Team tackles Windows security

Government, industry and academia have reached an initial agreement on a benchmark for securing Windows 2000

Government, industry and academia have teamed up to secure the most popular type of system being deployed on servers in the public and private sectors: Microsoft Corp.'s Windows 2000.

The National Security Agency and National Institute of Standards and Technology, in cooperation with the Center for Internet Security, the SANS Institute and Microsoft, have reached an initial agreement on a benchmark for securing Windows 2000 computers, said Alan Paller, director of research at the SANS Institute, a security education and consulting organization.

Paller said the joint action on Windows 2000 will lead to testing applications to ensure they work on securely configured systems and don't require users to sacrifice usability for security.

"Their effort will lead to automation of security configuration and testing, and it will lead to procurement language that allows federal agencies and commercial organizations to order securely configured versions of Windows 2000," Paller said, speaking May 8 at a Senate Governmental Affairs Committee hearing focused on critical infrastructure protection through public/private information sharing.

The NSA/NIST-led group also is working on security benchmarks for Sun Microsystems Inc. Solaris and Cisco Systems Inc. systems, Paller said, adding that "benchmarks for several other operating systems are in the pipeline."

He said that once the benchmarks are shared and tools become available to test systems, defending the nation's critical infrastructure will be made easier, especially when it comes to:

* Distributing patches.

* Stopping worms.

* Fixing infected systems (because there will be fewer of them).

* Stopping distributed denial of service attacks (because there will be fewer victims to use).

"If this committee can help ensure that federal agencies use their purchasing power to acquire safer systems from the vendors using consensus benchmarks, you will have an enormous effect on federal cybersecurity," Paller said.
