U.S. military to standardize Windows hardening

January 16th, 2007 Posted by D Webber

The lede of today’s SANS Newsbites claims that the U.S. military is about to start using standardized "secure configurations" of Windows operating systems across all services:

"Over the next several weeks, you’ll begin to hear about US military services standardizing on secure configurations of common operating systems (VISTA and XP to start) (1) so they can avoid costs and errors of tens of thousands of sites doing their own hardening, (2) so they can get the operating system vendors to test patches on the standard configurations before releasing them – so patches can be installed much more quickly, and (3) so they can ensure application vendors deliver software that doesn’t force configuration changes that conflict with their standard configuration."

If true it’ll be interesting to see how successful the initiative is. The article implies that the "secure configurations" used will be the well-known benchmarks published by the SANS-related Center for Internet Security. The article also claims that civilian government branches "will quickly take advantage of the work done by DoD", but that may be only wishful thinking.

Adopting specific baselines for system hardening sounds like a good idea. I’ve used the CI Security benchmarks over the years and in general they cover the basics. Where I find them most useful, though, is as a seemingly authoritative source I can point to, such as when support staff scream that my system hardening recommendations are "baseless, unprecedented, and will make every application completely unusable," which seems to happen a lot.

The security standardization efforts throughout the U.S. Government are in dramatic contrast to the approach of the Canadian federal government. The most recent security push here in Canada was that all federal departments were to comply with the MITS standard by December 2006. However, rather than being a set of policies and baseline standards for everyone to follow, MITS is a loosely defined framework that each department is to use to develop their own policies and standards. Loose as it is, there is no auditing… departments are "compliant" if they say they are.

Of course forcing narrow technical standards also has drawbacks. Every organization uses different products and has to accommodate various mixes of legacy and custom-developed apps. A technical mandate like "thou shalt only use NTLMv2 authentication for Windows" just isn’t viable in every environment.
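As an added illustration (not code from the post or from CIS/DoD), here is a small PowerShell audit that compares a host's LSA settings against a baseline and lets a department record a documented local exception for a setting it cannot meet; the baseline values, the exception text and the assumption of Windows PowerShell 3.0 or later are all mine, not the published benchmark numbers.

```powershell
# Added example: audit local LSA settings against an assumed hardening baseline.
# Values below are illustrative assumptions, not the CIS or DoD benchmark numbers.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @(
    # 5 = send NTLMv2 only and refuse LM and NTLM; the "NTLMv2 only" mandate
    @{ Name = 'LmCompatibilityLevel'; Path = $Lsa; Minimum = 5 }
    # 1 = do not store LM hashes of passwords
    @{ Name = 'NoLMHash';             Path = $Lsa; Minimum = 1 }
    # 1 = restrict anonymous enumeration (assumed baseline value)
    @{ Name = 'RestrictAnonymous';    Path = $Lsa; Minimum = 1 }
)

# Documented local exceptions: setting name -> justification (placeholder text)
$Exceptions = @{
    'LmCompatibilityLevel' = 'legacy app needs NTLM; exception record <TICKET-ID placeholder>'
}

function Test-HardeningBaseline {
    param([array]$Baseline, [hashtable]$Exceptions = @{})
    foreach ($item in $Baseline) {
        # Missing value means the Windows default applies; report it rather than assume it is safe
        $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        if ($null -eq $actual)                     { $status = 'MISSING' }
        elseif ($actual -ge $item.Minimum)         { $status = 'OK' }
        elseif ($Exceptions.ContainsKey($item.Name)) { $status = 'EXEMPT' }
        else                                       { $status = 'DRIFT' }
        [pscustomobject]@{
            Setting  = $item.Name
            Expected = ">= $($item.Minimum)"
            Actual   = $actual
            Status   = $status
            Note     = $Exceptions[$item.Name]
        }
    }
}

Test-HardeningBaseline -Baseline $Baseline -Exceptions $Exceptions | Format-Table -AutoSize
```

An EXEMPT row still shows the real value, so the drift from the baseline stays visible to auditors instead of disappearing behind a self-declared "compliant".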

Then there are the risks of everyone having exactly the same settings… a hardening monoculture. Adopting baseline settings for Windows means less re-invention and helps ensure the basics are covered, but omissions in the baseline mean identical vulnerabilities across all organizations. Also, the baseline has to evolve as new vulnerabilities are discovered and new variants of the multitude of Windows operating systems are released… governments tend to take their time with standards, and may not be able to keep up as service packs and new Windows variants are released.

Individual departments are also extremely reluctant to modify settings specified from "on high", even when a worm is rampaging through the network by exploiting a vulnerability in those settings. Tying vendor patches and application compliance to the baseline, as the SANS story claims, will increase that reluctance.

Posted in Computer industry

2 Responses to “U.S. military to standardize Windows hardening”:

  1. Mike Says:

    SANS and CIS are certainly great places to get Windows hardening guidance, as is NSA. But don’t forget Microsoft’s own security guides for Vista at http://www.microsoft.com/technet/windowsvista/security/guide.mspx and XP at http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx – both of which are quite useful.

    Ultimately any security guidance must be customized for your personal balance between security and usability. All of these provide great starting places to either tighten or loosen security based on your specific needs. Webber, you’re right on with the “A technical mandate like ‘thou shalt only use NTLMv2 authentication for Windows’ just isn’t viable in every environment” comment. While that might work for me, it wouldn’t work for many other folks.

  2. The coming Russian Cyber War « How-Dare-I Says:

    [...] one level, it is scary, but on another, very interesting to see what happens, how the US and others harden their systems, and in general, how serious it is taken. I find myself thinking that [...]