[Infowarrior] - MS offers Secure Windows … But Only to the Government

Richard Forno rforno at infowarrior.org
Sat May 2 02:28:55 UTC 2009


Microsoft Offers Secure Windows … But Only to the Government

     * By Kim Zetter
     * April 30, 2009, 11:50 pm
     * Categories: Cybersecurity

http://www.wired.com/threatlevel/2009/04/air-force-windows/

It’s the most secure distribution version of Windows XP ever produced  
by Microsoft: More than 600 settings are locked down tight, and  
critical security patches can be installed in an average of 72 hours  
instead of 57 days.  The only problem is, you have to join the Air  
Force to get it.

The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with  
a secure Windows configuration that saved the service about $100  
million in contract costs and countless hours of maintenance. At a  
congressional hearing this week on cybersecurity, Alan Paller,  
research director of the SANS Institute, shared the story as a  
template for how the government could use its massive purchasing power  
to get companies to produce more secure products. And those could  
eventually be available to the rest of us.

Security experts have been arguing for this “trickle-down” model for  
years.  But rather than wield its buying power for the greater good,  
the government has long wimped out and taken whatever vendors served  
them. If the Air Force case is a good judge, however, things might be  
changing.

Threat Level spoke with former CIO of the Air Force, John Gilligan, to  
get the details.

Gilligan, who served as CIO of the Air Force from 2001 to 2005 and now  
runs a consulting firm, said it all began in 2003 after the NSA  
conducted penetration tests on the Air Force network as part of its  
regular testing of Pentagon cybersecurity.

NSA pen-testers made Swiss cheese of the network, and found that more  
than two-thirds of their intrusions were possible because of poorly  
configured software that created vulnerabilities. In some cases, the  
culprit was an operating system or application that came bloated with  
unsecured features that were never re-configured securely by Air Force  
administrators. In other cases, systems that were configured securely  
became vulnerable later (for instance, when a system crashed and  
original software was re-installed without patches that had been on  
the system before the crash).

“It was really an easy target,” Gilligan says. “All the NSA had to do  
was scan the network.”

The Air Force, on the verge of renegotiating its desktop-software  
contract with Microsoft, met with Ballmer and asked the company to  
deliver a secure configuration of Windows XP out of the box. That way,  
Air Force administrators wouldn’t have to spend time re-configuring,  
and the department would have uniform software across the board,  
making it easier to control and maintain patches.

Surprisingly, Microsoft quickly agreed to the plan, and Ballmer got  
personally involved in the project.

“He has half-a-dozen clients that he personally gets involved with,  
and he saw that this just made a lot of sense,” Gilligan said. “They  
had already done preliminary work themselves trying to identify what  
would be a more secure configuration. So we fine-tuned and added to  
that.”

The NSA got together with the National Institute of Standards and  
Technology, the Defense Information Systems Agency and the Center for  
Internet Security to decide what to lock down in the Air Force special  
edition.

Many of the changes were complex and technical, but Gilligan says one  
of the most important and simplest was an obvious fix to how Windows  
XP handled passwords. The Air Force insisted the system be configured  
so administrative passwords were unique, and different from general  
user passwords, preventing an average user from obtaining  
administrative privileges. Specifications were added to increase the  
length and complexity of passwords and expire them every 60 days.

It then took two years for the Air Force to catalog and test all the  
software applications on its networks against the new configuration to  
uncover conflicts. In some cases, where internally designed software  
interacted with Windows XP in an insecure way, they had to change the  
in-house software.

“We started to put discipline into what people were fielding in the  
way of applications,” Gilligan said. “It required a lot of senior- 
level attention because this was not something that the IT guys were  
happy about. We were taking control from them and forcing them to make  
modifications in systems. But the benefits were huge because now the  
Air Force knows what is fielded; they know all the applications that  
run against a certain configuration.”

In addition to the secure configuration, they also got Microsoft to  
install automated tools to update patches and to detect and prevent  
someone from altering the configuration.

Having a single configuration across the network greatly reduced the  
time it took to patch systems. Gilligan said it used to take the Air  
Force well over 100 days to install patches after new vulnerabilities  
were discovered, because the military’s network administrators had to  
test the patches against multiple configurations.  Emergency patches  
that needed to be installed post-haste took 57 days to install,  
leaving systems vulnerable to intruders during that time.

“Once the flaw was known, then those who wanted to attack our systems  
could be developing attacks in that time,” Gilligan said.

Former Air Force CIO John Gilligan

But with a single configuration, all that testing is now done by  
Microsoft before it releases a patch, saving the Air Force time. An  
added benefit of the new configuration was a 40 percent drop in the  
number of calls to Air Force help desks.

“Turns out when you configure things properly and don’t touch them,  
they actually work pretty well,” Gilligan said.

The Air Force began the project in 2005 and finished installing the  
new configuration on systems in 2007. In contracts with hardware  
providers it demanded that vendors pre-load the special Windows XP  
configuration onto systems before delivering them to the Air Force.

The USAF saved $100 million on a five-year license agreement with  
Microsoft by consolidating more than 30 contracts — made possible by  
the fact that it was now able to buy a single standard configuration.

Most importantly, security of the system improved. Gilligan said 85  
percent of attacks were blocked after the configuration was installed.

“Once you get the standard configuration, then it becomes a much  
harder target to attack,” Gilligan said. “I will not say that the Air  
Force cannot be penetrated, but the incidents have decreased. The hope  
is that those who are defending the networks can focus their energies  
on a smaller set of vulnerabilities and more sophisticated attacks. It  
dampens out the low-hanging fruit and the easy attacks.”

The project was so successful that it became the foundation for the  
government’s Federal Desktop Core Configuration program, which was  
mandated last year by the White House’s Office of Management and  
Budget to improve the security of government systems across the board.  
Gilligan said other departments have started with the Air Force  
configuration and modified it slightly to fit their unique needs and  
applications.

He said the next step is to expand the project to other software  
products, such as database management systems. He added that he’s  
confident the Microsoft example marks the turning of the tide against  
vendors that arrogantly resist locking down their products.

“They’re still in the model that they want to give all the features  
enabled to clients,” he said. “But I think we’ve reached a point where  
that model is one that is no longer effective. I’m of the opinion that  
all products ought to be configured with these locked-down  
configurations, and if the customer decides they want to undo them,  
then they can do that. They cannot continue fielding products where  
the cost that is being borne by the consumer in terms of having to  
maintain configurations and deal with attacks is so high.”

What this means for the rest of us is unclear. Threat Level contacted  
Microsoft to find out if any part of the locked down Windows XP  
configuration got into general consumer versions of the software or  
has influenced how it configures future versions of its software. The  
company did not respond.

Top image: Brigadier General Gary T. Magonigle and Colonel Brian  
Dravis present Steve Ballmer with a plaque showing the Air Guard’s  
appreciation for Microsoft’s support of Guards and Reservists. (United  
States Air Force photo by Tech. Sgt. Douglas Olsen)


