White House Specifies And Mandates Secure Windows
twitter writes "The Register is reporting on an effort to bring order to the wild world of Windows patching, at least in the US Federal Government. The White House has issued a directive to federal CIOs throughout the country, issuing a call for all new PCs to use a 'common secure configuration.' 'Registry settings and which services would be turned on or off by default [are specified and] the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"
The phrase "don't put all your eggs into one basket" comes to mind...
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
Well, if there's one White House that I think might be experts on Security, it's this one
My turnips listen for the soft cry of your love
If I have learned one thing when dealing with the federal government, it is that where there is a regulation, there is always a way to get an exception to that regulation.
One word: Monoculture.
Yes, this might be a darn sight better than what currently exists, but having all the systems have the same configuration is just ASKING for trouble. I predict that within two years, some virus or the like which would have attacked just a department or two is going to hit a huge swath across multiple departments, instead.
Unless, of course, the federal government has figured out how to configure their systems to be entirely secure. In which case, I'd suggest they share it with Microsoft and the rest of the systems on the internet.
"No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista,"
I just wanted to let you know all of those people who purchased "Unsecured Version" of Vista can upgrade to the "Secure Version" for a fee, when it is released (probably in late 2009-early 2010).
Sincerely,
Steve "Monkeyman" Ballmer
http://slashdot.org/comments.pl?sid=152118&cid=12764232
Has anyone considered if [Apple adopting Intel] is *** INTEL's *** way of diversifying, as an "off world colony of Planet Wintel"? In other words, is this a backup location in the seemingly increasingly likely implosion of the 'Win Wing' of WinTel? Nothing is "unthinkable", merely improbable.
Blustery pundits have used the phrase "national security risk" when referring to Windows. What if it were outlawed in government facilities? I have worked with LARGE corporations that 'forbade' IE on the computers. What if something unthinkable, as unthinkable as an asteroid strike is on Planet Earth, happened to Windows?
---
Don't put all yer x86's in one basket
------
And myself in 1998
The day will come when WinPlanet implodes. It happened to IBM. Hell, it happened to Apple. On that day, you will ask the reflection in your blank monitor the question, "Where do you want to go today?" [made with Mac logo]
I was there a few weeks ago and they all were using what looked like Windows 98 still. I don't think 'Vista' and 'federal agency' will be in the same sentence again for many, many years.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
...is like Unbreakable Oracle. A nice name for a marketing campaign. Something it would be nice to have. But probably a pipe dream. And it's a naming that's almost DARING people to try to break it. Not the best idea in that regard.
That said, it must be acknowledged that the federal government is actually showing some real intelligent thinking here for a change, and we should support that. "Just use whatever configuration Microsoft shipped it with" is dangerous thinking. They're looking at what services should be running, how things should be configured, etc., with a mindset of security (and not, mercifully, "ease of use"). This is a Very Good Thing.
Yeah, we can rail at "defective by design" ideas in Windows all we want, but one of the big security complaints about Microsoft OS'es is that they are NOT "Secure by default." Changing defaults doesn't get you home for security, but let's applaud a positive step, and hope Microsoft takes some note of this.
The phrase "don't put all your eggs into one basket" comes to mind...
The net result will be identically configured computers with fewer applications, a bot maker's paradise. The comply/no-comply label gives M$ more veto power over applications and that will reduce the number of applications that can be used. Everything must now be done the M$ way on Windoze, so the worst practices with the worst track record have been mandated. The identical settings are only more "secure" until someone breaks them and then they are all equally hosed.
Friends don't help friends install M$ junk.
You might need this: while(1){
printf("HA");}
Well, if there's one White House that I think might be experts on Security, it's this one.
I'm not very impressed with most of the "security" people have traded their liberty for. The failure is nowhere more apparent than the non free computing world.
Friends don't help friends install M$ junk.
If this makes most apps able to run without admin accounts it will be a step in the right direction.
Where I work, I waste half my time tweaking and prodding half-assed, government-mandated, useless POS apps just for them to work without being an administrator.
It seems Windows developers will always trade end-users' security to prevent permissions-issue support calls. And *ALL* of them develop and test as administrators. QA'ing with a user account is too much work.
BTW: Yes, the other half of my time is paperwork. (close to TPS reports)
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Look, if they just don't want to use Windows why can't they say so???
I was the network manager for a bank a while back, and during our audits we were given a list of registry/active directory policies required to get a good rating by those auditors. They also had a list of services that needed to be disabled as well (unless there was a compelling business case for those services).
