White House Specifies And Mandates Secure Windows

twitter writes "The Register is reporting on an effort to bring order to the wild world of Windows patching, at least in the US Federal Government. The White House has issued a directive to federal CIOs throughout the country, issuing a call for all new PCs to use a 'common secure configuration.' 'Registry settings and which services would be turned on or off by default [are specified and] the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations. "No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista," explained Alan Paller, director of research at The SANS Institute.'"

Heh

[Ethelred Unraed]

The phrase "don't put all your eggs into one basket" comes to mind...

Cheers,

Ethelred

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Heh

[jac89]

Get bigger eggs, then they wont be able to fit through the holes. Goose eggs would do, or maybe ostrich.

Re:Heh

[FrankNputer]

Show me a basket that doesn't have holes, and I'll show you a bowl.

Re:Heh

[morcego]

Show me a bowl that doesn't have a hole, and I'll show you a sphere.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Heh

[jimstapleton]

I would have added "All applications must run in Wine under BSD or Linux", or have a version in BSD or Linux, to the requirements to prevent lock-in

Re:Heh

[Anonymous Coward]

To be fair they are mandating specific Windows configurations for systems running Windows. They are not mandating the use of Windows (or course a lot of gov system do for other reasons...).

So...

[BrokenHalo]

Seems to me that those criteria make sense. What doesn't make sense is that Microsoft chooses not to make those criteria the default configuration.

Re:

[mysticgoat]

So extending Wine such that it meets the same specifications assures that any software that can be sold to the Feds will also run under Linux.

I think I like this idea.

Monoculture Worries.

[twitter]

The phrase "don't put all your eggs into one basket" comes to mind...

The net result will be identically configured computers with fewer applications, a bot maker's paradise. The comply/no-comply label give M$ more veto power over applications and that will reduce the number of applications that can be used. Everything must now be done the M$ way on Windoze, so the worst practices with the worst track record have been mandated. The identical settings are only more "secure" until someone breaks them and then they are all equally hosed.

That;'s one way to look at it.

[khasim]

The net result will be identically configured computers with fewer applications, a bot maker's paradise.

Yep. That's one way to look at it.

A different way to look at it is that a known, reduced configuration allows vulnerabilities to be patched (government-wide) at the lowest level possible with minimum code necessary.

I for one fucking HATE the 500MB "service packs" that are released. It is far easier to test frequent, minor changes than infrequent MASSIVE changes. And it looks as if the Federal Government is finally catching on to that fact.

#1. There is no security without physical security.
#2. Run only what you absolutely need.
#3. Run it with the minimum possible rights.

Re:

[twitter]

A different way to look at it is that a known, reduced configuration allows vulnerabilities to be patched (government-wide) at the lowest level possible with minimum code necessary.

You may also minimize the work your users can do, on Windoze at least.

Re:That;'s one way to look at it.

[ColdWetDog]

You may also minimize the work your users can do, on Windoze at least.

You're talking about the Federal Government here, I'm not sure that is at all a relevant concern. At worst, it's a feature, not a bug.

Re:

[mabhatter654]

This is a very good thing!! The feds are simply stating they will be using a particular configuration of windows their experts have determined increases security and removes the gaping holes the default WinTel box at the store ships with. They're mandating that all their vendors get with the program and MAKE their software work with the new increased security settings already built into Windows. It's what Microsoft keeps promising to do when they say "most secure ever" but then the first thing vendors do

It's all coming together for them.

[twitter]

... the first thing vendors do is require IT to "turn down" security settings because highly paid programmers can't be bothered to make their software work properly under security settings.

We will see if M$ will give them permission for their software to work. Programmers for anti-virus, Netscape, Correl, IBM and everyone but M$ have complained about issues like this in the past. M$ only wishes it had been so easy as that to get rid of those former competitors and their wish appears to have come true.

Re:

[bfields]

Yeah, I don't run Windows myself, but what I hear from people that do is--sure, it comes with all these security features (like ability to run as a user without root-like privileges), but in practice the software they want doesn't run unless they turn that stuff off.

So in theory it sounds like a good thing to have a major customer like the federal government telling vendors that they won't put up with that.

(But then, a windows expert would have to say whether the particular restrictions they're suggesti

Re:Monoculture Worries.

[FlopEJoe]

The net result will be identically configured computers with fewer applications

That's a Mac, right?

NSA

[Ungrounded Lightning]

So let's see if even the NSA can come up with a secure configuration for windows.

