US government to insist PCs are secured

Move may make it easier to run locked-down systems

The U.S. federal government has launched a program that will require federal agencies to insist on security standards from suppliers, a move that some argue will have a far-reaching impact on most large and medium-sized organizations buying PCs.

The government confirmed the move in a memo late last month and will roll the program out in several stages during the course of this year. By Feb. 1 of next year, all federal agencies will be required to use secure software configurations when they deploy Windows XP or Vista.

The scheme matters to the outside world because software suppliers who want to sell to the U.S. government will have to certify that their products work on operating systems set up to work securely, said Alan Paller, director of research at the SANS Institute security research center, in a recent memo.

Currently, organizations have no way of knowing in advance whether securely configuring Windows will break their applications. The new U.S. government program could make things simpler for IT managers by providing clearly understood standard security configurations that are backed by the federal government's purchasing power, Paller said.

"It provides the incentive (US$65 billion in U.S. government IT purchasing each year) and confidence (agreed-upon configurations) to allow every software vendor to ensure and affirm the software they sell works on the secure configurations," he wrote. "That takes the pain out of secure configuration and rapid patching."

Paller said secure configurations could slow the spread of botnets, reduce patching delays and stop many attacks directly.

"This initiative will affect every medium and large buyer of computers running Windows software," Paller wrote.

Other industry observers have cautioned against treating secure configurations as a panacea. Indeed, Microsoft's attempt to make Vista more secure by default has had a rocky debut, with widespread criticism of its implementation of User Account Control (UAC).

UAC is designed to allow user accounts on Windows to run as non-administrators by default, but has introduced so many additional problems that some have said it is worse than useless.

Many of the security features of Vista are also part of the US government's recommended secure configuration for Windows XP. The configuration recommends, for instance, running the system with limited user privileges, switching off the automatic launching of Java, JavaScript and ActiveX applications, and requiring security utilities.

"These configurations were developed in collaboration with the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Microsoft," wrote Karen Evans, administrator with the Office of E-Government and Information Technology, in the memo last month. "These same organizations recently established common security configurations for Microsoft Vista."

On April 11 federal chief information officers will be briefed by the Air Force, which has been piloting secure configurations. Later in the month the government will begin making securely configured images available.

The federal Office of Management and Budget (OMB) memo on the new program is available from the White House's website.