I have to admit, the federal regulators did not ask us to do anything that I did not agree with. The only exception was changing our default SQL server port. I think that was around the slammer virus time and that was the quick fix. Unfortunately their "quick fix" turned into months of application research trying to figure out what we were going to break by changing the SQL port. I told the auditors that a quick nmap scan would reveal the new port easily.....and future worms would have that ability built-in. They made us change it anyway.
Beyond that, they also looked at our audit trail, monitoring and alerting, and our network/firewall architecture. You pretty much had to do everything they asked or you lost your FDIC insurance.
You should be glad the feds care about bank security....after all, it is your money they are protecting.
-ted
A very Silly AC taunts:
It's the government mandating this version of Windows, not Microsoft. Reading comprehension much?
Once the settings are specified, M$ can make the system do as they please. What, do you think Uncle Sam is going to give up patch Tuesday? The whole point is to make it easier to apply patches. It won't really work, of course, because M$ and others will keep playing the same anti-competitive tricks. When an application does not work with the settings, it, not Windoze, is rejected.
The net result is contrary to commodity computing. The whole reason for using M$ is to gain access to cheap hardware and a universe of software. Reducing your choice in software goes a long way toward making your hardware worthless. A fancy computer that does not do the task you want it to is not doing you any good. The proposed flexibility will inevitably sink to Dell software install options and people who want to get work done with specialized programs will be forced off Windoze or suffer with second rate software on expensive hardware.
The same kind of program would not be such a disaster in the free world. First, it's easy to tell what works and upgrades are already painless. Second, if something does not work, it will be fixed quickly. Third, and most importantly, the software does not have "owners" who want to mess with other software "owners".
Friends don't help friends install M$ junk.
Yep. That's one way to look at it.
A different way to look at it is that a known, reduced configuration allows vulnerabilities to be patched (government-wide) at the lowest level possible with minimum code necessary.
I for one fucking HATE the 500MB "service packs" that are released. It is far easier to test frequent, minor changes than infrequent MASSIVE changes. And it looks as if the Federal Government is finally catching on to that fact.
#1. There is no security without physical security.
#2. Run only what you absolutely need.
#3. Run it with the minimum possible rights.
Shouldn't this apply to OSes that are commercially sold? At some point I may write my own OS and release it under GPL. Should I be forced to write in functions for security, even though I am operating a car? What about embedded Linux OSes? What about FreeRTOS?
I don't think forcing OS makers to include specific functions is a step in the right direction. I think that suggesting the same is a good idea, however.
Why don't they have a DARPA-BSD or something, so they can secure the code themselves? Can the government not afford any CS majors?
Step into a huge movement. Don't Tread In Me.
What next in the agenda? Mandate water to flow upwards? Ice to burn things? Pigs to fly?
There are rumors that such things exist, in very special cases, but it is easier to see pigs fly than to see a secure windows machine.
In terms of making "unbreakable" anything, this will be as successful as the stripe in money. Within a week of the Mint putting a plastic stripe in money, there were guys in bars demonstrating how to take said stripe back out. While that is a fairly victimless crime, demonstrating how to hack and debilitate the "government standard" vista configuration will just lead to a massive botnet as everyone (except the appropriate govt bodies, of course) has already figured out.
The actual OMB memo (pdf, sorry) can be found at URL:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf
The text follows:
EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
DEPUTY DIRECTOR FOR MANAGEMENT
March 22, 2007
M-07-11 / MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES
FROM: Clay Johnson / Deputy Director for Management
SUBJECT: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
To improve information security and reduce overall IT operating costs, agencies who have Windows XP™ deployed and plan to upgrade to the Vista™ operating system, are directed to adopt the security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).
The recent release of the Vista™ operating system provides a unique opportunity for agencies to deploy secure configurations for the first time when an operating system is released. Therefore, it is critical for all Federal agencies to put in place the proper governance structure with appropriate policies to ensure a very small number of secure configurations are allowed to be used.
DoD has worked with NIST and DHS to reach a consensus agreement on secure configurations of the Vista™ operating system, and to deploy standard secure desk tops for Windows XP™. Information is more secure, overall network performance is improved, and overall operating costs are lower.
Agencies with these operating systems and/or plans to upgrade to these operating systems must adopt these standard security configurations by February 1, 2008. Agencies are requested to submit their draft implementation plans by May 1, 2007 at fisma@omb.eop.gov. With your endorsement we will work with your CIOs on this effort to improve our security for government information. If you have questions about this requirement, please contact Karen Evans, Administrator, E-Government and Information Technology at (202)395-1181 or at fisma@omb.eop.gov.