(Or at least one that's secure against everybody but the NSA. B-) )

Re:

[LO0G]

They have. It's published here [nsa.gov]

They also have guides for OSX and Solaris.

Ultimate Control.

[twitter]

A very Silly AC taunts:

It's the government mandating this version of Windows, not Microsoft. Reading comprehension much?

Once the settings are specified, M$ can make the system do as they please. What, do you think Uncle Sam is going to give up patch Tuesday? The whole point is to make it easier to apply patches. It won't really work, of course, because M$ and others will keep playing the same anti-competitive tricks. When an application does not work with the settings, it not Windoze is rejected.

The net result is contrary to commodity computing. The whole reason for using M$ is to gain access to cheap hardware and a universe of software. Reducing your choice in software goes a long way toward making your hardware worthless. A fancy computer that does not do the task you want it to is not doing you any good. The proposed flexibility will inevitably sink to Dell software install options and people who want to get work done with specialized programs will be forced off Windoze or suffer with second rate software on expensive hardware.

The same kind of program would not be such a disaster in the free world. First, it's easy to tell what works and upgrades are already painless. Second, if something does not work, it will be fixed quickly. Third, and most importantly, the software does not have "owners" who want to mess with other software "owners".

Re:

[Afecks]

A fancy computer that does not do the task you want it to is not doing you any good.

But it is doing what the customer wants. They want a baseline configuration and any programs that don't work with their configuration aren't allowed.

You're trying so hard to turn this around and make it about Microsoft but they have little to do with it. This is the federal government making up these rules. If they don't want to allow program X because program X doesn't support feature Y then that's nobody's problem b

This is easier in the free world.

[twitter]

But it is doing what the customer wants. They want a baseline configuration and any programs that don't work with their configuration aren't allowed.

They could have gotten that and a much wider choice of applications by choosing any Linux distribution. Free software package management works. A side benefit is real security

You're trying so hard to turn this around and make it about Microsoft but they have little to do with it. This is the federal government making up these rules.

That could be, but

Security

[Mateo_LeFou]

Well, if there's one White House that I think might be experts on Security, it's this one

Re:Security

[eln]

Actually, this White House seems to champion the idea of "security through obscurity," which puts them right in line with Microsoft's idea of security. This should work out well.

Security and Liberty.

[twitter]

Well, if there's one White House that I think might be experts on Security, it's this one.

I'm not very impressed with most of the "security" people have traded their liberty for. The failure [slashdot.org] is nowhere more apparent than the non free computing world [slashdot.org].

Re:

[Macthorpe]

nowhere more apparent than the non free computing world [slashdot.org].

Read that article again. 1 in 4 computers, not 1 in 4 Windows computers.

I was so happy you managed to keep your bias out of the summary, but then you had to go and ruin it, didn't you?

Calculation...

[Mateo_LeFou]

Don't you have to finish the math before making judgment positive or negative, i.e.

25% of computers are bots -- let's say 500 million computers. What % of those run windows? Is it higher or lower than the % of *all computers that are running windows?

Re:

[Macthorpe]

Let's be honest, I wasn't the one misrepresenting the situation in the first place. What I'm saying is that the number given isn't indicative of anything at all in the context of what he was saying - he says 1 in 4 computers being in a botnet shows inherent insecurity in non-free OSes, and that is not the case at all.

I absolutely agree with you that there needs to be more facts before we can make a decision either way - hence my point.

Yes, and that's the point: Windoze is less secure

[twitter]

Don't you have to finish the math before making judgment positive or negative, i.e.

Yes, but that's what this tireless M$ Defender [slashdot.org] is trying to deny without actually having the nerve to say it. All you really need to know is that botnets are more prevalent of Windoze than any other platform to know that more than 1 in 4 of Windoze computers are part of a botnet. Study after study [slashdot.org] has shown the relative security of the platforms. Macthorp and his sock puppets [slashdot.org] continue to beat the "Windoze is most secure

Re:Yes, and that's the point: Windoze is less secu

[dedazo]

There's a difference between being "pro-Microsoft" or as you succintly put it, "tireless M$ defenders", and being anti-bullshit.

Your problem is that you can't distinguish between the two. But that's an issue you seem to be afflicted with anyway [slashdot.org].

If I Have Learned One Thing...

[Anonymous Coward]

If I have learned one thing when dealing with the federal government, it is where there is a regulation there is always a way to get an exception to that regulation.

