Feds endorse guide for Windows security

New benchmarks published last week by a broad coalition of federal and private organizations could vastly improve the security of systems throughout government agencies, experts say.

The first step in that process is a set of security configuration recommendations called Consensus Baseline Security Settings for Microsoft Corp. Windows 2000 Professional. They are designed to help agencies ensure that their Windows-based workstations are properly configured to protect against external and internal cyberattacks.

Moreover, this initiative could serve as a model for future benchmarks that could be applied to other network protocols and systems, proponents say.

Predefined security settings will take some of the burden of securing systems off the shoulders of overworked systems administrators, who also may lack an in-depth knowledge of network security, said John Gilligan, chief information officer for the Air Force.

"Increasingly, software products are [becoming more] complicated with large numbers of settings," Gilligan said. "Often, administrators have to set the software for security. Putting this extra burden on over-tasked systems administrators who don't have the proper [security] insight is not the way to go."

Too often, security breaches in both the public and private sectors are caused by software running on network devices that have not been configured with appropriate security settings or lack the latest fixes and updates that would prevent new security vulnerabilities. About 80 percent of the successful penetrations of government systems are due to attackers exploiting vulnerabilities, Gilligan said.

The baseline security settings "give systems administrators the tools to implement standards that can be easily updated as they learn about new threats," said Richard Clarke, special adviser to the president for cyberspace security. The collaboration also demonstrates how the proposed Homeland Security Department should unfold, he added, with the private sector and government working together to protect the nation's critical infrastructures.

Agencies can protect their systems by downloading the benchmarks, free of charge, from the Center for Internet Security (www.cisecurity.org).

All Air Force installations will deploy the benchmark and scoring tool, Gilligan said, adding that all CIOs in the federal government should plan on doing so, though their participation is not mandated.

"I would also endorse continuation of the collaboration [between federal agencies and the private sector] to address a broader set of products" for the future, he said. Results of this collaboration can be shared with software vendors, so off-the-shelf software will conform to the security baselines, he added.

***

Windows lockdown

The Consensus Baseline Security Settings for Microsoft Corp. Windows 2000 Professional workstations were developed and endorsed by a broad group of Windows security experts from key government and industry organizations.

Participants included:

* General Services Administration

* National Institute of Standards and Technology

* Defense Information Systems Agency

* National Security Agency

* SANS Institute

* Center for Internet Security