I paid the going retail price for a Windows screen reader and got a free Unix computer!
While this sounds like a good thing on the surface (the mere fact that they're paying attention to OS security is nice), I think it's bad for two reasons.
1) It ties the entire government into Windows - and on top of that, the most expensive and resource-consuming version thereof. Think of the thousands of PCs that would have to be upgraded for Vista? Now... what happens to all the old ones? (I sincerely hope that they get donated to schools or something)
2) It may prevent opensource applications from achieving any traction in the US government. Unless, of course, Microsoft is willing to give them the keys to be declared "Secure/Vista Friendly" or whatever the latest gimmick certification is. Granted, the big guns like OpenOffice and Mozilla might be able to make inroads, but smaller opensource applications might be S.O.L.
So it's nice that the issue has received consideration, but it may be a rather insidious form of consideration. And that's not a good thing.
GEEEZ
let's start with the second goddamn line of the article
"A White House directive to federal chief information officers issued this week calls for all new Windows PC acquisitions, beginning 30 June, to use a common "secure configuration"."
You'll notice that there is no mention of Macs or Linux. That's because this only affects _new windows PC acquisitions_. That means it only affects the box when you have windows on it.
"Applications (such as anti-virus, email etc) loaded onto systems remain flexible but what will be specified in the registry settings and which services would be turned on or off by default."
Look here... configuration management mandated. How about that??!
"Even more importantly, the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations."
OMFG, vendors actually have to put out products that work in secure configurations. holy crap!!! end of the goddamn world. heaven forbid we make them code securely and force them to make it work in something other than the Administrator account.
"The federal government scheme builds on the "comply or don't connect" program of the US Air Force. The principal targets are Windows XP and Vista client systems but the same ideas might be applied in Unix and Windows Servers environments over time."
Lookie there, it only applies to windows again. later on, it'll apply to windows Desktops! Not even servers. wtf is this call of monoculture I keep seeing.
Every consumer should be happy to see this, because a huge client (the biggest?) of computer hardware and software says "that's quite enough. If you can't work in our secure environment, you are going to lose a lot of business. Fix it already".
-- Who is the bigger fool? The fool or the fool who follows him? --
Seems to me that those criteria make sense. What doesn't make sense is that Microsoft chooses not to make those criteria the default configuration.
Many if not all of the US Federal agencies HAVE been doing this all along. Look back over slashdot for the last 2 - 4 weeks, and you'll see stories that several government agencies have declared moratoriums on updating to Vista. Other agencies are certainly doing the same thing, but managing their moratoriums more quietly.
I left USGOV service several years ago, but I can attest that the VA and other big agencies began actively managing update strategies as early as Win98. When Directors of VA hospitals suddenly found that their memos could not be read by the staff because they had been given the first of the fancy new computers with MS Office 97, and the staff were still using MS Office 4.3, IT departments across the country caught holy hell.
I laud the White House for issuing this directive. (This is the first time I can actually support a decision from the White House since Jan of 2001.) But it also reminds me of a wall plaque I once saw in a Department Manager's office:
I must hurry and catch up with the others
for I am the Leader.
But it is doing what the customer wants. They want a baseline configuration and any programs that don't work with their configuration aren't allowed.
They could have gotten that and a much wider choice of applications by choosing any Linux distribution. Free software package management works. A side benefit is real security
You're trying so hard to turn this around and make it about Microsoft but they have little to do with it. This is the federal government making up these rules.
That could be, but M$ can't win for losing. It would be much harder for M$ to blame the user for M$ problems if they really told the user exactly what to do. In the end, it's all about M$ and non free software. Non free software can't be as good or work together the same way free software does. It has obvious problems and the obvious solutions are difficult or impossible.
Two solutions are code sharing and configuration control. As you and others say, a smaller code base is cheaper and more secure. Competitive pressures keep non free companies from sharing libraries and their licensing makes that most obvious cost savings impossible anyway. Everyone has to reinvent every wheel or put themselves at the mercy of their non free competitors. The second most obvious cost savings measure is configuration control, but that too is impossible in the non free world. The user can flip switches, but the switches themselves will change as applications change out libraries. Without the source code, the user does not really know what the switches do anyway.
Friends don't help friends install M$ junk.
In the US Air Force, this has already happened in the form of the Standard Desktop Configuration Image that we install on all PCs. This started the middle of last year.
If you want news from today, you have to come back tomorrow.
They have. It's published here
They also have guides for OSX and Solaris.