
White House Specifies And Mandates Secure Windows

twitter writes "The Register is reporting on an effort to bring order to the wild world of Windows patching, at least in the US Federal Government. The White House has issued a directive to federal CIOs throughout the country, issuing a call for all new PCs to use a 'common secure configuration.' 'Registry settings and which services would be turned on or off by default [are specified and] the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"
This discussion has been archived. No new comments can be posted.

  • Heh (Score:4, Insightful)

    by Ethelred Unraed ( 32954 ) * on Friday March 23, 2007 @05:40AM (#18455939) Journal

    The phrase "don't put all your eggs into one basket" comes to mind...

    Cheers,

    Ethelred

  • Re:Heh (Score:4, Insightful)

    by jimstapleton ( 999106 ) on Friday March 23, 2007 @10:57AM (#18458695) Journal
    I would have added "All applications must run in Wine under BSD or Linux", or have a version in BSD or Linux, to the requirements to prevent lock-in
  • by Anonymous Coward on Friday March 23, 2007 @10:57AM (#18458705)
    If I have learned one thing when dealing with the federal government, it is where there is a regulation there is always a way to get an exception to that regulation.

  • Yikes! (Score:4, Insightful)

    by martyb ( 196687 ) on Friday March 23, 2007 @10:59AM (#18458729)

    One word: Monoculture.

    Yes, this might be a darn sight better than what currently exists, but having all the systems have the same configuration is just ASKING for trouble. I predict that within two years, some virus or the like which would have attacked just a department or two is going to hit a huge swath across multiple departments, instead.

    Unless, of course, the federal government has figured out how to configure their systems to be entirely secure. In which case, I'd suggest they share it with Microsoft and the rest of the systems on the internet.

  • Re:Heh (Score:4, Insightful)

    by Anonymous Coward on Friday March 23, 2007 @10:59AM (#18458745)
    To be fair they are mandating specific Windows configurations for systems running Windows. They are not mandating the use of Windows (of course a lot of gov systems do for other reasons...).
  • Re:Security (Score:5, Insightful)

    by eln ( 21727 ) on Friday March 23, 2007 @11:00AM (#18458765)
    Actually, this White House seems to champion the idea of "security through obscurity," which puts them right in line with Microsoft's idea of security. This should work out well.
  • So long Apple (Score:1, Insightful)

    by Anonymous Coward on Friday March 23, 2007 @11:00AM (#18458767)
    Good to know the Feds are doing this for PCs.

    Say good bye to Apple in the Federal workspace, Vista is getting the 'required' stamp.
  • Quoting myself (Score:5, Insightful)

    by starglider29a ( 719559 ) on Friday March 23, 2007 @11:01AM (#18458773)
    http://slashdot.org/comments.pl?sid=152118&cid=12764232 [slashdot.org]

    Has anyone considered if [Apple adopting Intel] is *** INTEL's *** way of diversifying, as an "off world colony of Planet Wintel"? In other words, is this a backup location in the seemingly increasingly likely implosion of the 'Win Wing" of WinTel? Nothing is "unthinkable", merely improbable.

    Blustery pundits have used the phrase "national security risk" when referring to Windows. What if it were outlawed in government facilities? I have worked with LARGE corporations that 'forbade' IE on the computers. What if something unthinkable, as unthinkable as an asteroid strike is on Planet Earth, happened to Windows?

    ---
    Don't put all yer x86's in one basket
    ------
    And myself in 1998

    The day will come when WinPlanet implodes. It happened to IBM. Hell, it happened to Apple. On that day, you will ask the reflection in your blank monitor the question, "Where do you want to go today?" [made with Mac logo]
  • Secure Vista... (Score:5, Insightful)

    by Anonymous Coward on Friday March 23, 2007 @11:02AM (#18458789)
    ...is like Unbreakable Oracle. A nice name for a marketing campaign. Something it would be nice to have. But probably a pipe dream. And it's a naming that's almost DARING people to try to break it. Not the best idea in that regard.

    That said, it must be acknowledged that the federal government is actually showing some real intelligent thinking here for a change, and we should support that. "Just use whatever configuration Microsoft shipped it with" is dangerous thinking. They're looking at what services should be running, how things should be configured, etc., with a mindset of security (and not, mercifully, "ease of use"). This is a Very Good Thing.

    Yeah, we can rail at "defective by design" ideas in Windows all we want, but one of the big security complaints about Microsoft OS'es is that they are NOT "Secure by default." Changing defaults doesn't get you home for security, but let's applaud a positive step, and hope Microsoft takes some note of this.
  • by twitter ( 104583 ) on Friday March 23, 2007 @11:07AM (#18458863) Homepage Journal

    > The phrase "don't put all your eggs into one basket" comes to mind...

    The net result will be identically configured computers with fewer applications, a bot maker's paradise. The comply/no-comply label gives M$ more veto power over applications and that will reduce the number of applications that can be used. Everything must now be done the M$ way on Windoze, so the worst practices with the worst track record have been mandated. The identical settings are only more "secure" until someone breaks them and then they are all equally hosed.

  • by twitter ( 104583 ) on Friday March 23, 2007 @11:13AM (#18458947) Homepage Journal

    > Well, if there's one White House that I think might be experts on Security, it's this one.

