Can you make Windows XP so secure that the United States Air Force will use it in its systems? Well, apparently, you can, but you do have to talk to Microsoft. The USAF wanted a locked-down edition of Windows XP, and since they were in the midst of renegotiating the desktop-software contract with Microsoft, they decided to ask Steve Ballmer directly to create it for them. They did.
Former CIO of the Air Force, John Gilligan, spoke with Threat Level to explain how the USAF made all this work. It all started with the NSA, which performed several penetration tests on the Air Force network back in 2003. These tests showed that the network was Swiss cheese, and that “more than two-thirds of their intrusions were possible because of poorly configured software that created vulnerabilities”. In some cases, these were features that had never been locked down because they had never been used; in other cases, they were features that had been locked down, only to become vulnerable again later (for instance, a system was reinstalled but the patches were never reapplied).
So, the USAF talked to Ballmer, and the CEO actually got personally involved in the project. “He has half-a-dozen clients that he personally gets involved with, and he saw that this just made a lot of sense,” Gilligan said, “They had already done preliminary work themselves trying to identify what would be a more secure configuration. So we fine-tuned and added to that.”
The USAF worked together with several other agencies and Microsoft to create a single secure, locked-down configuration of Windows XP. They changed the way administrator passwords were handled, and Microsoft also implemented “automated tools to update patches and to detect and prevent someone from altering the configuration”. Overall, more than 600 settings were locked down.
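The two things attributed to Microsoft here, a fixed set of settings and tooling that notices when someone alters them, are what a configuration-drift check does. As an added example (not the USAF's or Microsoft's tooling, and not code from this article), the script below parses two exports in the INI-style layout that `secedit /export /cfg <file>` writes on Windows XP and later, reports every baseline setting that is missing or different on the current machine, and emits a minimal template that `secedit /configure /db <db> /cfg <inf>` could apply to put the drifted settings back. Both templates are constructed samples: the setting names are genuine secedit keys, but the values are illustrative and are not the Air Force's 600 settings.

```python
"""Drift check between a security-template baseline and a current export.

Added example, not the USAF's or Microsoft's code. Assumes both inputs use
the INI-style layout written by `secedit /export /cfg <file>` (real exports
are UTF-16; decode them before parsing). The sample data is constructed.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: real secedit key names, illustrative values.
BASELINE_INF = r"""
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 3
EnableGuestAccount = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoDisconnect=4,15
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""

# Constructed "current machine" export: shorter passwords, guest account
# enabled, one registry value missing, an extra group granted RDP logon.
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 3
EnableGuestAccount = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""


@dataclass(frozen=True)
class Finding:
    section: str
    setting: str
    expected: str
    actual: Optional[str]  # None: the setting is absent from the current export


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a secedit-style template into {section: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case; registry paths are case-preserving
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def _sid_set(value: str) -> set:
    return {s.strip() for s in value.split(",") if s.strip()}


def _same(section: str, expected: str, actual: str) -> bool:
    """Privilege assignments are SID lists whose order is irrelevant; everything
    else (including 'type,data' registry values) compares literally."""
    if section == "Privilege Rights":
        return _sid_set(expected) == _sid_set(actual)
    return expected.strip() == actual.strip()


def check_drift(baseline_text: str, current_text: str) -> List[Finding]:
    """Return every baseline setting that is missing or different in current_text.
    Settings present only on the current machine are not flagged: the baseline
    says what must hold, not what else may exist."""
    baseline = parse_template(baseline_text)
    current = parse_template(current_text)
    findings: List[Finding] = []
    for section, settings in baseline.items():
        live = current.get(section, {})
        for name, expected in settings.items():
            actual = live.get(name)
            if actual is None or not _same(section, expected, actual):
                findings.append(Finding(section, name, expected, actual))
    return findings


def remediation_template(findings: List[Finding]) -> str:
    """Build a minimal template re-asserting only the drifted settings, in the
    layout secedit exports use (registry lines carry no spaces around '=')."""
    by_section: Dict[str, List[Finding]] = {}
    for f in findings:
        by_section.setdefault(f.section, []).append(f)
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    for section, items in by_section.items():
        lines.append(f"[{section}]")
        sep = "=" if section == "Registry Values" else " = "
        lines.extend(f"{f.setting}{sep}{f.expected}" for f in items)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    drift = check_drift(BASELINE_INF, CURRENT_INF)
    for f in drift:
        state = "MISSING" if f.actual is None else f"is {f.actual!r}"
        print(f"[{f.section}] {f.setting}: expected {f.expected!r}, {state}")
    print(remediation_template(drift))
```

On a real host the inputs would come from `secedit /export /cfg current.inf` (decoded from UTF-16) and a signed copy of the approved baseline; the check only flags settings the baseline names, so an extra privilege holder or a missing registry value shows up while unrelated settings do not. Applying the generated template is a privileged operation and still needs the normal change process.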
This single locked-down configuration brings several advantages to the USAF, most importantly the ability to install patches within 72 hours instead of 57-100 days. Since they’re now using a single, consistent configuration, a lot less testing is involved when it comes to new patches. This testing is now done by Microsoft, and not by the USAF itself.
The USAF began installing this on systems in 2005 and finished in 2007. They also demand that vendors pre-load this configuration to make these systems secure out-of-the-box. The USAF saved 100 million USD because they now buy a single configuration instead of having 30 different contracts.
So, how secure is this system? Gilligan said that 85% of attacks are blocked by the new configuration. “Turns out when you configure things properly and don’t touch them, they actually work pretty well,” he added. The Air Force configuration is now in use in many other departments because it has been such a success.
Gilligan also said that he hopes that this project marks the beginning of the end of companies arrogantly resisting locking down their products. “They’re still in the model that they want to give all the features enabled to clients,” he said, “But I think we’ve reached a point where that model is one that is no longer effective. I’m of the opinion that all products ought to be configured with these locked-down configurations, and if the customer decides they want to undo them, then they can do that. They cannot continue fielding products where the cost that is being borne by the consumer in terms of having to maintain configurations and deal with attacks is so high.”
Don’t know what I should think about this.
There are two points that annoy me:
– XP is 10 years old, it’s damn old technology for the Air Force
– Microsoft says Vista is more secure in every point. I think a locked-down Vista would be more secure. You can’t take Windows 98 and say “it’s locked down, it’s more secure than XP” because there are technologies that are just missing in the older operating system.
Did you see the time frame? This project was started WAY BEFORE Vista got out. Changing operating systems is not something to be taken lightly for such an important institution as the USAF, where lives may be at stake.
In addition to that, Windows XP might be old, but it IS tried and true by now. In addition, I’m sure Microsoft backported some of Vista’s security features to this special version of Windows XP.
Edited 2009-05-03 09:42 UTC
Well given the fact it takes about 10-15 years to deploy a new weapons system, the fact they are using XP and not DOS is A+
If lives may be at stake, then why use their products in the first place?
I took a look at the NIST site for this program when I first saw this news item. I don’t think there’s any code change involved here (though the USAF and other militaries probably get wind of patches and known security issues before the general public). What these guys have is a specific security template, a system to convert between an XML security description language and a set of actions to change the system configuration, and a set of policies specified in that XML language. The configuration system applies to Vista as well (there are policies available on NIST’s site for both OSes).
Or the other way around, they created this first and used it as a base for Vista.
I believe Windows Server 2003 was the base for Vista.
Yes, that’s what they say. But it’s all from the marketing department.
Loser boy Gilligan is ancient history. Vista is the current standard configuration and it’s at the federal level. All you need is one image of a standardized configuration, so without writing any additional code, it happened. Everyone is put into the “user” category and essentially no executables will run and anything with the associated shield cannot be changed without admin privs. Every day the grass is mowed anyway so if your configuration doesn’t match what it’s supposed to be your box gets reset. As for his comment about “arrogant apps”, Gilligan’s an arrogant ass, seeing as how he’d go to money bags Ballmer but not to help others design software compatible with the configurations. So, bottom line is that there’s no code written that gives the g-men/babes access to your system. The Chinese and Russians are probably already in your box anyway.
why Microsoft is able to get away with basically anything they want to here in the US, and got off with a slap on the wrist with regards to their monopolistic bs.
Here’s the U.S, everyone, in all its corporate glory. Get a good look, and spit in disgust.
On top of that… what’s next? Microsoft is personally involved with the government. Now, call me paranoid if you wish–and you may very well be right–but it’s not that far of a stretch to move from building a special, locked down version for the government to building certain… shall we say… unlocked points into everyone else’s system in the name of security of the state, is it? That assumes, of course, that it hasn’t happened already. The whole NSAKEY thing was basically dismissed as conspiracy and perhaps that was… or was it? Who can tell.
I cannot help but be concerned at such a close partnership between branches of our military and government (which has taken some alarming steps in recent years) and a company that violates many of our own antitrust laws in spirit even if not convicted and also has a vested interest in control of their own sort to ensure their dominant position. A very dangerous combination in my opinion.
Edited 2009-05-03 10:18 UTC
Well, if you’re going to go that far you’ll have to avoid Linux too; the NSA is responsible (at least originally) for the SELinux security systems within the kernel.
Yes, but at least we can view the source.
I pray to every god ever conceived by the fearful mind of man that the USAF and the US.gov were smart enough to demand FULL source access – and then build their OWN copy of the OS. OR at least have code audits to check for back doors! I would NOT want to entrust my security to one company that did not divulge the source for its products.
This is the government, they should have build & process auditing as a standard stipulation of attaining a government contract – regardless of product.
–The loon
Microsoft does have programs for source access for partners and academia
http://en.wikipedia.org/wiki/Shared_source
Build and process auditing are irrelevant (not to mention a bit weird), but I agree that they should be at least EAL 4 (Methodically Designed, Tested, and Reviewed) certified.
I worked in OpenVMS Security and the Gov’t approval process is very long and drawn out. I do not remember whether or not they are allowed access to anything they want, but the product must meet standards set forth by the gov’t for approval process. It was a long time ago, but I DO remember people sweating for many months at a time just for point releases. But who knows if things have changed.
Yeah. But if the NSA is spying on us that way it’s only Fedora and Red Hat users that are in danger.
SELinux has been in mainline for a while now.
Both internal and external apps were so poorly programmed that it took them two years to lock everything down. Long live closed source products!
“It then took two years for the Air Force to catalog and test all the software applications on its networks against the new configuration to uncover conflicts. In some cases, where internally designed software interacted with Windows XP in an insecure way, they had to change the in-house software.”
Really, I am not sure this article says all that much that is positive about Microsoft or the Air Force, other than if you spend lots of time fixing a configuration, you may be able to improve it.
A product should be secure out-of-the-box.
Why XP, why not CE?
http://en.wikipedia.org/wiki/Windows_CE
I agree
Problem: Windows XP ships with default options that make it insecure.
Problem: Air Force IT guys tried to set secure options, but all of them had a different idea of what was secure.
Problem: Sometimes security was compromised by Air Force IT guys because other software required insecure options.
Problem: Different security options made internal testing of security patches time consuming.
Solution: The military decided to standardize security-related settings from the top down.
Upside: Internal testing of security patches is much faster.
Upside: IT guys had a mandate to get rid of software that required insecure options.
Upside: Everyone now knows (rather than thinks) their system is secure.
Upside: Microsoft now ships a secure-by-default configuration to the Air Force and its suppliers.
Conclusions:
(At least to me.)
Microsoft has created a secure product, even in XP.
Secure products don’t sell, so they plaster on insecure features.
Secure products don’t sell, so they made it more convenient by using insecure defaults.
Microsoft finally found a customer who was willing to pay for security above features and convenience, so they cleaned XP up for them.
I think you got it exactly right. This is more about configuration than about the design or inherent vulnerabilities.
Newer OSes than XP have a different view of the world and have come more locked down by default.
You are closest in your analogy, except the IT guys aren’t mandated to get rid of software.
Microsoft did not create anything different from what is on the OS CD.
Folks go through the entire OS and essentially flick switches until they come up with the configuration they want.
There are several billing levels, the single consumer at one while bulk is at another.
If one of your customers has a couple million licenses, it makes good business sense to ensure that big paying customer’s requirements are met.
It’s not that secure products don’t sell… it’s that people want their software to work and all the flashy features turned on. Since most software out there was programmed with the notion of having full control of the PC, and did many things it shouldn’t, it’s been a pain for MS to move towards a secure system.
But they have been doing it, they cleaned up the system more with XP and locked it down more with Vista… there are annoyances, but those will be polished and we will get more used to it. Soon we won’t notice it anymore as the extra steps will be normal.
[It’s funny that people get annoyed about Vista’s UAC dialog coming up all the time, but in Linux you need to enter your password to do administrative stuff, including installing software]
> [It’s funny that people get annoyed about Vista’s UAC dialog coming up all the time, but in Linux you need to enter your password to do administrative stuff, including installing software]
I think that UAC complaints are both fair and unfair to Vista. In Vista, it gives the definite impression of being an after-the-fact add-on because you often have to go through a couple of layers of dialog boxes just to confirm an action. I’ve never seen that behaviour on Ubuntu or Mac OS X. It is also worth questioning the effectiveness of this process, because they only ask you to click a button when you are performing an administrative action from the administrative account (which is going to be the default account in setting where security isn’t an issue, like in homes or small offices). That means it’s easy to confirm something through an act of habit.
I’m also not convinced that UAC would help security in a military type environment. UAC is there to make privileged operations more convenient to complete by negating the need to work in an administrative account (which is what I had to do in Linux systems way back then). That’s great for homes and small offices where people want to fiddle around with such things at will. But military systems shouldn’t require that degree of privileged intervention. Indeed, part of the purpose of this specialized Windows distribution appears to be the creation of a standardized system. So you don’t want too many privileged operations taking place that will make that standardized system non-standard.
If all it asks you to do is click a button, you are running under the administrators group, which you should not be doing. Vista asking you to hit OK is like running as root on Linux, the only difference is that the admin token doesn’t get implicitly passed to any action you take. If you run as a non-admin, you will get a box asking you to enter the credentials of someone who is an admin.
There is also a lot more than UAC to Vista’s security improvements over XP. UAC is just what end users tend to encounter.
Software can be installed anywhere you like. Administrating the system through the package manager then again is a job belonging only to the system administrator.
Hi,
I think the NSA Guides are a _really_ good starting point to make your Windows secure. Microsoft should suggest it everywhere:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operat…
But I guess home users could block about 90% of attacks with automatic updates, disabled JavaScript and text-only emails.
And then there’s the usual suggestion of using some other OS and (perhaps) hardware that actually has been designed to deal with these issues in mind from the beginning.
If this was started in the late 90’s, at that time sun was probably a runner up. The problem was that sun was charging 5-10x as much for hardware that never was as fast as its more mainstream competition.
What a lot of people seem to forget is that XP is based upon NT and that NT was designed with security in mind. Microsoft may have botched it through both implicit decisions (such as bad coding) and explicit decisions (such as making it more marketable), but that doesn’t mean that XP isn’t salvageable.
There are other factors to consider here. The article mentioned taking advantage of technology that trickles down to them, rather than succumbing to NIH syndrome. That means two things: they now have hundreds of millions of people offsetting their costs, and hundreds of millions of people doing basic testing for them. Which is a heck of a lot better than the government spending billions of dollars to reinvent the OS, something which will never benefit anyone outside of the military.
Another advantage of using a broadly deployed technology is access to skilled labour. The military themselves may be able to get away with training their own personnel. (Or maybe not. It depends upon the scope of skills needed.) Military contractors would have a much harder time. So it is an issue on at least one end, and maybe both.
They’re making it sound like more than it really is. This isn’t some re-engineered version of XP. You can greatly increase the security of Windows by ensuring it’s patched and changing some configuration options. Many large companies do this and make a more secure base image to install on all PCs. The Air Force had been doing that as well, the only difference was that before it was at the base, maybe MAJCOM level, and now it’s merely a single image for the whole Air Force. Also, this isn’t just an XP thing, it’s been out for a while. The Air Force is now in the midst of rolling out SDC 2.0, which is Vista-based.
Is the Virtual Windows XP image that is coming with Windows 7 pre-locked-down?
…I’m still amazed by the fact that more U.S. Government agencies aren’t adopting OpenBSD as their O.S. of choice. If the damned thing needs to be secure, why screw around with anything else? It’s pretty hard to argue against OpenBSD when it comes to security, because this O.S. is built and coded with this exact principle in mind.
Each operating system excels at something, and OpenBSD is the King of Security.
I disagree, who would support all the different apps to get OpenBSD set up as a desktop OS, X, the GUI, all the other apps, OpenBSD people? I don’t think so, I think that might be a worse nightmare to implement OpenBSD at the time compared to XP.
Sure openBSD will be pretty locked down with defaults and no X, but seriously you think the AF is gonna move their people back to no GUI and retrain everyone?
We have a financial crisis and they have no money to invest in new software. My GOD!
Hah! And like that would stop them if they had their minds set on it? Look at everyone we’re bailing out even though we don’t have the money to waste… I’d say we’re wasting plenty already. To be honest, if it came right down to it, I’d rather see it wasted on our own government than on businesses who should be reaping the consequences of their poor decisions rather than lining up for handouts and at the same time pulling us deeper into a hole. If you make poor decisions as a business, you fail. Why are we going out of our way to avert the idiots receiving the proper consequences for their idiocy?
Because those “idiots” control the government.
All of this sounds like part of a story line from Tom Clancy. All we need now is for those big bad Reds, ie China, to find the remaining loopholes and exploit them.
Edited 2009-05-04 11:11 UTC
Regardless of Windows’ merits, why they use Windows is basic IT history.
Yes, they are locked into a Windows environment and that arose from the move away from green screen terminals to distributed, client-server networks with affordable desktops. Just like every other major enterprise, it got away from them, with each unit running its own purchasing and administration with all that entailed. The USAF made a concerted effort to manage their assets, just like most other large enterprises have been doing over the last few years.
In the mid-90s when the client-server concept was going like gangbusters, Linux wasn’t a real player, and OS 7/8/9 was unsuitable for the enterprise. Like it or not, Windows systems, dominating the IBM office compatibles, are the foundation of the systems most enterprises use today.
When people say “just scrap it and throw it all away” they only reveal their ignorance. Even if all the software were free, the scale of the effort would probably cost more than Iraq and Afghanistan combined.
Conservatively.
Used DOS, first versions of windows, loved Win95, didn’t see any need for Win98, then finally moved to XP and found it would install just about anything. After 10K of apps later I was surprised when a new Vista machine couldn’t do what XP could. So to put food on the table I stuck with XP.
Is this more secure (or “locked down”) version of XP available to us long time users? Would it be of any value or a more difficult GUI to use?
Have some official name?
Downloadable?
Thor