Team tackles Windows 2000 security

Government, industry and academia are working together to create a secure version of Microsoft Windows 2000

Government, industry and academia are working together to create a secure version of Microsoft Corp.'s Windows 2000, one of the most widely used operating systems in government but one that has been criticized for numerous security weaknesses.

The effort, which includes the National Security Agency and the National Institute of Standards and Technology, will define a standard configuration of Windows 2000, which agencies can use when setting up systems or specify when buying computers.

Although some security flaws in Windows 2000 require software patches, others emerge depending on how administrators and users configure their systems.

NSA and NIST, working with the Center for Internet Security (CIS), the SANS Institute and Microsoft, have reached an initial agreement on a benchmark configuration that agencies can use, said Alan Paller, director of research at the SANS Institute, a security education and consulting organization.

Paller, speaking May 8 at a Senate Governmental Affairs Committee hearing on critical infrastructure protection through public/private information sharing, said the joint action on Windows 2000 would lead to testing applications to ensure they work on securely configured systems and don't require users to sacrifice usability for security.

"Their effort will lead to automation of security configuration and testing, and it will lead to procurement language that allows federal agencies and commercial organizations to order securely configured versions of Windows 2000," Paller said. "If this committee can help ensure that federal agencies use their purchasing power to acquire safer systems from the vendors using consensus benchmarks, you will have an enormous effect on federal cybersecurity."

The configuration, to be released soon, will specify settings for security features, for the operating system registry (which stores configuration information) and for audit features, along with information on patches and up-to-date fixes.

Clint Kreitner, president and chief executive officer of CIS, said a final draft should be completed and sent to Microsoft for comment by early this week. He added that because company officials were involved in the process, he hoped that it wouldn't take more than a week for them to respond.

"We definitely want to go public this month," Kreitner said. "This is a security configuration benchmark way down in the weeds for Windows 2000 professional workstations. We want to make sure that it won't interfere with any of their software that might be running" on those machines.

Sean Finnegan, security program manager for Microsoft's federal division, said the company has copies of a few earlier drafts of the benchmark and is reviewing those settings in anticipation of receiving the final copy. "We're very supportive of this effort that brings all the security minds together to determine security configurations for everybody," he said.

Finnegan said he wasn't aware of any timeline being established within Microsoft for responding to the final benchmark or making it public because "there are different people touching in different ways, and it needs to be vetted properly."

In addition to the benchmark, CIS also has made available a software tool on its Web site (www.cisecurity.org) that compares a user's current setup to a security benchmark and provides a score based on that comparison.

"This group will provide users with a security configuration benchmark and also an access tool to continually monitor the status of all their settings," he said, adding that for up-to-date patches and hot fixes, users will be directed to a Web site to obtain the information they need.

John Pescatore, research director for Internet security at Gartner Inc., said security benchmarks in general are a very good idea, but this one "is not a real big deal" because NSA, NIST and Microsoft have already issued their own Windows 2000 benchmarks.

"This is just kind of a sanding off of the slight differences between those," said Pescatore, adding that he was more enthusiastic about the CIS grading tool. "That's better than using a vendor-provided tool, which doesn't do things the way you want to do them" because it's from the same company that provided the insecure product in the first place.

The downside is that agencies and businesses still must test a costly patch "in a development environment to make sure it doesn't [disable] their other applications," he said. The ultimate goal is still for Microsoft to produce products that require fewer patches and other fixes.

The group is working on security benchmarks for Sun Microsystems Inc.'s Solaris and Cisco Systems Inc. products, said Paller, adding that "benchmarks for several other operating systems are in the pipeline."

***

Securing the premises

The National Security Agency and other organizations are developing a benchmark configuration for Microsoft Corp. Windows 2000 for agencies to use in procuring or setting up secure systems.

The configuration, expected to be released soon, will address:

* Security settings

* Permissions

* Registry settings

* Audit settings

* Patches

* Up-to-date hot fixes
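As an added illustration, not code from CIS or from the benchmark the article describes, the following Python sketch shows the compare-and-score step that the CIS tool (described earlier in the article) performs against a setup, using the configuration categories the sidebar lists. Every check name, expected value and "current setup" value here is a constructed placeholder, not an item from the real Windows 2000 benchmark.

```python
"""Constructed example of a benchmark-compliance scorer (not the CIS tool)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    category: str   # one of the sidebar's configuration categories
    name: str       # hypothetical setting name, not a real benchmark item
    expected: object
    weight: int = 1 # heavier checks count more toward the score


# Constructed benchmark items grouped by the categories the sidebar lists.
BENCHMARK = [
    Check("Security settings", "MinimumPasswordLength", 8, 2),
    Check("Security settings", "LockoutBadCount", 5),
    Check("Permissions", "Everyone_FullControl_on_SystemRoot", False, 2),
    Check("Registry settings", "RestrictAnonymous", 1, 2),
    Check("Audit settings", "AuditLogonEvents", "Success,Failure"),
    Check("Audit settings", "AuditAccountManagement", "Success,Failure"),
    Check("Patches", "ServicePack_PLACEHOLDER_installed", True, 3),
    Check("Up-to-date hot fixes", "Hotfix_PLACEHOLDER_installed", True),
]

# Constructed snapshot of one workstation's current state (hypothetical values).
CURRENT_SETUP = {
    "MinimumPasswordLength": 6,
    "LockoutBadCount": 5,
    "Everyone_FullControl_on_SystemRoot": False,
    "RestrictAnonymous": 0,
    "AuditLogonEvents": "Success,Failure",
    "AuditAccountManagement": "None",
    "ServicePack_PLACEHOLDER_installed": True,
    # the hotfix key is deliberately absent: a missing value fails the check
}


def score(benchmark, setup):
    """Return (percent_of_weighted_checks_passed, list_of_failures)."""
    earned = total = 0
    failures = []
    for c in benchmark:
        total += c.weight
        actual = setup.get(c.name)          # None when the setting is absent
        if actual == c.expected:
            earned += c.weight
        else:
            failures.append((c.category, c.name, c.expected, actual))
    pct = round(100 * earned / total, 1) if total else 0.0
    return pct, failures


if __name__ == "__main__":
    pct, failures = score(BENCHMARK, CURRENT_SETUP)
    print(f"score: {pct}%")
    for category, name, expected, actual in failures:
        print(f"  FAIL [{category}] {name}: expected {expected!r}, found {actual!r}")
```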