
White House Specifies And Mandates Secure Windows

twitter writes "The Register is reporting on an effort to bring order to the wild world of Windows patching, at least in the US Federal Government. The White House has issued a directive to federal CIOs throughout the country, issuing a call for all new PCs to use a 'common secure configuration.' 'Registry settings and which services would be turned on or off by default [are specified and] the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"

  • by evil_Tak ( 964978 ) on Friday March 23, 2007 @11:40AM (#18459417)
    Or perhaps some kind of security-enhanced Linux [wikipedia.org] variant...the NSA [nsa.gov] could even help develop it!
  • The actual OMB memo (Score:3, Informative)

    by beetle496 ( 677137 ) on Friday March 23, 2007 @11:50AM (#18459527) Homepage
    The actual OMB memo (pdf, sorry) can be found at URL:
    http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf [whitehouse.gov]

    The text follows:

    EXECUTIVE OFFICE OF THE PRESIDENT
    OFFICE OF MANAGEMENT AND BUDGET
    WASHINGTON, D.C. 20503
    DEPUTY DIRECTOR FOR MANAGEMENT
    March 22, 2007

    M-07-11 / MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES

    FROM: Clay Johnson / Deputy Director for Management

    SUBJECT: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems

    To improve information security and reduce overall IT operating costs, agencies who have Windows XP™ deployed and plan to upgrade to the Vista™ operating system, are directed to adopt the security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).

    The recent release of the Vista™ operating system provides a unique opportunity for agencies to deploy secure configurations for the first time when an operating system is released. Therefore, it is critical for all Federal agencies to put in place the proper governance structure with appropriate policies to ensure a very small number of secure configurations are allowed to be used.

    DoD has worked with NIST and DHS to reach a consensus agreement on secure configurations of the Vista™ operating system, and to deploy standard secure desk tops for Windows XP™. Information is more secure, overall network performance is improved, and overall operating costs are lower.

    Agencies with these operating systems and/or plans to upgrade to these operating systems must adopt these standard security configurations by February 1, 2008. Agencies are requested to submit their draft implementation plans by May 1, 2007 at fisma@omb.eop.gov. With your endorsement we will work with your CIOs on this effort to improve our security for government information. If you have questions about this requirement, please contact Karen Evans, Administrator, E-Government and Information Technology at (202)395-1181 or at fisma@omb.eop.gov.
  • Re:Hrm ... (Score:3, Informative)

    by stuntpope ( 19736 ) on Friday March 23, 2007 @12:35PM (#18460163)
    I fail to see where the directive is mandating an all-Microsoft Windows policy for the Federal Government, as some have posted here, let alone a requirement for Vista.

    From the directive, "Agencies with these operating systems and/or plans to upgrade to these operating systems must adopt these standard security configurations"

    Meaning, it only applies to existing or future Windows installs. Not, "all government computers must follow this Windows' configuration" (therefore computer must run Windows).

    Open Source *is* getting traction in the US government. Certainly there is a Microsoft monoculture, and it's frightening sometimes to see the ignorance that can result from it. But I have my choice of Windows or RedHat for servers, and not long ago I found documentation on the RedHat desktop on our help desk's web site. I groan about the .Net bandwagon-jumpers (like Java in the 90's), but there is diversity evident from where I sit.
  • by mysticgoat ( 582871 ) on Friday March 23, 2007 @01:23PM (#18460845) Homepage Journal

    The government branches/organizations should have been doing this all along, that is making every effort to ensure that their computing platforms are secure, AND comparing one vendor against another.

    Many if not all of the US Federal agencies HAVE been doing this all along. Look back over slashdot for the last 2 - 4 weeks, and you'll see stories that several government agencies have declared moratoriums on updating to Vista. Other agencies are certainly doing the same thing, but managing their moratoriums more quietly.

    I left USGOV service several years ago, but I can attest that the VA and other big agencies began actively managing update strategies as early as Win98. When Directors of VA hospitals suddenly found that their memos could not be read by the staff because they had been given the first of the fancy new computers with MS Office 97, and the staff were still using MS Office 4.3, IT departments across the country caught holy hell.

    I laud the White House for issuing this directive. (This is the first time I can actually support a decision from the White House since Jan of 2001.) But it also reminds me of a wall plaque I once saw in a Department Manager's office:

    I must hurry and catch up with the others
    for I am the Leader.

  • Re:NSA (Score:3, Informative)

    by LO0G ( 606364 ) on Friday March 23, 2007 @02:11PM (#18461677)
    They have. It's published here [nsa.gov]

    They also have guides for OSX and Solaris.
