Friday, May 1, 2009

Microsoft Helps Air Force Create Secure Windows XP Configuration

It’s the most secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days. The only problem is, you have to join the Air Force to get it.

The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the SANS Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us.

Security experts have been arguing for this “trickle-down” model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is any indication, however, things might be changing.

Threat Level spoke with former CIO of the Air Force, John Gilligan, to get the details.

Gilligan, who served as CIO of the Air Force from 2001 to 2005 and now runs a consulting firm, said it all began in 2003 after the NSA conducted penetration tests on the Air Force network as part of its regular testing of Pentagon cybersecurity.

NSA pen-testers made Swiss cheese of the network, and found that more than two-thirds of their intrusions were possible because of poorly configured software that created vulnerabilities. In some cases, the culprit was an operating system or application that came bloated with unsecured features that were never re-configured securely by Air Force administrators. In other cases, systems that were configured securely became vulnerable later (for instance, when a system crashed and original software was re-installed without patches that had been on the system before the crash).

“It was really an easy target,” Gilligan says. “All the NSA had to do was scan the network.”

The Air Force, on the verge of renegotiating its desktop-software contract with Microsoft, met with Ballmer and asked the company to deliver a secure configuration of Windows XP out of the box. That way, Air Force administrators wouldn’t have to spend time re-configuring, and the department would have uniform software across the board, making it easier to control and maintain patches.

Surprisingly, Microsoft quickly agreed to the plan, and Ballmer got personally involved in the project.

“He has half-a-dozen clients that he personally gets involved with, and he saw that this just made a lot of sense,” Gilligan said. “They had already done preliminary work themselves trying to identify what would be a more secure configuration. So we fine-tuned and added to that.”

The NSA got together with the National Institute of Standards and Technology, the Defense Information Systems Agency and the Center for Internet Security to decide what to lock down in the Air Force special edition.

Many of the changes were complex and technical, but Gilligan says one of the most important and simplest was an obvious fix to how Windows XP handled passwords. The Air Force insisted the system be configured so administrative passwords were unique, and different from general user passwords, preventing an average user from obtaining administrative privileges. Specifications were added to increase the length and complexity of passwords and expire them every 60 days.

It then took two years for the Air Force to catalog and test all the software applications on its networks against the new configuration to uncover conflicts. In some cases, where internally designed software interacted with Windows XP in an insecure way, they had to change the in-house software.


In addition to the secure configuration, they also got Microsoft to install automated tools to update patches and to detect and prevent someone from altering the configuration.

Having a single configuration across the network greatly reduced the time it took to patch systems. Gilligan said it used to take the Air Force well over 100 days to install patches after new vulnerabilities were discovered, because the military’s network administrators had to test the patches against multiple configurations. Emergency patches that needed to be installed post-haste took 57 days to install, leaving systems vulnerable to intruders during that time.

“Once the flaw was known, then those who wanted to attack our systems could be developing attacks in that time,” Gilligan said.


But with a single configuration, all that testing is now done by Microsoft before it releases a patch, saving the Air Force time. An added benefit of the new configuration was a 40 percent drop in the number of calls to Air Force help desks.

“Turns out when you configure things properly and don’t touch them, they actually work pretty well,” Gilligan said.

The Air Force began the project in 2005 and finished installing the new configuration on systems in 2007. In contracts with hardware providers it demanded that vendors pre-load the special Windows XP configuration onto systems before delivering them to the Air Force.

The USAF saved $100 million on a five-year license agreement with Microsoft by consolidating more than 30 contracts — made possible by the fact that it was now able to buy a single standard configuration.

Most importantly, security of the system improved. Gilligan said 85 percent of attacks were blocked after the configuration was installed.
