[ISN] Air Force to standardize Microsoft configurations

InfoSec News isn at c4i.org
Fri Nov 26 01:13:49 EST 2004


Forwarded from: matthew patton <pattonme at yahoo.com>

--- InfoSec News <isn at c4i.org> wrote:

> http://www.nwfusion.com/news/2004/1119airforce.html
> 
> By Ellen Messmer
> Network World Fusion
> 11/19/04
> 
> The U.S. Air Force early next year will require its 525,000 personnel
> and civilian support staff to use a single and specially configured
> version of Microsoft's operating system and applications, said the
> military department's CIO.

right, so if "configured with security in mind" is defined the same
way DISA/USAF/USNAVY have defined "secured windows OS configuration"
then I seriously doubt they've accomplished anything really
productive. I'd settle for Office2004 fitting inside 50MB. That would
kill 90+% of the features that are unneeded cruft anyway and which
cause most of the problems. And then I wouldn't have to worry about
arcane voodoo to "secure" something that is as out of control as MS NT
let alone Office.

But from an attacker's standpoint I couldn't be more DELIGHTED at the
prospect of taking down all 525,000 users with one hole. Afterall,
instead of an ecosystem of varying configurations, I can come up with
one hole to rule them all. (Lord of the Rings reference) WHEN OH WHEN
will they learn that a single image is a lousy idea? I don't mean to
imply that we shouldn't have guidelines and group policy objects that
have a modicum of teeth to them but this is just begging for disaster
IMO.

For some reason whenever I design a GPO or strip an NT system (win2K
etc are just NT) my users bellyache about stuff not working like it
used to. I like to respond with, "well, you have no business doing
that as your normal user account. And if some piece of software is so
poorly written that it doesn't work now, go beat the vendor's door
down and demand they fix their bleeping product!" Hasn't been an
entirely popular stance for some reason. Can't imagine why...

Instead of negotiating 30+ contracts down to 2, I have a much more
useful bargaining chip. "The US Air Force (neigh the entire DoD) will
forthwith refuse to use windows in any form until you Microsoft can
fit it inside 100MB and strip it of every service and feature not
absolutely inseparable from the core functions of an OS as defined as
filesystem storage, memory allocation, process control, and basic UI.
The list of immediate rejection criteria includes even the smallest
vestiges of Internet Explorer. Ok, maybe 100MB is too small but a
fully fledged Linux box runs on 60MB or less. Barebones X11 adds a bit
more.

> "We're spending more money patching and fixing than buying
> software,"

Yo USAF, in case you missed the memo, the rest of the IT World has the
same issue.

> "We want Microsoft focused not on selling us products but to enhance
> the Air Force in our mission," said Gilligan, adding that he hoped
> the new effort would lead to the kind of support Microsoft could
> provide other organizations in the future.

"Hope"? That's all you guys got out of Balmer? Why don't we spring for
DEMAND and HOLD FEET TO THE FIRE instead?

> determined the transition costs would simply be too high.

probably true. Windoze admins who grace the ranks of gov't help desks
are more often than not, not exactly of superior quality. And many
have the utmost fear of anything CLI.





More information about the ISN mailing list