IRL: Steve Adegbite
Rank: Senior Security Program Manager Lead
Likes: Reverse Engineering an obscene amount of code and ripping it up on a snowboard
Dislikes: Not much but if you hear me growl…run
Hey, Steve here. Just finally settling back in after traveling a bit, meeting up with different parts of the security ecosystem. It was good to get out and see firsthand events like CanSecWest, and most recently Black Hat Amsterdam where I met with security specialists in and around the EU. Now that I am back in the States, I have caught up on my reading. I came across this article about what the US Air Force did to ensure that every computer delivered to them was in a set and secure configuration. This is a great approach and, if you can do it, I highly recommend it because the alternative is to bolt on security at the end, and that is always costly and not fool-proof.
There is, however, a part of the article that is unclear. The article talks about how Microsoft was pressured into releasing special Windows XP versions for only the Air Force and government agencies. This is just not true.
Anyone can build their own “locked down” versions of Windows XP. They are available to anyone and everyone, not just government agencies or the Air Force. The security guidelines used as the basis of these configurations are publicly available as part of the Security Compliance Management Toolkit Series. By the way, I recently reviewed the section about securing Windows XP. These guides have been offered for some time and they are pretty good.
Regular home consumers and system administrators of enterprise IT shops can use these guides to help increase protections for themselves and their environment as part of a defense-in-depth strategy. If enterprise IT shops use these guides as a baseline for providing preconfigured workstations to their customers, or if they later configure the workstations via scripts or Group Policy Object (GPO)s to the secure baseline outlined in the guides, they would reduce a significant risk point to the enterprise by not introducing unsecure workstations to their secure environment.
A workstation can be adjusted or not adjusted depending on its use or need. This also helps with the task of configuration management as anything in the environment would be configured to an established, secure baseline that is current with security updates. Anything else is a deviation and should be segmented or investigated often to assess its security.
Another thought for Enterprise IT shops is that they use these publicly available guides to work with their procurement process, or directly with desktop hardware suppliers, to ensure that any workstation delivered or purchased comes preconfigured to this secure baseline. This saves time and worries for the IT staff because by following these guidelines, any machine joining a network is already in a semi-secure state. I say semi-secure because IT staffs would still need to ensure that the workstation has all the latest and greatest updates from Windows Update, or a corporate managed update provisioning server like WSUS..
By following these hardening guidelines, some of the security basics will be taken care of, like enforcing complex passwords by the operating system. This saves time and effort when trying to secure one’s own systems. Every little bit does help.
As I said earlier, these security configuration guides are public and located here: Security Compliance Management Toolkit Series. We would love to hear feedback on the guides. You can contact the team that created them directly at secwish@microsoft.com.
‘Till next time,
Steve
*Postings are provided “AS IS” with no warranties, and confers no rights.*