Slashdot Mirror

← Back to Stories (view on slashdot.org)

White House Specifies And Mandates Secure Windows

Posted by Zonk on from the on-the-up-and-up dept.

twitter writes "The Register is reporting on an effort to bring order to the wild world of Windows patching, at least in the US Federal Government. The White House has issued a directive to federal CIOs throughout the country, issuing a call for all new PCs to use a 'common secure configuration.' 'Registry settings and which services would be turned on or off by default [are specified and] the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"

7 of 242 comments (clear)

  1. Security by Mateo_LeFou · · Score: 5, Funny

    Well, if there's one White House that I think might be experts on Security, it's this one

    --
    My turnips listen for the soft cry of your love
  2. If I Have Learned One Thing... by Anonymous Coward · · Score: 5, Insightful

    If I have learned one thing when dealing with the federal government, it is where there is a regulation there is always a way to get an exception to that regulation.

  3. From TFA... by Steve--Balllmer · · Score: 5, Funny

    ""No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista,"

    I just wanted to let you know all of those people who purchased "Unsecured Version" of Vista can upgrade to the "Secure Version" for a fee, when it is released (probably in late 2009-early 2010).

    Sincerely,
    Steve "Monkeyman" Ballmer

  4. Secure Vista... by Anonymous Coward · · Score: 5, Insightful

    ...is like Unbreakable Oracle. A nice name for a marketing campaign. Something it would be nice to have. But probably a pipe dream. And it's a naming that's almost DARING people to try to break it. Not the best idea in that regard.

    That said, it must be acknowledged that the federal government is actually showing some real intelligent thinking here for a change, and we should support that. "Just use whatever configuration Microsoft shipped it with" is dangerous thinking. They're looking at what services should be running, how things should be configured, etc., with a mindset of security (and not, mercifully, "ease of use"). This is a Very Good Thing.

    Yeah, we can rail at "defective by design" ideas in Windows all we want, but one of the big security complaints about Microsoft OS'es is that they are NOT "Secure by default." Changing defaults doesn't get you home for security, but let's applaud a positive step, and hope Microsoft takes some note of this.

  5. Honesty by DoofusOfDeath · · Score: 5, Funny

    White House Specifies And Mandates Secure Windows

    Look, if they just don't want to use Windows why can't they say so???

  6. Regulated businesses already have this by zerofoo · · Score: 5, Insightful

    I was the network manager for a bank a while back, and during our audits were were given a list of registry/active directory policies required to get a good rating by those auditors. They also had a list of services that needed to be disabled as well (unless there was a compelling business case for those services).

    I have to admit, the federal regulators did not ask us to do anything that I did not agree with. The only exception was changing our default SQL server port. I think that was around the slammer virus time and that was the quick fix. Unfortunately their "quick fix" turned into months of application research trying to figure out what we were going to break by changing the SQL port. I told the auditors that a quick nmap scan would reveal the new port easily.....and future worms would have that ability built-in. They made us change it anyway.

    Beyond that, they also looked at our audit trail, monitoring and alerting, and our network/firewall architecture. You pretty much had to do everything they asked or you lost your FDIC insurance.

    You should be glad the feds care about bank security....after all, it is your money they are protecting.

    -ted

  7. That;'s one way to look at it. by khasim · · Score: 5, Insightful

    The net result will be identically configured computers with fewer applications, a bot maker's paradise.

    Yep. That's one way to look at it.

    A different way to look at it is that a known, reduced configuration allows vulnerabilities to be patched (government-wide) at the lowest level possible with minimum code necessary.

    I for one fucking HATE the 500MB "service packs" that are released. It is far easier to test frequent, minor changes than infrequent MASSIVE changes. And it looks as if the Federal Government is finally catching on to that fact.

    #1. There is no security without physical security.
    #2. Run only what you absolutely need.
    #3. Run it with the minimum possible rights.