    I'm not very impressed with most of the "security" people have traded their liberty for. The failure [slashdot.org] is nowhere more apparent than the non free computing world [slashdot.org].

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday March 23, 2007 @11:24AM (#18459147)
    Comment removed based on user account deletion
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday March 23, 2007 @11:27AM (#18459183)

    > The net result will be identically configured computers with fewer applications, a bot maker's paradise.

    Yep. That's one way to look at it.

    A different way to look at it is that a known, reduced configuration allows vulnerabilities to be patched (government-wide) at the lowest level possible with minimum code necessary.

    I for one fucking HATE the 500MB "service packs" that are released. It is far easier to test frequent, minor changes than infrequent MASSIVE changes. And it looks as if the Federal Government is finally catching on to that fact.

    #1. There is no security without physical security.
    #2. Run only what you absolutely need.
    #3. Run it with the minimum possible rights.
  • Re:From TFA... (Score:2, Insightful)

    by wizzahd ( 995765 ) on Friday March 23, 2007 @11:37AM (#18459347)
    I was unaware that there is a "secure" version.
  • Re:Yikes! (Score:4, Insightful)

    by afidel ( 530433 ) on Friday March 23, 2007 @11:38AM (#18459379)
    Since the current monoculture for Windows PC's in government is probably the default windows install, a more secure default configuration can't possibly be a worse situation.
  • In terms of making "unbreakable" anything, this will be as successful as the stripe in money. Within a week of the Mint putting a plastic stripe in money, there were guys in bars demonstrating how to take said stripe back out. While that is a fairly victimless crime, demonstrating how to hack and debilitate the "government standard" vista configuration will just lead to a massive botnet as everyone (except the appropriate govt bodies, of course) has already figured out.
  • by mabhatter654 ( 561290 ) on Friday March 23, 2007 @11:47AM (#18459483)
    This is a very good thing!! The feds are simply stating they will be using a particular configuration of windows their experts have determined increases security and removes the gaping holes the default WinTel box at the store ships with. They're mandating that all their vendors get with the program and MAKE their software work with the new increased security settings already built into Windows. It's what Microsoft keeps promising to do when they say "most secure ever" but then the first thing vendors do is require IT to "turn down" security settings because highly paid programmers can't be bothered to make their software work properly under security settings.

    We see this all the time on home PCs where you have to be Admin to run simple games... the feds are saying NO MORE to that. This is a VERY good thing!!

  • Hrm ... (Score:4, Insightful)

    by B3ryllium ( 571199 ) on Friday March 23, 2007 @11:54AM (#18459587) Homepage
    While this sounds like a good thing on the surface (the mere fact that they're paying attention to OS security is nice), I think it's bad for two reasons.

    1) It ties the entire government into Windows - and on top of that, the most expensive and resource-consuming version thereof. Think of the thousands of PCs that would have to be upgraded for Vista? Now ... what happens to all the old ones? (I sincerely hope that they get donated to schools or something)

    2) It may prevent opensource applications from achieving any traction in the US government. Unless, of course, Microsoft is willing to give them the keys to be declared "Secure/Vista Friendly" or whatever the latest gimmick certification is. Granted, the big guns like OpenOffice and Mozilla might be able to make inroads, but smaller opensource applications might be S.O.L.

    So it's nice that the issue has received consideration, but it may be a rather insidious form of consideration. And that's not a good thing.
  • by Anonymous Coward on Friday March 23, 2007 @12:24PM (#18459999)

    > And it looks as if the Federal Government is finally catching on to that fact. ...
    > #3. Run it with the minimum possible rights.


    Too bad they think that applies to people too.
  • So... (Score:2, Insightful)

    by BrokenHalo ( 565198 ) on Friday March 23, 2007 @12:45PM (#18460275)
    Seems to me that those criteria make sense. What doesn't make sense is that Microsoft chooses not to make those criteria the default configuration.
  • by twitter ( 104583 ) on Friday March 23, 2007 @01:25PM (#18460877) Homepage Journal

    > But it is doing what the customer wants. They want a baseline configuration and any programs that don't work with their configuration aren't allowed.

    They could have gotten that and a much wider choice of applications by choosing any Linux distribution. Free software package management works. A side benefit is real security.

    > You're trying so hard to turn this around and make it about Microsoft but they have little to do with it. This is the federal government making up these rules.

    That could be, but M$ can't win for losing. It would be much harder for M$ to blame the user for M$ problems if they really told the user exactly what to do. In the end, it's all about M$ and non free software. Non free software can't be as good or work together the same way free software does. It has obvious problems and the obvious solutions are difficult or impossible.

    Two solutions are code sharing and configuration control. As you and others say, a smaller code base is cheaper and more secure. Competitive pressures keep non free companies from sharing libraries and their licensing make that most obvious cost savings impossible anyway. Everyone has to reinvent every wheel or put themselves at the mercy of their non free competitors. The second most obvious cost savings measure is configuration control, but that too is impossible in the non free world. The user can flip switches, but the switches themselves will change as applications change out libraries. Without the source code, the user does not really know what the switches do anyway.

  • by Frosty Piss ( 770223 ) on Friday March 23, 2007 @01:37PM (#18461063)
    In the US Air Force, this has already happened in the form of the Standard Desktop Configuration Image that we install on all PCs. This started the middle of last year.