Yikes!

[martyb]

One word: Monoculture.

Yes, this might be a darn sight better than what currently exists, but having all the systems have the same configuration is just ASKING for trouble. I predict that within two years, some virus or the like which would have attacked just a department or two is going to hit a huge swath across multiple departments, instead.

Unless, of course, the federal government has figured out how to configure their systems to be entirely secure. In which cse, I'd suggest they share it with Microsoft and the rest of the systems on the internet.

Re:

[Mateo_LeFou]

Are you suggesting that Bruce Schneier [schneier.com] knows more about security than W and friends?

I'm looking forward to color-coded "Vista Alert Level" updates and thousands of other goodies.

Re:

[gEvil (beta)]

I'm looking forward to color-coded "Vista Alert Level" updates

Why do I suspect that the highest level will be blue?

Re:

[Zonk (troll)]

If at first you don't succeed at breaking a cipher, you're not Bruce Schneier.

Bruce Schneier can decypher line-noise.

Anybody can invent a cryptosystem he cannot break himself. Except Bruce Schneier.

When God needs a new secure certificate, he uses Bruce Schneier as the signing authority.

(Bruce Schneier Facts [geekz.co.uk]).

Re:Yikes!

[Trona Andy]

You have it all wrong. This is going to work because the Decider has said it has to work. Case closed, just like the wonderful success we're having making Baghdad a bastion of stability and tolerance for political, religious and cultural difference. You go, George!

Re:

[RingDev]

I wouldn't go so far as to say Monoculture... All jokes aside, there are a lot of highly skilled IT professionals in the government sector, there just also happens to be a large number of incompetent ones as well. The competent ones will continue to run tight ships with secure and functional networks, and the incompetent will continue to run crap piles, although with this regulation they would at least be given "less smelly" crap to add to their respective piles.

-Rick

Re:

[jafac]

It's true that you can complain about Monoculture;
But if you have 100 different computers, and they're all configured differently, what you have is an UNKNOWN configuration - and you can't tell your boss "every known vulnerability has been shut down".

If you shut down all known vulnerabilities on those 100 computers, you don't have 100 secure computers. You have 100 computers, with zero known vulnerabilities, and some unspecified number of unknown vulnerabilities. Those unknowns are there, whether you've c

Re:Yikes!

[afidel]

Since the current monoculture for Windows PC's in government is probably the default windows install, a more secure default configuration can't possibly be a worse situation.

From TFA...

[Steve--Balllmer]

""No Vista application will be able to be sold to federal agencies if the application does not run on the secure version of Vista,"

I just wanted to let you know all of those people who purchased "Unsecured Version" of Vista can upgrade to the "Secure Version" for a fee, when it is released (probably in late 2009-early 2010).

Sincerely,
Steve "Monkeyman" Ballmer

Re:

[wizzahd]

I was unaware that there is a "secure" version.

Re:

[mgblst]

Wow, that is going to piss of about a dozen people, way to go Steve.

Monkeyman?

[Life2Short]

Who the hell promoted you from "monkeyboy?" [wikipedia.org]

Quoting myself

[starglider29a]

http://slashdot.org/comments.pl?sid=152118&cid=127 64232 [slashdot.org]

Has anyone considered if [Apple adopting Intel] is *** INTEL's *** way of diversifying, as an "off world colony of Planet Wintel"? In other words, is this a backup location in the seemingly increasingly likely implosion of the 'Win Wing" of WinTel? Nothing is "unthinkable", merely improbable.

Blustery pundits have used the phrase "national security risk" when referring to Windows. What if it were outlawed in government facilities? I have worked with LARGE corporations that 'forbade' IE on the computers. What if something unthinkable, as unthinkable as an asteroid strike is on Planet Earth, happened to Windows?

---
Don't put all yer x86's in one basket
------
And myself in 1998

The day will come when WinPlanet implodes. It happened to IBM. Hell, it happened to Apple. On that day, you will ask the reflection in your blank monitor the question, "Where do you want to go today?" [made with Mac logo]

And this is unusual why?

[Itninja]

No Vista application will be able to be sold to federal agencies

What!!?? You mean that my local Social Security office will not be upgrading?

I was there a few weeks ago and they all were using what looked like Windows 98 still. I don't think 'Vista' and 'federal agency' will be in the same sentence again for many, many years.

Re:

[jfengel]

And ya know, that's not necessarily a bad thing.

