Former CIO of the Air Force, John Gilligan, spoke with Threat Level to explain how the USAF made all this work. It all started with the NSA, which performed several penetration tests on the Air Force network back in 2003. These tests showed that the network was full of holes, and that "more than two-thirds of their intrusions were possible because of poorly configured software that created vulnerabilities". In some cases these were features that had never been locked down because they had never been used; in other cases they were features that had been locked down, only to become vulnerable again later (for instance, when a system had to be reinstalled and the patches were never re-applied).
So, the USAF talked to Ballmer, and the CEO actually got personally involved in the project. "He has half-a-dozen clients that he personally gets involved with, and he saw that this just made a lot of sense," Gilligan said, "They had already done preliminary work themselves trying to identify what would be a more secure configuration. So we fine-tuned and added to that."
The USAF worked together with several other agencies and Microsoft to create a single secure, locked-down configuration of Windows XP. They changed the way administrator passwords were handled, and Microsoft also implemented "automated tools to update patches and to detect and prevent someone from altering the configuration". Overall, more than 600 settings were locked down.
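As an added illustration of the drift-detection idea described above (this is example code, not the USAF's or Microsoft's tooling): a small PowerShell check that compares a host against a baseline of registry-backed settings and reports, or optionally restores, anything that has been changed. The baseline values are constructed for the example and are not the actual Air Force configuration.

```powershell
# Added example: detect (and optionally remediate) drift from a locked-down baseline.
# The three settings and their expected values below are illustrative only.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous';    Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AutoAdminLogon'; Expected = '0' }
)

function Test-ConfigurationDrift {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Baseline,
        [switch] $Remediate   # write drifted settings back to their baseline value (run elevated)
    )
    foreach ($item in $Baseline) {
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction Stop).($item.Name)
        } catch {
            # Key or value missing counts as drift: after a reinstall the default may be back.
        }
        # Compare as strings so DWORD and REG_SZ values are handled the same way.
        $inSpec = ($null -ne $actual) -and ("$actual" -eq "$($item.Expected)")
        if (-not $inSpec -and $Remediate) {
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            Set-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Expected
        }
        [pscustomobject]@{
            Setting  = "$($item.Path)\$($item.Name)"
            Expected = $item.Expected
            Actual   = $actual
            Status   = if ($inSpec) { 'OK' } elseif ($Remediate) { 'REMEDIATED' } else { 'DRIFT' }
        }
    }
}

# Report only; add -Remediate to enforce the baseline.
Test-ConfigurationDrift -Baseline $Baseline | Format-Table -AutoSize
```

Scheduling the report-only form and alerting on any DRIFT row is the detection half of what the article describes; the remediation switch is the prevention half.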
This single locked-down configuration brings several advantages to the USAF, most importantly the ability to install patches within 72 hours instead of 57-100 days. Since they're now using a single, consistent configuration, a lot less testing is involved when it comes to new patches. This testing is now done by Microsoft, and not by the USAF itself.
The USAF began installing this configuration on systems in 2005 and finished in 2007. They also require that vendors pre-load this configuration so that these systems are secure out-of-the-box. The USAF saved 100 million USD because they now buy a single configuration instead of having 30 different contracts.
So, how secure is this system? Gilligan said that 85% of attacks are blocked by the new configuration. "Turns out when you configure things properly and don't touch them, they actually work pretty well," he added. The Air Force configuration is now in use in many other departments because it has been such a success.
Gilligan also said that he hopes that this project marks the beginning of the end of companies arrogantly resisting locking down their products. "They're still in the model that they want to give all the features enabled to clients," he said, "But I think we've reached a point where that model is one that is no longer effective. I'm of the opinion that all products ought to be configured with these locked-down configurations, and if the customer decides they want to undo them, then they can do that. They cannot continue fielding products where the cost that is being borne by the consumer in terms of having to maintain configurations and deal with attacks is so high."