It's a bright Indian summer day in Manchester, N.H., but I won't need my sunglasses. On this day, I'm cloistered away with 21 IT professionals in a dark, windowless room at the local Holiday Inn for a hands-on tour of the Windows 2000 Professional Gold Standard security benchmark.
The idea behind the benchmark -- to establish a minimum baseline security configuration that every Windows 2000 Professional workstation should meet -- is not new. What is new is that several organizations, including the Center for Internet Security (CIS), the SANS Institute, four federal agencies and Microsoft Corp., have agreed to endorse a common security template. That fact begs the question: If everyone -- even Microsoft -- agrees that this is the absolute minimum security level that the business version of Windows 2000 must meet, why isn't this template offered with the default install?
The training session, a certificate program sponsored by the SANS Institute, has brought IT professionals from a mix of business, government and vendor organizations.
Implementing the recommended settings in the template isn't rocket science -- setting the minimum password length to eight characters, for example -- but there are about 300 specific changes that will take some time to review. Attendee Greg Owen, a senior network engineer at security consultancy Vibren Technologies Inc. in Boxboro, Mass., acknowledges that he sees nothing new here, but he views the benchmark as a positive step. "[It] should take some of the confusion out of the configuration for IT managers who don't know where to start," he explains.
The benchmark, which I download from the CIS Web site, also includes useful tools for auditing and implementing the security template. It consists of the Security Configuration and Analysis snap-in, which plugs into Windows' Microsoft Management Console; the CIS Security Scoring Tool, which rates the relative security of the computer before and after you apply the template settings; and the Gold Standard security template itself, which the snap-in applies and audits against.
I run the analysis tool on my laptop, with its freshly minted Win 2K install. It analyzes my machine and presents a side-by-side comparison of current and recommended settings.
The task of reviewing and thinking through the 300 or so recommended settings is a challenge. For example, you don't want to deploy a template that disallows removal of the NT file system media if your company uses Iomega Jaz drives to store and transport computer-aided designs or graphics files. Fortunately, you can customize your own baseline and merge in additional template layers for specific users or groups.
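To make the layering and side-by-side analysis concrete, here is an added example (not the CIS tooling or the article's own code) that parses .inf-style template excerpts, merges a site-specific layer over the baseline, and reports each setting as the snap-in would. The template text is constructed: only the eight-character minimum password length comes from the article, and the other values are illustrative, not the real Gold Standard numbers.

```python
import configparser

# Constructed excerpts in the .inf layout that secedit and the Security
# Configuration and Analysis snap-in consume.  Only MinimumPasswordLength = 8
# is from the article; the rest are illustrative, not Gold Standard values.
GOLD_STANDARD = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
"""

# Layer for a design group that must eject removable media (the Jaz-drive
# case): let interactive users format and eject (AllocateDASD value "2").
DESIGN_GROUP_LAYER = r"""
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"2"
"""

# Constructed stand-in for a fresh, unhardened Windows 2000 export.
CURRENT_MACHINE = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
"""

def parse_template(text):
    """Parse .inf-style template text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep registry paths exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_layers(*layers):
    """Baseline first; each later layer overrides matching keys."""
    merged = {}
    for layer in layers:
        for section, settings in layer.items():
            merged.setdefault(section, {}).update(settings)
    return merged

def analyze(current, recommended):
    """Rows of (section, key, current, recommended, status).  Like the
    snap-in, any difference is flagged; a reviewer still reads each row."""
    rows = []
    for section, settings in recommended.items():
        for key, want in settings.items():
            have = current.get(section, {}).get(key)
            status = "OK" if have == want else (
                "NOT CONFIGURED" if have is None else "MISMATCH")
            rows.append((section, key, have, want, status))
    return rows

def report():
    """Merge baseline + group layer, then compare the machine against it."""
    target = merge_layers(parse_template(GOLD_STANDARD),
                          parse_template(DESIGN_GROUP_LAYER))
    return analyze(parse_template(CURRENT_MACHINE), target)
```

Every row comes back flagged for the unhardened export, and the merged target carries the group's relaxed removable-media value while keeping the baseline's password and lockout settings.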
Running the scoring tool is pretty slick. It tallies up points for service packs and hot fixes as well as registry settings and ranks my machine on a scale of 1 to 10. My out-of-the-box install initially comes in at an anemic 1.4. But applying the patches and template boosts my score to 9.4 -- which sounds great until the instructor reminds me that I've merely come close to reaching the minimum level of security. This makes me wonder if the relative nature of this score might be lost on some users, who may gain a false sense of security from seeing that wonderful 9.4. Certainly, no user will ever successfully secure a system by aspiring to the baseline.
But our SANS Institute instructor is quick to remind us that the template won't be effective unless it's deployed within the context of a well-thought-out security policy. The current template doesn't apply to Windows 2000 Server or Windows XP (those are in the works), it won't protect workstations from application-level issues, and it certainly won't protect against sloppy management practices.
Broad acceptance will require more than just management behavior modification -- or a nationwide SANS training tour. A requirement that all government machines use the template will help. But ultimate success will come only when the operating system's creators legitimize the Gold Standard by including it as the default enterprise security template with Windows 2000 Professional. Microsoft says its goal is to have one consistent set of security templates. Surely, the Gold Standard should be part of it.