I don't know exactly what goes on in that office, but I suspect it hasn't changed radically in 10 years. They're probably running identical software, perhaps with occasional upgrades. Probably some custom application providing access to their database. Why replace all the hardware just to stay in place?

Sure, the security of 98 is a nightmare. They definitely need to keep these computers behind a firewall, and in fact preferably with absolutely no access at

Re:

[Itninja]

"Microsoft. Reinventing the wheel since 1989" That's why!

Re:

[Lord Ender]

How do you propose they get data to and from those applications if you don't want the PCs networked?

Yeah.. that's what I thought.

Re:

[jfengel]

"Networked to each other" and "networked to the wide world" are two different things. And if they must be networked remotely, and if the Internet is the most effective way to get there, then you can dramatically limit access with a firewall. You're still potentially screwed, since custom applications are terribly prone to buffer overruns, publicly-known passwords, insertion attacks, etc., but that's a programmer problem, not a Windows problem.

Re:

[Lord Ender]

Firewalls are near-worthless when you are talking about PCs. People take laptops home, get malware all over them, then bring them to work and plug them in BEHIND THE FIREWALL or on a private network.

Secure Vista...

[Anonymous Coward]

...is like Unbreakable Oracle. A nice name for a marketing campaign. Something it would be nice to have. But probably a pipe dream. And it's a naming that's almost DARING people to try to break it. Not the best idea in that regard.

That said, it must be acknowledged that the federal government is actually showing some real intelligent thinking here for a change, and we should support that. "Just use whatever configuration Microsoft shipped it with" is dangerous thinking. They're looking at what services should be running, how things should be configured, etc., with a mindset of security (and not, mercifully, "ease of use"). This is a Very Good Thing.

Yeah, we can rail at "defective by design" ideas in Windows all we want, but one of the big security complaints about Microsoft OS'es is that they are NOT "Secure by default." Changing defaults doesn't get you home for security, but let's applaud a positive step, and hope Microsoft takes some note of this.

Will make problems for R&D/scientific applicat

[a_timid_mouse]

There's a lot of talk around NASA how this will cause huge headaches for scientists and R&D folks. There are very determined efforts afoot to homogenize Windows support and configuration at all NASA centers. Will make for a great bot target, and will most likely stifle development of new technologies to support NASA missions and objectives.

Re:

[truckaxle]

This is true with all federal government research. Windows is increasing becoming the only tool approved and it is getting harder to use non-windows tools. Take for example the wide ranging Navy Marine contract that specifies essentially the same solution for the receptionist desktop as on the scientist/engineering desktop. All applications have to be on the "approved" list which eliminates many instances of great open source and freeware software. It is a sad trend - they may as well nationalize Microsoft.

If apps can run without admin accounts...

[denis-The-menace]

If this makes most apps able to run without admin accounts it will be a step in the right direction.
Where I work, I waste half my time tweaking and proding half-assed, government-mandated, useless POS apps just for them to work without being an administrator.

It seems Windows developers will always trade end-users security to prevent permissions-issue support calls. And *ALL* of them develop and test as administrators. QA'ing with a user account is too much work.

BTW: Yes, the other half of my time is paperwork.(close to TPS reports)

Re:

[mabhatter654]

bonus points if they made this an open spec to follow. Then state govts could benifit as well for their depts and schools. Hopefully it will be a "evolving" standard, perhaps on a yearly basis, then the industry could pick it apart and help make it better!!!! (I'm hungry for pie in the sky now) It's the one thing Microsoft hasn't been able to fix is their developers!developers!developers! refusing to adopt the new security features and draging the ship down.

Stamp out diversity!

[PingSpike]

Yes...I think the security problems caused by the monoculture can definately be solved by making the various installs of this operating system as close to identical as possible. Furthermore, we should post all of these assumed similarities somewhere that all can see.

Heh, thats not to say any other OS would do great as the defacto standard either. I'm no big fan of windows these days, but if linux or macOS were top dog they'd be the target too. I just have to question the wisdom of this logic: This isn't wor

Re:

[B3ryllium]

The obvious answer is to run everything through a single LinkSys home office router, and then not have any firewalls on individual machines. :)

I'm a bit confused here....

[zappepcs]

Not that I don't like a good MS bashing, but the government should be getting the bashing right now, not MS. The government branches/organizations should have been doing this all along, that is making every effort to ensure that their computing platforms are secure, AND comparing one vendor against another. That is how smart businesses are run. The fact that they are just now doing this is fscking scary! What compromises have already been exploited and not discovered as yet?

