White House Sets Single Security Configuration For Windows Computers

A White House mandate to conform to one security configuration on Windows XP and Windows Vista systems should "radically reduce" vulnerabilities.

Sharon Gaudin, Contributor

June 29, 2007


A White House directive is forcing federal government agencies, which currently use perhaps hundreds of different security configurations, to conform to a single one that was designed by the U.S. Air Force.

The move will likely involve a great deal of work. But it could "radically reduce" the number of security holes that have been plaguing federal agencies like the Department of Homeland Security and the Department of State, according to Alan Paller, director of research at the SANS Institute.

Scott Charbo, the CIO of the Department of Homeland Security, was dragged over the coals in a Congressional hearing last week because of the number of security incidents that his agency has been suffering. Another Congressional hearing earlier this year lifted part of the veil on two major security breaches at the departments of Commerce and State last summer.

Paller said the directive could begin to dig government agencies out of the security holes they've found themselves in.

The White House memorandum focuses only on systems running Microsoft's Windows XP and Windows Vista. The single configuration must be in place by Feb. 1, 2008, according to the mandate. The president's Office of Management and Budget also mandated that software vendors must supply government agencies with applications that run on this one configuration. Any vendor contract signed after Saturday, June 30, 2007, must be in line with this new rule.

The directive, which also greatly limits the number of users who are given administrative rights, is based on a move made by the Air Force a few years ago. The military branch settled on one configuration and tested it on a 400,000-user system.

In March, the White House began sending out directives that the rest of the government, as well as military agencies, must follow suit.

The configuration, known as the Federal Desktop Core Configuration (FDCC), calls for all applications designed for the average end user to run in a standard user context, without elevated system administration privileges. This way, if a user's machine is compromised, the hacker doesn't gain administrative access to the entire network.

The configuration also calls for IT administrators to lock down services like the messenger service and the FPP publishing service, so people outside the network can't get access to that computer through those services. And it calls for certain communications channels to be encrypted. The Air Force's configuration also affects password aging, meaning administrators and users have to change their passwords every 30 days.

The FDCC also mandates that the installation, operation, maintenance, and patching of any software shall not alter the configuration settings from the approved configuration.
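The settings the article lists (locked-down services, a 30-day password age, everyday work done without administrative rights) are the kind of thing an agency would check on every desktop before and after the reconfiguration. The following read-only PowerShell audit is an added illustration, not code from the article and not part of the FDCC itself. The Windows service names are assumptions ('Messenger' for the Messenger service; 'MSFtpsvc' for the FTP Publishing Service, which the article's "FPP publishing service" is taken to mean), the 30-day limit is the figure quoted in the article, and the check only covers the few settings the article mentions.

```powershell
# Added audit example (not from the article, not the official FDCC content).
# Reports drift from the handful of baseline settings the article describes.
# Uses WMI and 'net accounts' so it works on the Windows XP/Vista era hosts
# the mandate targets; nothing here changes the machine.

$MaxPasswordAgeDays = 30   # figure quoted in the article; real FDCC values may differ

# Assumed Windows service names for the services the article says to lock down.
$ServicesToLockDown = @('Messenger', 'MSFtpsvc')

function Test-RunningAsAdministrator {
    # True when the current token carries the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ServiceLockdownFindings {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            # A service that is not installed cannot be reached from outside.
            New-Object PSObject -Property @{ Check = "service:$name"; Compliant = $true; Detail = 'not installed' }
            continue
        }
        # "Locked down" here means stopped now and not allowed to start later.
        $ok = ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')
        New-Object PSObject -Property @{ Check = "service:$name"; Compliant = $ok; Detail = "$($svc.State)/$($svc.StartMode)" }
    }
}

function Get-PasswordAgeFinding {
    # Parse the local account policy from 'net accounts'; the line ends with
    # either a day count or the word 'Unlimited'.
    $line = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
    if ($line -match '(\d+|Unlimited)\s*$') {
        $value = $matches[1]
        $ok = ($value -ne 'Unlimited') -and ([int]$value -le $MaxPasswordAgeDays)
    } else {
        $value = 'unknown'; $ok = $false
    }
    New-Object PSObject -Property @{ Check = 'max-password-age'; Compliant = $ok; Detail = "$value days (limit $MaxPasswordAgeDays)" }
}

# Collect findings. The first one is informational: the audit itself may be run
# by an administrator, but an end user's everyday session should not be.
$findings = @()
$findings += New-Object PSObject -Property @{
    Check     = 'current-user-is-standard-user'
    Compliant = -not (Test-RunningAsAdministrator)
    Detail    = "running as $([Environment]::UserName)"
}
$findings += Get-ServiceLockdownFindings -Names $ServicesToLockDown
$findings += Get-PasswordAgeFinding

$findings | Select-Object Check, Compliant, Detail | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or inventory tool flag the host for follow-up.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it in a normal user session to get the picture an end user's desktop actually presents; the service and password-age checks do not need elevation. Because the script only reads state, it can be scheduled across a fleet to find machines whose configuration has drifted, which is exactly the "installation, operation, maintenance, and patching ... shall not alter the configuration" requirement the article quotes.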

Keith Rhodes, chief technologist at the U.S. Government Accountability Office and the man known as the fed's top hacker, said a lack of configuration conformity has become a major security issue for all government agencies, which could be using as many as several hundred different security configurations.

"This is gotta be better than it is now," he said in an interview with InformationWeek. "Right now it's really crazy out there. There's very, very little uniformity in policy and configuration. It's the U.S. government. We've got one of everything. We've got to move to a more stable environment."

Part of Rhodes' job is to try to hack into the different government agencies. With so many different security policies and configurations in use, his job is a lot easier. And if his job is easier, it's easier for the black hat hackers, as well. "One reason we're succeeding in our [penetration] testing is because there's no conformity," he explained. "Everything is set up willy nilly. There's no uniform implementation of firewall policies, router settings, password rules."

Paller also noted that with so many different security configurations, many are bound to be weaker than others, and that creates gaping holes in government IT safeguards.

A multitude of security configurations also leads to big problems when it comes to patching vulnerabilities in applications. Every single configuration has to be tested before a patch can be installed, said Paller. That can slow down the patching process, leaving systems vulnerable to hackers that might try to take advantage of the unpatched bugs.

So why are there so many different security configurations to begin with?

It's simple, said Paller. Different IT managers have different ideas about how the configurations should be set up, so there are great differences from agency to agency and even within the same agency. The software vendors also are part of the problem, since they often develop applications based on different configurations.

"No one has been able to decide how to configure their own system because the application vendors forced them [into different configurations]," said Paller, noting that government contracts generally add up to about 20% of most major vendors' sales. "That's over. The application vendors must conform if they want to sell to the government."

While software vendors like Microsoft will have to change their application development process, government CIOs and chief security officers also are looking at a big job.

IT managers at the embattled agencies will have to bring all of their different systems into compliance, and deal with how that will affect all of the applications running on the systems. According to Rhodes, it's obviously going to cause some problems -- on top of the ones they're already dealing with.

"It's going to be tough," he said. "They have to inventory everything they have. First, that will be brute force pick-and-shovel stuff. Once you do a uniform reconfiguration, a lot of the unique or custom-made applications will break because you changed the underlying configuration. Maybe the software is talking to a particular application suite or a database and you've just altered the permissions in its environment."

While Rhodes pointed out that a lot of these custom-made applications are critical to the enterprise, Paller noted that other applications also may struggle with the new configuration. And he's not talking about just the 10- or 20-year-old applications. He's talking about major software pieces that were bought just two years ago, as well.

"It's a big job but in general, the guys struggling to keep up are the guys struggling with patches and testing," said Paller. "You're reducing the load on testing patches and the time the help desk spends with people because now they'll know what configuration they're on. It's a good thing that should radically reduce the pain."

Rhodes agreed that after all the work is behind the IT managers, government agencies should be safer for it. "What this will do is take away the egregious problems," he said. "It will be a step in the right direction."
