Information Security News mailing list archives

Feds endorse guide for Windows security


From: InfoSec News <isn () c4i org>
Date: Tue, 23 Jul 2002 02:17:26 -0500 (CDT)

http://www.fcw.com/fcw/articles/2002/0722/pol-win-07-22-02.asp

By Rutrell Yasin 
July 22, 2002

New benchmarks published last week by a broad coalition of federal and
private organizations could vastly improve the security of systems
throughout government agencies, experts say.

The first step in that process is a set of security configuration
recommendations called Consensus Baseline Security Settings for
Microsoft Corp. Windows 2000 Professional. They are designed to help
agencies ensure that their Windows-based workstations are properly
configured to protect against external and internal cyberattacks.

Moreover, this initiative could serve as a model for future benchmarks
that could be applied to other network protocols and systems,
proponents say.

Predefined security settings will take some of the burden of securing
systems off the shoulders of overworked systems administrators, who
also may lack an in-depth knowledge of network security, said John
Gilligan, chief information officer for the Air Force.

"Increasingly, software products are [becoming more] complicated with
large numbers of settings," Gilligan said. "Often, administrators have
to set the software for security. Putting this extra burden on
over-tasked systems administrators who don't have the proper
[security] insight is not the way to go."

Too often, security breaches in both the public and private sectors
are caused by software running on network devices that have not been
configured with appropriate security settings or lack the latest fixes
and updates that would prevent new security vulnerabilities. About 80
percent of the successful penetrations of government systems are due
to attackers exploiting vulnerabilities, Gilligan said.

The baseline security settings "give systems administrators the tools
to implement standards that can be easily updated as they learn about
new threats," said Richard Clarke, special adviser to the president
for cyberspace security. The collaboration also demonstrates how the
proposed Homeland Security Department should unfold, he added, with
the private sector and government working together to protect the
nation's critical infrastructures.

Agencies can protect their systems by downloading the benchmarks, free
of charge, from the Center for Internet Security (www.cisecurity.org).

All Air Force installations will deploy the benchmark and scoring
tool, Gilligan said, adding that all CIOs in the federal government
should plan on doing so, though their participation is not mandated.

"I would also endorse continuation of the collaboration [between
federal agencies and the private sector] to address a broader set of
products" for the future, he said. Results of this collaboration can
be shared with software vendors, so off-the-shelf software will
conform to the security baselines, he added.

***

Windows lockdown

The Consensus Baseline Security Settings for Microsoft Corp. Windows
2000 Professional workstations were developed and endorsed by a broad
group of Windows security experts from key government and industry
organizations.

Participants included:

* General Services Administration

* National Institute of Standards and Technology

* Defense Information Systems Agency

* National Security Agency

* SANS Institute

* Center for Internet Security



-
ISN is currently hosted by Attrition.org
