White House Specifies And Mandates Secure Windows 242
twitter writes "The Register is reporting on an effort to bring order to the wild world of Windows patching, at least in the US Federal Government. The White House has issued a directive to federal CIOs throughout the country, issuing a call for all new PCs to use a 'common secure configuration.' 'Registry settings and which services would be turned on or off by default [are specified and] the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"
Comment removed (Score:4, Interesting)
If apps can run without admin accounts... (Score:3, Interesting)
Where I work, I waste half my time tweaking and proding half-assed, government-mandated, useless POS apps just for them to work without being an administrator.
It seems Windows developers will always trade end-users security to prevent permissions-issue support calls. And *ALL* of them develop and test as administrators. QA'ing with a user account is too much work.
BTW: Yes, the other half of my time is paperwork.(close to TPS reports)
Re:And this is unusual why? (Score:3, Interesting)
I don't know exactly what goes on in that office, but I suspect it hasn't changed radically in 10 years. They're probably running identical software, perhaps with occasional upgrades. Probably some custom application providing access to their database. Why replace all the hardware just to stay in place?
Sure, the security of 98 is a nightmare. They definitely need to keep these computers behind a firewall, and in fact preferably with absolutely no access at all. Buy different computers if they need to do email or web surfing; these computers are a complete loss from a security standpoint. But if all they need to do is run some set of applications that haven't changed in years, don't fix what ain't broke.
Ultimate Control. (Score:4, Interesting)
A very Silly AC taunts:
It's the government mandating this version of Windows, not Microsoft. Reading comprehension much?
Once the settings are specified, M$ can make the system do as they please. What, do you think Uncle Sam is going to give up patch Tuesday? The whole point is to make it easier to apply patches. It won't really work, of course, because M$ and others will keep playing the same anti-competitive tricks. When an application does not work with the settings, it not Windoze is rejected.
The net result is contrary to commodity computing. The whole reason for using M$ is to gain access to cheap hardware and a universe of software. Reducing your choice in software goes a long way toward making your hardware worthless. A fancy computer that does not do the task you want it to is not doing you any good. The proposed flexibility will inevitably sink to Dell software install options and people who want to get work done with specialized programs will be forced off Windoze or suffer with second rate software on expensive hardware.
The same kind of program would not be such a disaster in the free world. First, it's easy to tell what works and upgrades are already painless. Second, if something does not work, it will be fixed quickly. Third, and most importantly, the software does not have "owners" who want to mess with other software "owners".
Why don't they roll their own? (Score:3, Interesting)
Wow, no one on here RTFA (Score:4, Interesting)
lets start with the second goddamn line of the article
"A White House directive to federal chief information officers issued this week calls for all new Windows PC acquisitions, beginning 30 June, to use a common "secure configuration"."
You'll notice that there is no mention of Macs or Linux. That's because this only affects _new windows PC acquisitions". That means it only affects the box when you have windows on it.
"Applications (such as anti-virus, email etc) loaded onto systems remain flexible but what will be specified in the registry settings and which services would be turned on or off by default."
Look here... configuration management mandated. How about that??!
"Even more importantly, the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations."
OMFG, vendors actually have to put out products that work in secure configurations. holy crap!!! end of the goddamn world. heaven forbid we make them code securely and force them to make it work in something other than the Administrator account.
"The federal government scheme builds on the "comply or don't connect" program of the US Air Force. The principal targets are Windows XP and Vista client systems but the same ideas might be applied in Unix and Windows Servers environments over time."
Lookie there, it only applies to windows again. later on, it'll apply to windows Desktops! Not even servers. wtf is this call of monoculture I keep seeing.
Every consumer should be happy to see this, because a huge client (the biggest?) of computer hardware and software says "that's quite enough. If you can't work in our secure environment, you are going to lose a lot of business. Fix it already".