Slashdot Mirror


Microsoft Releases Super-Secure XP to US Air Force

Wired is reporting that Microsoft is releasing the most secure version of Windows XP ever created, but only if you are the US Air Force. "The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us. Security experts have been arguing for this "trickle-down" model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing."

10 of 507 comments

  1. It's not a new version, it's just a configuration. by YesIAmAScript · · Score: 5, Informative

    'The Air Force, on the verge of renegotiating its desktop-software contract with Microsoft, met with Ballmer and asked the company to deliver a secure configuration of Windows XP out of the box. That way, Air Force administrators wouldn't have to spend time re-configuring, and the department would have uniform software across the board, making it easier to control and maintain patches.'

    So if you'd like to do it yourself, you can secure your XP too.

    http://nvd.nist.gov/fdcc/fdcc_faq.cfm

    I'm not sure super secure is the right word for this version of XP though, given that there are a lot of security features it is missing that Vista, Windows 7 and some other OSes have.

    --
    http://lkml.org/lkml/2005/8/20/95
  2. here's a demo by FudRucker · · Score: 1, Informative
    --
    Politics is Treachery, Religion is Brainwashing
  3. Re:Autorun? by cbiltcliffe · · Score: 3, Informative

    Modded troll by people who don't get security.

    99% secure is 100% insecure.

    It doesn't matter if there are 85% fewer vulnerabilities than before. The fact that there are still 15% left means a targeted attack will still succeed!

    All it takes is a single vulnerability, and your security is useless.

    Stop using the troll mod as a replacement for either:
    "That makes me uncomfortable."
    or
    "I don't understand that."

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  4. Re:Obviously this can't work by secPM_MS · · Score: 4, Informative
    I am a security program manager at Microsoft. The article gets much of it wrong. The Air Force wanted the machines preconfigured to a secure configuration so that they did not have to do this configuration. Such configurations are not distributed to the general public because of the impact on generalized consumer usability. Microsoft always publishes a security guide which provides guidance on configuring systems for different threat environments. For example in the Windows Vista Security Guide, Chapter 5 is titled "Specialized Security - Limited Functionality". Such security guides exist for NT on.

    Users are free to configure their systems for higher security. Note that doing so may limit functionality you are used to. For example, you can configure your system so that all users run as normal users (no administrative functionality). Running users as normal users is part of all security guidance. Not all XP software will run if you do this. You can set IE to high security mode by default and disable Flash, etc. Doing so breaks much of the web but is more secure. You can get security, but it will impact your user experience.

    It is easier to secure Vista and 2K8 server systems.

  5. Re:Cat out of the bag...? by dave562 · · Score: 2, Informative

    Where do you get that they are saying XP is more secure than Vista? Another angle to consider is the one that the Air Force has been running XP for a long time and all of their applications are coded to work with XP. Microsoft took the smart route and improved what the Air Force already had instead of forcing them into an upgrade. Vista very well may be more secure than XP, and Windows 7 might be more secure than both of them.

    For as long as I've been using computers, I've hated the forced upgrade cycle that Microsoft imposes on their customers. It would be nice if they would just stick to a single OS and improve it. For a lot of people, XP is good enough. It gets the job done and there isn't any reason to upgrade. If NT weren't such an insecure piece of turd, it could serve the needs of most businesses out there (just like Linux + Samba and OpenLDAP can). Having said that, I understand that a single OS isn't exactly a viable business model, unless you force people into support contracts. Given that Microsoft and Apple both charge for OS updates, I don't think that business model is going away any time soon.

  6. Re:I bet the british wished they had this... by anjilslaire · · Score: 4, Informative

    "let's see, Windows on hospital equipment recently got Conficker because Microsoft no longer provided security patches for Windows 2000 and NT."

    Uh, no. The MS08-067 patch that addresses Conficker was released for Windows 2000 at the same time as all the other OSes, with the exception of NT. http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

  7. Re:I bet the british wished they had this... by j79zlr · · Score: 4, Informative

    "let's see, Windows on hospital equipment recently got Conficker because Microsoft no longer provided security patches for Windows 2000 and NT."

    Extended support for Windows 2000 doesn't end until July of 2010. The patch that fixes the exploit on Win2k is here if interested.

    As for NT, the long term support ended over 5 years ago.

    --
    I'm not not licking toads.
  8. Re:Disabling those out of the box not a bad idea by Tacvek · · Score: 2, Informative

    In Windows XP Embedded, you can choose which components to install, on a significantly more fine grained scale. For example, you can leave out Windows Explorer (i.e. the icons on the desktop, task bar, and File Management tool (the my computer window, etc)). I'm not sure quite how fine grained the driver selection is, but it is still far more fine-grained than traditional XP installations. You can definitely leave out unused network stacks, etc.

    But for some reason few people seem to be aware of it, or choose to use it. I mean I've seen logic analyzers running standard OEM Windows XP.

    --
    Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  9. Re:I'll be truly impressed by Amouth · · Score: 2, Informative

    it wasn't a Whooooosh.. it was truth.. and if you read it you would understand

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  10. Re:Autorun? by DarkOx · · Score: 2, Informative

    It depends, physical security and data security are not always comparable in that sense. Yes the obnoxious alarm and police being on the way is a problem if you need to load up 50" tv and stereo into your van while fending off the dog.

    The computer paging the owner on the other hand might not be a problem. If what I want is your identity and you have a fast connection I could copy an awful lot of your home directory before you could even get to a keyboard to the machine to see what is happening, or shut it down.

    Chances are you know something about the targets you are going after. If I was cracking random windows boxes I would probably target *.doc*, *.xls*, whatever extension various tax software might use, and some other things under c:\documents and settings. Linux/Unix PCs and workstations same things only oo's extensions and /home.

    If I were attacking corporate platforms I would be after Access databases, Excel sheets, on servers with "fs" in the name. Whatever ...

    You have these things scripted before you break in. These scripts can get pretty smart with a little work, probably less work than the hack itself by miles, and you can do a lot of damage in only a few seconds.

    So yeah, detecting a breach fast is important but keeping them out in the first place probably is more important in the networked data security world than the physical world.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html