user can flip switches, but the switches themselves will change as applications change out libraries. Without the source code, the user does not really know what the switches do anyway.
Most of what I've seen so far says "This will make them easy targets". Yet the only way I can make sense of this is as follows:
1. Every computer has an identical OS build on it (most enterprises have something like this already in place - nobody in their right mind wants to support 100 slightly different builds).
2. That build is locked down thoroughly, so only necessary services run. (Most enterprises probably don't go quite that far, but in an environment where you're very concerned about security you might).
2a. This probably applies to local functions as well as remote services. So things like ActiveX configuration is probably nailed down as well.
3. Applications which require admin rights are verboten. (Not always very feasible in the real world right now, but high time someone put their foot down and said "if you want to sell us software, it must run as a restricted user". Certainly the assumption on /. that everyone out there has admin rights to their work PC "because they have to" is complete rubbish - I don't think I've ever seen that).
I don't see how this is any different to a policy of demanding that anything which goes directly on the Internet has all unnecessary services turned off, no unnecessary software installed and ensuring that which you do have to run is secured as much as possible - and that's generally considered best practise. What's the problem?
This is true with all federal government research. Windows is increasingly becoming the only tool approved and it is getting harder to use non-Windows tools. Take for example the wide ranging Navy Marine contract that specifies essentially the same solution for the receptionist desktop as on the scientist/engineering desktop. All applications have to be on the "approved" list which eliminates many instances of great open source and freeware software. It is a sad trend - they may as well nationalize Microsoft.
only works when they all have the same hardware. There are, like, a lot of systems that need different hardware that they can't get rid of.
What is this "registry" of which you speak?
(man, I wish I could deliver that with a straight face)
..just make a standard issue 'nix distro already! SELinux or something OpenBSD based perchance? They're both already extremely secure (and not just through obscurity--though it helps).
...and now that tune will be stuck in my head all day.
Of course...I'd have to walk around saying stuff like "Learning (to use it) is half the battle" and "G. I. OOOOOOOOOOOOO--S"
In the US Air Force, this has already happened in the form of the Standard Desktop Configuration Image that we install on all PCs. This started the middle of last year.
If you want news from today, you have to come back tomorrow.
Don't you have to finish the math before making judgment positive or negative, i.e.
Yes, but that's what this tireless M$ Defender is trying to deny without actually having the nerve to say it. All you really need to know is that botnets are more prevalent on Windoze than any other platform to know that more than 1 in 4 of Windoze computers are part of a botnet. Study after study has shown the relative security of the platforms. Macthorp and his sock puppets continue to beat the "Windoze is most secure OS" drum any way they can. Saying so directly will get you laughed at, so they are trying to build an unreasonable fear of other OSes. Only the most naive of M$ users or hard headed of fanboys could equate the service records of M$ with any other software.
Friends don't help friends install M$ junk.
Who the hell promoted you from "monkeyboy?"
Your problem is that you can't distinguish between the two. But that's an issue you seem to be afflicted with anyway.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Rule 1: If it can have its programming altered in the field, it is not secure.
Rule 2: If it accepts executable instructions from any unauthorized source, it is not secure.
Rule 3: Any deviation from an assigned purpose can be considered to be a security breach.
It is difficult to have a toaster or microwave oven infected by malware or part of a botnet. You want security? Start using the "appliance" model and there will be security. A general-purpose computer that can have new programming installed is obviously a security risk and giving the user the ability to install such programming is an invitation to disaster.
1. It talks about desktop security configurations. Alan Paller from SANS talked about desktop applications, but Clay Johnson's actual memo does not.
2. It says nothing about servers.
3. There's no mention of Solaris, AIX, OS/X, Linux, BSD, VMS, or any other non-Microsoft operating system in common use.
While it's true the total number of Windows XP/Vista desktops will far outnumber all the server and non-Windows systems, by ignoring them this memo is no more of a security solution than "3 cups of flour" is a recipe for bread.
Home Basic, Home Premium, Business, Enterprise, Ultimate... There is no Vista Secure. Given the demand, how did Microsoft miss that one?
Loose lips lose spit.
There's a difference between being "pro-Microsoft" or as you succinctly put it, "tireless M$ defenders", and being anti-bullshit. Your problem is that you can't distinguish between the two.
You listed three "personalities". Which one do you claim for the dedazo attack troll sock puppet?
Friends don't help friends install M$ junk.
You're the one denying that "1 in 4 computers" could include operating systems that you don't loathe and despise with every beat of your blackened, shriveled heart. Why else would you continue to link to your own comments on the subject, instead of the original, OS-agnostic source?
By the way, here's that original source article that Twitter can't bring himself to link to.
This sig intentionally left blank.
Yes, but when they really care the exceptions are circular. An obvious exception to the new Windoze lockdown is to run gnu/linux. The obvious block is to make it so most people can't do that.
Corporate welfare policies require frequent M$ license purchases. It's a pity they don't support other nice American companies like Red Hat, IBM, Novell, Mepis, Ubuntu, and so on and so forth that should obviously be the low bidders.
Friends don't help friends install M$ junk.
If my work was intended to benefit society, I wouldn't want it within 10 miles of any Windows system. The best security for Windows is to not use Windows.
You know, people have the impression that people in government are lazy, doing nothing but posting on Internet message boards all day. Well, I for one am not going...
Oooh! Somebody brought donuts! BRB
Anyways, as I was saying... ah, you know what? All that sugar made me sleepy. I could use a little nap. Hell, it's Friday, I'll finish this post next week.
Are you staying 'till five? Can you clock out for me?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I thought that the CC already applies to all government desktop systems?
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Are they in a bad part of town or something? Are they going to use bars or Lexan?
The net re$ult will be identically configured computer$ with fewer application$, a bot maker'$ paradi$e. The comply/no-comply label give M$ more veto power over application$ and that will reduce the number of application$ that can be u$ed. Everything mu$t now be done the M$ way on Windoze, $o the wor$t practice$ with the wor$t track record have been mandated. The identical $etting$ are only more "$ecure" until $omeone break$ them and then they are all equally ho$ed.
I was the network manager for a bank a while back, and during our audits we were given a list of registry/active directory policies required to get a good rating by those auditors. They also had a list of services that needed to be disabled as well (unless there was a compelling business case for those services).
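The numbered lockdown list above (identical build, only necessary services, no admin rights) and the bank auditors' list of required registry policies and disabled services describe the same thing in practice: a baseline, and a way to check a machine against it. The following is an added example, not code from the thread or from any federal baseline (the memo's actual settings are not reproduced here): a Python script that parses the text output of `reg query` and of concatenated `sc qc` calls and reports each deviation from a hypothetical baseline. The baseline entries, the sample command output, and the service names chosen for it are constructed for illustration.

```python
"""Compare captured `reg query` / `sc qc` output against a configuration baseline.

Added example. The baseline below is hypothetical; the sample output is
constructed to look like what the two Windows commands print.
"""
import re
from typing import Dict, List, Tuple, Union

RegKey = Tuple[str, str]  # (key path, value name)

# Hypothetical baseline: required registry data and required service start types.
REG_BASELINE: Dict[RegKey, int] = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "ConsentPromptBehaviorAdmin"): 2,
}
SERVICE_BASELINE: Dict[str, str] = {
    "RemoteRegistry": "DISABLED",
    "TlntSvr": "DISABLED",
    "wuauserv": "AUTO_START",
}

# Constructed sample of `reg query <key>` output (one key, three values).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
"""

# Constructed sample of two concatenated `sc qc <service>` outputs.
SAMPLE_SC_QC = """
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
"""

_REG_VALUE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
_SVC_NAME = re.compile(r"^SERVICE_NAME:\s*(\S+)")
_START_TYPE = re.compile(r"^\s*START_TYPE\s*:\s*\d+\s+(\S+)")


def parse_reg_query(text: str) -> Dict[RegKey, Union[int, str]]:
    """Map (key path, value name) -> data; REG_DWORD hex data is converted to int."""
    values: Dict[RegKey, Union[int, str]] = {}
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line names the key
            current_key = line.strip()
            continue
        m = _REG_VALUE.match(line)
        if m and current_key:
            name, kind, data = m.groups()
            values[(current_key, name)] = int(data, 16) if kind == "REG_DWORD" else data
    return values


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Map service name -> START_TYPE label (AUTO_START, DEMAND_START, DISABLED, ...)."""
    starts: Dict[str, str] = {}
    name = None
    for line in text.splitlines():
        m = _SVC_NAME.match(line)
        if m:
            name = m.group(1)
            continue
        m = _START_TYPE.match(line)
        if m and name:
            starts[name] = m.group(1)
    return starts


def check_baseline(reg_text: str, sc_text: str) -> List[str]:
    """Return one finding per deviation; a setting that cannot be read is reported too."""
    findings: List[str] = []
    reg = parse_reg_query(reg_text)
    for (key, name), expected in REG_BASELINE.items():
        actual = reg.get((key, name))
        if actual is None:
            findings.append(f"registry {key}\\{name}: value missing (expected {expected})")
        elif actual != expected:
            findings.append(f"registry {key}\\{name}: expected {expected}, found {actual}")
    svc = parse_sc_qc(sc_text)
    for name, expected in SERVICE_BASELINE.items():
        actual = svc.get(name)
        if actual is None:
            findings.append(f"service {name}: not in sc output, verify manually")
        elif actual != expected:
            findings.append(f"service {name}: expected {expected}, found {actual}")
    return findings


if __name__ == "__main__":
    for finding in check_baseline(SAMPLE_REG_QUERY, SAMPLE_SC_QC):
        print(finding)
```

Against the sample data the script reports three deviations: the UAC prompt setting is 0 where the baseline wants 2, RemoteRegistry is set to start automatically instead of being disabled, and TlntSvr is absent from the captured output and so cannot be verified. Missing values are reported rather than silently passed, which is the difference between "compliant" and "not checked".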
Did it make a difference or was it just more busy work? Did they have you get rid of IE, Outlook Express and other trouble makers that lead to propagation like this? Even if you do get rid of those applications, can you really secure the underlying software without software freedom? I know that might be difficult at first, but it's easier than the continual patch and upgrade train most companies are already on.
Friends don't help friends install M$ junk.
You're the one denying that "1 in 4 computers" could include operating systems that you don't loathe and despise with every beat of your blackened, shriveled heart.
No, I just think the botnet rate for all non M$ OS is vanishingly small. Show me a study that proves something different, you insulting pest.
Friends don't help friends install M$ junk.
The ultimate lo$er i$ M$, of cour$e. What will they be left with when they drive everyone el$e off their platform? How well paid will programmer$ be if their only potential employer ha$ to give up mo$t of their profit$ to M$?
Many shit pieces I see:
-install at the root of C:\ (users and power users have no Write perms there by default)
-are hard coded that way so you can't move them to program files.
-Change permissions of folders to Full Control for Everyone group (security.. what's that?)
-only work for the user account that installed it.
-are packaged in Installshit Quasi-MSI format that can't run Unattended or need Setup.exe
-phone home without telling you (ie Nero, MS updates, WGA)
-con you into installing patches to your application that cripple a feature of the app to force you to upgrade (QuickBooks)
-come bundled with spyware/adware (Adobe Acrobat reader 5x and up)
MS and their MSI standard is not helping much:
-Setting Permission using MSI's "Lock Permissions" is a joke since it trashes and replaces existing permissions. Must use SETACL (http://setacl.sourceforge.net/) that will do inherited perms on anything
-Setting Permission on services is not doable in MSI natively (again use SETACL)
(Wise and Installshield are not helping here either, too busy changing owners)
-In any version of Windows NT, Users cannot see the calendar by double clicking the time in the system tray. (so we gave end-users Power user accounts!!)
-IE is part of the OS and runs funny with a User account
-You can't defrag HDs without being an Admin.
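The complaints above about installers that drop files at the root of C:\ and grant Full Control to Everyone are exactly what a restricted-user policy has to catch: once a broad group can modify an application directory, any user on the box can replace what runs. This is an added example, not from the thread or from any vendor: a Python parser for the text `icacls <path>` prints, which flags ACEs that give broad principals (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) any write-capable right. The sample `icacls` output and the path are constructed; the set of "broad" principals is an assumption, a reasonable starting set rather than an exhaustive one.

```python
"""Flag application directories that broad principals can write to, from icacls output.

Added example. The sample output is constructed to match the format of
`icacls C:\Program Files\VendorApp` on Windows.
"""
import re
from typing import List, Tuple

# Principals whose write access defeats the restricted-user model (assumed set).
BROAD_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}
# icacls simple rights (F, M, W, D) and specific rights that allow modification.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WEA", "WA", "DC", "DE", "WDAC", "WO"}

# Constructed icacls output: the vendor installer added Everyone:(OI)(CI)(F).
SAMPLE_PATH = r"C:\Program Files\VendorApp"
SAMPLE_ICACLS = r"""C:\Program Files\VendorApp NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(F)
                           Everyone:(OI)(CI)(F)
                           BUILTIN\Users:(I)(OI)(CI)(RX)
                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# principal, then ':' followed by one or more parenthesised flag groups to end of line
_ACE = re.compile(r"^(.*?):((?:\([^)]*\))+)$")


def parse_icacls(path: str, text: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, [flag groups]) for every ACE in the output of `icacls path`."""
    aces: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):  # the first line carries the path before its ACE
            line = line[len(path):].strip()
        m = _ACE.match(line)
        if not m:
            continue
        principal, flag_str = m.groups()
        flags = re.findall(r"\(([^)]*)\)", flag_str)
        aces.append((principal, flags))
    return aces


def writable_by_broad_principal(path: str, text: str) -> List[Tuple[str, str]]:
    """Return (principal, rights) for allow ACEs that let a broad principal modify `path`."""
    findings: List[Tuple[str, str]] = []
    for principal, flags in parse_icacls(path, text):
        if "DENY" in flags:  # deny ACEs never grant anything
            continue
        rights = flags[-1].split(",")  # the last group holds the rights (e.g. F, RX or GR,GW)
        if principal.lower() in BROAD_PRINCIPALS and WRITE_RIGHTS.intersection(rights):
            findings.append((principal, flags[-1]))
    return findings


if __name__ == "__main__":
    for principal, rights in writable_by_broad_principal(SAMPLE_PATH, SAMPLE_ICACLS):
        print(f"{SAMPLE_PATH}: {principal} has {rights}")
```

Run over the sample, only the Everyone entry is reported; BUILTIN\Users with (RX) is what a correctly packaged application should leave behind. The same check, pointed at the per-machine directories an installer touches, is the kind of gate a "must run as a restricted user" purchasing rule needs behind it.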
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
The way you've shown anything that proves the estimates you continually cite as fact?
I can not state with authority that 1 in 4 computers are in a botnet, because I am citing an unscientific estimate. Likewise, you can not state with authority that 1 in 4 Windows installations are in a botnet, because you are (indirectly) citing an unscientific estimate. Not that it stops you from trying.
In fact, any time somebody asks you to cite a source for your outrageous assertions, you quickly clam up. We're still waiting for your proof that Microsoft litigated the Zaurus out of existence.
So what's it going to be, Twitter? Accountability or spite? Your choice.
This sig intentionally left blank.
The net re$ult i$ contrary to commodity computing. The whole rea$on for u$ing M$ i$ to gain acce$$ to cheap hardware and a univer$e of $oftware. Reducing your choice in $oftware goe$ a long way toward making your hardware worthle$$. A fancy computer that doe$ not do the ta$k you want it to i$ not doing you any good. The propo$ed flexibility will inevitably $ink to Dell $oftware in$tall option$ and people who want to get work done with $pecialized program$ will be forced off Windoze or $uffer with $econd rate $oftware on expen$ive hardware.
The $ame kind of program would not be $uch a di$a$ter in the free world. Fir$t, it'$ ea$y to tell what work$ and upgrade$ are already painle$$. $econd, if $omething doe$ not work, it will be fixed quickly. Third, and mo$t importantly, the $oftware doe$ not have "owner$" who want to me$$ with other $oftware "owner$".
Hey, as long as they standardize:
BUGS=OFF
everything should be just fine.
Have gnu, will travel.
Two $olution$ are code $haring and configuration control. A$ you and other$ $ay, a $maller code ba$e i$ cheaper and more $ecure. Competitive pre$$ure$ keep non free companie$ from $haring librarie$ and their licen$ing make that mo$t obviou$ co$t $aving$ impo$$ible anyway. Everyone ha$ to reinvent every wheel or put them$elve$ at the mercy of their non free competitor$. The $econd mo$t obviou$ co$t $aving$ mea$ure i$ configuration control, but that too i$ impo$$ible in the non free world. The u$er can flip $witche$, but the $witche$ them$elve$ will change a$ application$ change out librarie$. Without the $ource code, the u$er doe$ not really know what the $witche$ do anyway.
I can not state with authority that 1 in 4 computers are in a botnet, because I am citing an unscientific estimate.
I'm not asking you to better Michael Dell and Vint Cerf's estimate, I'm asking you to show me evidence of any significant gnu/linux worm. There's nothing wrong with that estimate, if you use it in a rough way and that's what I've done. A one in four estimate means that they pegged their estimate around there. Based on Windoze survival time studies, I'd say the rate is more like 95%, but you don't really care for my opinion so I'll quote Dell who has much to gain from underestimating the problem. Now, it's your turn. Go ahead and find me some news about any significant gnu/linux worm or quit wasting my time. If you can't, just adjust that 25% up by M$'s smaller than unitary share of internet connected computers because the botnet is all M$ powered.
Friends don't help friends install M$ junk.
I'm redoing my PC after scraping the hard drive clean. Things were getting weird, my wireless network card isn't as dead as I thought it was, something really wasn't right. But last time around my regular user was an administrator user, which is probably a bad idea. So this time I'm trying to do better, have an admin user to do all installing and configuring, regular user accounts I actually use to do stuff would only be limited users under XP.
:(
Hah! You can't freakin even do that. Half-Life 2 and/or Steam requires you to be an administrator for it to run. TaxCut requires you to be an administrator for it to run. How the heck am I supposed to secure my machine in a more responsible way if none of my software is allowed to run that way? WTF?
I doubt I'd be able to get this sort of Vista, even if it was decided that it was a good configuration. Considering compatibility, resource requirements, slowdowns, etc. I don't want Vista at all right now anyway, maybe in a year or two. Sucks that I can't buy a laptop with XP anymore, I should have got something before Vista Day.
Worm? What do worms have to do with botnets? Oh, I know. You've realized and accepted that Linux botnets do exist and they're not all "M$ powered". How do those 10,000 IRC zombies get pwned twit? Magic? Or operator stupidity? How many are there out there?
Funny that. You understand that all I need is a single happy internet-facing Server 2003 machine to essentially invalidate your implied connection between the "futility" of patching (didn't you call it "silly patches" a few posts ago?) Windows to the probability of that box being in a botnet. Just one. That's it. That takes care of your beloved but risible "half life" statistics that deal in unpatched machines (circa 1999 no less), as well as your insane "M$ is to blame for everything" argument.
Reality sucks, doesn't it?
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
A "Secure Windows?" I think Bush misspoke (again) and really meant to say "Linux." Personally, I'd settle on Apple, too. Actually, I think we'd see a paradigm shifting without a clutch if anyone in government got an Apple PC...
Consider yourself spoken to.
You mean like google, amazon, etrade, or paypal http://www.netcraft.com/? Nah, I guess hackers would never consider those valuable targets.
"Be grateful for what you have. You may never know when you may lose it."
a few idiots undo all of the mandatory security settings. Then Congress informs the White House they have a problem.
Vista Secure?
ROTFLMAO!!!!!
Anyone has to have the utmost nerve to even imply that Vista could have even a remote possibility of being secure !!!!!!!!!!!!!!!!!!!!!
Why not just have all machines have zero access to the internet except via a special proxy that converts every single website externally accessed that is NOT part of a whitelist, to be converted at the server side into a big JPEG so that it's still readable and clickable using image maps, but there is zero html rendering/js/java. If it's not part of the good white list, it's jpeged. Otherwise, it's ok to pass through.
Liberty freedom are no1, not dicks in suits.
Actually, our biggest headaches came from SQL injection attacks against our internet banking application. The MS stuff never really gave us a problem thanks to many layers of security (intrusion detection, content filters, restricted internet access, anti-virus, low-default permissions....etc).
Still, an internet banking application, that was open source, may have prevented those SQL injection vulnerabilities due to many eyeballs looking at the code.
-ted
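The bank's real trouble was SQL injection in its own internet banking application, not the desktop build, and the fix for that is independent of the operating system: stop assembling SQL from user-supplied strings. This is an added example, not code from the thread or from any banking product, using Python's standard sqlite3 module with a constructed one-row users table. It places the concatenating login check beside the parameterised one and shows that the classic tautology input passes the first and fails the second. Column and function names are the example's own.

```python
"""String-built SQL beside a parameterised query: the defect the bank auditors were chasing.

Added example. The table and its single row are constructed; a real system
would store a salted password hash and compare a hash of the submitted password.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The 'before': attacker-controlled text becomes part of the SQL statement."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The fix: placeholders keep user input as data, never as SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


# The textbook tautology: turns "... AND password_hash = ''" into
# "... AND password_hash = '' OR '1'='1'", which is true for every row.
INJECTED_PASSWORD = "' OR '1'='1"


def demonstrate() -> dict:
    """Return each function's verdict on a correct login, a wrong password and the injected one."""
    conn = setup_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "hash-of-alice-password"),
        "vulnerable_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, "alice", INJECTED_PASSWORD),
        "parameterized_correct": login_parameterized(conn, "alice", "hash-of-alice-password"),
        "parameterized_wrong": login_parameterized(conn, "alice", "wrong"),
        "parameterized_injected": login_parameterized(conn, "alice", INJECTED_PASSWORD),
    }


if __name__ == "__main__":
    for case, ok in demonstrate().items():
        print(f"{case:24s} -> {'login accepted' if ok else 'login refused'}")
```

Both functions accept the genuine credentials and refuse a wrong password; only the concatenating version also accepts the injected string, because the quote in it closes the literal and the rest is parsed as SQL. With placeholders the same string is compared as an opaque value, so a username such as `o'brien` works and an injected one does not. Input filtering and an IDS in front of the application, as the post lists, are defence in depth; the query itself is where the vulnerability is fixed.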