That it has been mandated to secu

Re:

[mysticgoat]

The government branches/organizations should have been doing this all along, that is making every effort to ensure that their computing platforms are secure, AND comparing one vendor against another.

Many if not all of the US Federal agencies HAVE been doing this all along. Look back over slashdot for the last 2 - 4 weeks, and you'll see stories that several government agencies have declared moratoriums on updating to Vista. Other agencies are certainly doing the same thing, but managing their moratoriums more quietly.

I left USGOV service several years ago, but I can attest that the VA and other big agencies began actively managing update strategies as early as Win98. When Directors of VA hospitals

Honesty

[DoofusOfDeath]

White House Specifies And Mandates Secure Windows

Look, if they just don't want to use Windows why can't they say so???

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Why don't they roll their own?

[Peter Trepan]

Why don't they have a DARPA-BSD or something, so they can secure the code themselves? Can the government not afford any CS majors?

Re:Why don't they roll their own?

[evil_Tak]

Or perhaps some kind of security-enhanced Linux [wikipedia.org] variant...the NSA [nsa.gov] could even help develop it!

Mandates secure windows....

[gmuslera]

what next in the agenda? Mandate water to flow upwards? Ice to burn things? Pigs to fly?

There are rumors that such things exist, in very special cases, but is easier to see pigs fly than to see a secure windows machine.

Re:

[abb3w]

what next in the agenda? Mandate water to flow upwards? Ice to burn things? Pigs to fly?

Trying to set "pi" equal to three [bible.cc] is a traditional passtime of Bible thumpers, and about on my expectation level for this White House.

There are rumors that such things exist, in very special cases, but is easier to see pigs fly than to see a secure windows machine.

This is because most geeks who try it find building a trebuchet simple and fun, with clear documentation readily available. It also usually involve

Re:

[mutterc]

Remember, with sufficient thrust, pigs fly just fine.

Re:

[Divide By Zero]

I have RFC1925 [faqs.org] (Pt 2, Sec 3: "With sufficient thrust, pigs fly just fine.") posted at my desk here at work, with the aforementioned phrase highlighted.

I work for the Federal Government in IT.

Derive from this what you will.

A word on federal security mandates

[192939495969798999]

In terms of making "unbreakable" anything, this will be as successful as the stripe in money. Within a week of the Mint putting a plastic stripe in money, there were guys in bars demonstrating how to take said stripe back out. While that is a fairly victimless crime, demonstrating how to hack and debilitate the "government standard" vista configuration will just lead to a massive botnet as everyone (except the appropriate govt bodies, of course) has already figured out.

Re:

[Ungrounded Lightning]

Within a week of the Mint putting a plastic stripe in money, there were guys in bars demonstrating how to take said stripe back out.

Which makes the money worthless - and refused the first time somebody looks for the stripe.

The trick is to figure out how to put the stripe INTO a counterfeit bill.

Switch?

[HalAtWork]

If it's not secure and doesn't work the way they want, shouldn't they find another product, and shouldn't Microsoft be responsible for identifying and fixing these problems and not the government with our tax dollars?

The actual OMB memo

[beetle496]

The actual OMB memo (pdf, sorry) can be found at URL:
http://www.whitehouse.gov/omb/memoranda/fy2007/m07 -11.pdf [whitehouse.gov]

The text follows:

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
DEPUTY DIRECTOR FOR MANAGEMENT
March 22, 2007

M-07-11 / MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES

FROM: Clay Johnson / Deputy Director for Management

SUBJECT: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems

To improve information security and reduce overall IT operating costs, agencies who have Windows XP TM deployed and plan to upgrade to the VistaTM operating system, are directed to adopt the security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).

The recent release of the VistaTM operating system provides a unique opportunity for agencies to deploy secure configurations for the first time when an operating system is released. Therefore, it is critical for all Federal agencies to put in place the proper governance structure with appropriate policies to ensure a very small number of secure configurations are allowed to be used.

DoD has worked with NIST and DHS to reach a consensus agreement on secure configurations of the VistaTM operating system, and to deploy standard secure desk tops for Windows XPTM. Information is more secure, overall network performance is improved, and overall operating costs are lower.

