LAN_PRINT_135: U.S. Government Standardizing on Windows Hardening
(LAN_PRINT_86 IT Management)
LAN_PRINT_94 NIST.org
Monday 26 March 2007 - 21:33:22

U.S. Government agencies have struggled with how to implement baseline security configurations required of them under various government regulations. The new government-wide Windows security configuration requirements outlined by the Office of Management and Budget (OMB) are truly revolutionary and grandiose in scale. But this is likely to affect everyone.

Few federal agencies have fully implemented NIST.gov, CIS, DISA, or NSA hardening guidelines, even though many have required it for years. Those agencies that had set hardening standards tended to water them down to the lowest common denominator that prevented anything the agency might use from breaking. Few civilian federal computers implemented the full guidelines. (NIST.org)

NIST.org is a private IT security news organization and is in no way connected to the U.S. Government National Institute of Standards and Technology (NIST.GOV).

This type of approach has of course led to computers not being as secure as they should be. It has also been very wasteful. Each agency has had to test all of the settings in their environment and test each application used within the agency. Each agency also ended up negotiating with hardware vendors to ship computers with their settings already applied (at least those agencies that bothered to try). Many agencies also gave their offices a lot of leeway in whether to implement the baselines (or STIGS - Security Technical Implementation Guides) or they failed to verify compliance. All of this has led to a lot of wasted time, effort, and money. Not to mention a much lower security posture.

This is all about to come to an end. The White House Office of Management and Budget (OMB) has mandated that all federal agencies implement a common set of secure configuration settings developed by the National Institute of Standards and Technology (NIST). The following is a time line outlined by OMB.

• May 1st 2007 – Agencies must submit to OMB plans:
  - on how they will implement the new standard baseliine configuration,
  - on how they will enforce and automate the settings,
  - on how they will restrict administrative rights to change these settings to only authorized personnel.
  - on how they will test their systems in advance for adverse effects of the settings,
  - on how they will integrate the new security settings into their Capital Planning and Investment Control Process (NIST SP 800-65)
  - on how they will ensure that all computers have vulnerability patches applied
  - on how they will document any deviations from the standard baseline and the reason for the deviation
  
• April 20th, 2007 – OMB and the Department of Homeland Security (DHS) will make available XP and Vista images that hardware and software vendors can use for testing.
  
• June 30th, 2007 – All new computer purchases with Windows XP or Vista must contain the standard baseline security configuration. All new software purchases must be compatible with the new security settings. All IT companies doing business with the government must certify that their products will work with this configuration.
  
• February 1st, 2008 – Agencies must fully implement the standard security settings on all computers running Microsoft Windows XP and Vista.

Once these changes start to take affect in June the entire U.S. Government will be doing things differently. This will affect hardware and software acquisition, IT management, computer setup, end user training, other security policies and procedures, etc. For once everyone in the government will be doing something with computers the same way. This is a first, and its a huge change. It is also long overdue, not only from a security point of view but from a fiscal one. The cost savings will be enormous. There will also be a complete paradigm shift in how government IT personnel perceive things. No longer will local offices or individual IT people be making security decisions, management is now running the show and for once management is making a fully informed decision.

Many of OMB's past Memorandums were not implemented on time, or drastically watered down by agencies. Such as M-06-16 that mandated (among other things) encryption of mobile computers and devices by August 2006. Few agencies have fully implemented this directive. This new security baseline initiative is different, for once OMB isn't leaving anything to chance. They are not only telling agencies exactly what to do, but they are giving them the means to do it (completed and detailed NIST specifications). They are also forcing the issue through contracting rules that disallow any purchases that are not within compliance. In addition they are working with vendors, especially Microsoft, in making sure that products will be available by the OMB deadlines. For once they're doing it right.

There is already discussion about government-wide standardized baselines (or STIGs) for Unix, Apple and Linux operating systems. The federal government Windows XP and Vista image is also likely to be available to commercial buyers. There is nothing secret about it. Most Microsoft applications will be guaranteed to work with the image, as will most mainstream applications. If you work for a large enterprise don't be surprised if you start seeing this configuration on new desktops in the near future.

This will, of course, lead to much better desktop security within the federal government. The Air Force / DISA / NIST STIGs are tough and they will truly have a positive affect. When security is left open to the current technician of the moment few take the time to harden Windows to this degree. When the end user has administrative rights to their computer then so does any piece of malware they may stumble upon. Standardizing on a tough policy and forcing the market place to become compatible is the perfect way to accomplish the goal of securing the desktop. Karen Evans, OMB's administrator of e-government and information technology, and the rest of the OMB team will deserve a lot of credit if they can pull this off.

These are certainly dramatic changes. Click here to post your comments.

References:

• GovExec.com - “OMB sets security standards for Windows computers”
  
• FCW.com – Federal Computer Week “OMB: Vista is an opportunity to set desktop standards - Policies at the Air Force, Army serve as a governmentwide model”
  
• NIST.org - “Hardening Microsoft Windows – STIGS, Baselines, and Compliance”. Includes links to NIST.gov STIGS as well as to the Department of Defense, Defense Information Systems Agency (DISA) STIGs that the new requirements are based off of. If you want to know what the new government-wide requirements are going to look like the DISA STIG's are probably as close as you'll find.
  
• SP 800-68 – NIST.gov Guidance for Securing Microsoft Windows XP Systems for IT Professional
  
• NIST.gov – FAQ and Description of the Guidance for Securing Microsoft Windows XP Systems for IT Professionals
  
• ComputerWorld - “Feds to Adopt Common Security Settings on PCs - OMB tells agencies to standardize configurations for Windows XP, Vista”

{BLOGME}
{GOOGLESBOX=windows hardening}
{AMAZONPROD=0072253541}

---

LAN_PRINT_303NIST IT Security
( http://www.nist.org/comment.php?comment.news.219 )