Agencies with these operating systems and/or plans to upgrade to these operating systems must adopt these standard security configurations by February 1, 2008. Agencies are requested to submit their draft implementation plans by May 1, 2007 at fisma@omb.eop.gov. With your endorsement we will work with your CIOs on this effort to improve our security for government information. If you have questions about this requirement, please contact Karen Evans, Administrator, E-Government and Information Technology at (202)395-1181 or at fisma@omb.eop.gov.

Hrm ...

[B3ryllium]

While this sounds like a good thing on the surface (the mere fact that they're paying attention to OS security is nice), I think it's bad for two reasons.

1) It ties the entire government into Windows - and on top of that, the most expensive and resource-consuming version thereof. Think of the thousands of PCs that would have to be upgraded for Vista? Now ... what happens to all the old ones? (I sincerely hope that they get donated to schools or something)

2) It may prevent opensource applications from achieving any traction in the US government. Unless, of course, Microsoft is willing to give them the keys to be declared "Secure/Vista Friendly" or whatever the latest gimmick certification is. Granted, the big guns like OpenOffice and Mozilla might be able to make inroads, but smaller opensource applications might be S.O.L.

So it's nice that the issue has received consideration, but it may be a rather insidious form of consideration. And that's not a good thing.

Re:

[stuntpope]

I fail to see where the directive is mandating an all-Microsoft Windows policy for the Federal Government, as some have posted here, let alone a requirement for Vista.

From the directive, "Agencies with these operating systems and/or plans to upgrade to these operating systems must adopt these standard security configurations"

Meaning, it only applies to existing or future Windows installs. Not, "all government computers must follow this Windows' configuration" (therefore computer must run Windows).

Open Sourc

Wow, no one on here RTFA

[Raleel]

GEEEZ

lets start with the second goddamn line of the article

"A White House directive to federal chief information officers issued this week calls for all new Windows PC acquisitions, beginning 30 June, to use a common "secure configuration"."

You'll notice that there is no mention of Macs or Linux. That's because this only affects _new windows PC acquisitions". That means it only affects the box when you have windows on it.

"Applications (such as anti-virus, email etc) loaded onto systems remain flexible but what will be specified in the registry settings and which services would be turned on or off by default."

Look here... configuration management mandated. How about that??!

"Even more importantly, the directive calls for suppliers (integrators and software vendors) to certify that the products they supply operate effectively using these more secure configurations."

OMFG, vendors actually have to put out products that work in secure configurations. holy crap!!! end of the goddamn world. heaven forbid we make them code securely and force them to make it work in something other than the Administrator account.

"The federal government scheme builds on the "comply or don't connect" program of the US Air Force. The principal targets are Windows XP and Vista client systems but the same ideas might be applied in Unix and Windows Servers environments over time."

Lookie there, it only applies to windows again. later on, it'll apply to windows Desktops! Not even servers. wtf is this call of monoculture I keep seeing.

Every consumer should be happy to see this, because a huge client (the biggest?) of computer hardware and software says "that's quite enough. If you can't work in our secure environment, you are going to lose a lot of business. Fix it already".

You're doing a heckuva job, Billy...

[condour75]

No would could've predicted the firewall would be breached...

"the secure version of vista"

[nurb432]

So, that pretty much means the feds cant buy anymore windows software. Cool.

My dad used to say about this kind of thing

[Ancient_Hacker]

My dad used to say : "We at the Pizza Parlor have an agreement with the bank. They don't sell Italian foodstuffs, we don't cash checks".

So maybe it's not the greatest idea to have politicos making IT policy?

All these replies, so little understanding.

[jimicus]

Most of what I've seen so far says "This will make them easy targets". Yet the only way I can make sense of this is as follows:

1. Every computer has an identical OS build on it (most enterprises have something like this already in place - nobody in their right mind wants to support 100 slightly different builds).

2. That build is locked down thoroughly, so only necessary services run. (Most enterprises probably don't go quite that far, but in an environment where you're very concerned about security you

a real good common configuration

[Joe The Dragon]

only works when they all have the same hardware. There is like a lot systems that need different hardware that they can't get rid of.

Registry?

[Migraineman]

What is this "registry" of which you speak?

(man, I wish I could deliver that with a straight face)

In the US Air Force, this has already happened

[Frosty Piss]

In the US Air Force, this has already happened in the form of the Standard Desktop Configuration Image that we install on all PCs. This started the middle of last year.

Secure computing

[cdrguru]

Rule 1: If if can have its programming altered in the field, it is not secure.

Rule 2: If it accepts executable instructions from any unauthorized source, it is not secure.

Rule 3: Any deviation from an assigned purpose can be considered to be a security breach.

It is difficult to have a toaster or microwave oven infected by malware or part of a botnet. You want security? Start using the "appliance" model and there will be security. A general-purpose computer that can have new programming installed is obvio

Re:

[AP2k]

Where is the "Beyond Overrated" or "Stupid" mod tags when you need them?

You might need this:

while(1){
      printf("HA");}

Re:

[morgan_greywolf]

Because, if you read the article you linked to, you'd know that Windows has had more severe vulnerabilities than both OS X and Red Hat, really making Windows the least secure.

Re:

[mabhatter654]

I'd bet the Feds over all, through all the departments spend HUNDREDS of millions of dollars on Windows desktops per year!! If the feds would even offer Apple or Red Hat 1/10 of that business they'd comply automatically without being asked.

Re:

[AP2k]

Shouldnt this apply to OSes that are commercially sold? At some point I may write my own OS and release it under GPL. Should I be forced to write in functions for security, even though I am operating a car? What about embedded Linux OSes? What about FreeRTOS?

I dont think forcing OS makers to include specific functions is a step in the right direction. I think that suggesting the same is a good idea, however.

Re:

[i.r.id10t]

Yup. Just unplug the network cable (and don't go wireless) and post a physical guard for hte physical security.

Re:

[rolfwind]

I still don't trust that. How about unplugging the electric cord?

Re:

[Rohan427]

Sure, here's the instructions:

1. If you have a Windows installation CD, get it and set it aside. You will need it for a later step.
2. Boot the computer.
3. Make a Windows Boot Floppy.
4. Restart the computer with the floppy and boot it to the command line.
5. Type fdisk at the command prompt and hit .
6. Follow the on-screen instructions for deleting all partitions on all hard drives.
7. Remove the floppy and set it aside for the moment.
8. Reboot the computer and install any operating system that is no

Re:

[Bogtha]

Seriously, can Windows -- any version -- be made secure?

Don't be ridiculous, of course it can. Here's a step-by-step guide [istockphoto.com].

Re:

[Anon-Admin]

Thanks, You got me.

I actually looked at my calendar to see if it was April 1st. :)

Re:

[inviolet]

Why don't they just switch to Linux? end of security problem.

Linux would not be so secure if it became mainstream, or if it became the dominant OS in use at a valuable target (US government computers). Presently, Linux doesn't receive near the same blackhat attention that Windows does.

As well, Linux is no more secure than its administrators are competent. There is not a lot of Linux expertise out there right now. If the feds switched to Linux tomorrow, it would be quite a while (and truckloads of money

Re:

[JustNiz]

>> or if it became the dominant OS in use at a valuable target (US government computers).

Wow. How closed-minded. You need to look around you.

Linux IS ALREADY mainstream. It has become the dominant OS in many 'valuable targets' both inside and outside the US. Yes there really is a whole world outside the US and guess what we even have electricity now.
Most European governemts are already mandated to running open source over proprietary OS's for several years now so are not even allowed to run Windows.

Re:

[redelm]

NIST has had these out for at least 5 years. I would consider testing against NIST patches to be essential before app/patch release from any commercial software vendor. They're two very well defined configs, and after that, the vendor can claim "plays well with secured PCs".

The tough thing in software testing is to reasonably define what needs to be tested. The testing is tedious but trivial and can be subcontracted.

TFA implies they'll tell all the developers

[Ungrounded Lightning]

The AC speculates: ... they a) won't tell you what the settings are, ...

But the TFA says that one of the major points of the exercise is to give developers a common configuration to develop for and test against.

So they'll be telling all the developers - which means all the potential developers - which means everybody.

Cute idea. But the tinfoil brim got between the AC's eyes and the screen. B-)

TFA sez

[Ungrounded Lightning]

Now that Slashdot pointed it out, they will probably decide to "standardize" on Lunix.

The TFA says the "same idea may be applied to Unix and Windows Servers over time".

At the resolution of such press releases "Unix" would include Linux and OSX.

Re:

[Ungrounded Lightning]

What if Office or IE or Lookout won't run under Secure Vista but Open Office and Firefox etc. will ?

We can all dream of that.

But I sincerely doubt that the government-mandated configurations will disable the basic Microsoft applications - at least until they decide, deliberately, to move to some other (and designated) toolset.

Re:

[SpaceLifeForm]

Just the other night, on '24'.