OSNews:

OSNews: http://www.osnews.com/story/21424/USAF_s_Locked-Down_Windows_XP_Configuration Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Fri, 24 May 2013 01:03:23 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com hm http://www.osnews.com/thread?361520 http://www.osnews.com/thread?361520 Don't know how what I should think about this.

There are two points that annoy me:
- XP is 10 years old, it's damn old technologie for the air force
- Microsoft says vista is more secure in every point. I think a locked-down vista would be more secure. You can't take windows 98 and say "it's locked down, it's more secure than XP" because there are technologies that are just missing in the older operating system. Sun, 03 May 2009 09:36:00 GMT donotreply@osnews.com (SK8T) Comments RE: hm http://www.osnews.com/thread?361521 http://www.osnews.com/thread?361521 Did you see the time frame? This project was started WAY BEFORE Vista got out. Changing operating systems is not something to be taken lightly for such an important institution as the USAF, where lives may be at stake.

In addition that that, Windows XP might be old, but it IS tried and true by now. In addition, I'm sue Microsoft backported some of Vista's security features to this special version of Windows XP.Edited 2009-05-03 09:42 UTC Sun, 03 May 2009 09:41:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments And now we know... http://www.osnews.com/thread?361524 http://www.osnews.com/thread?361524 why Microsoft is able to get away with basically anything they want to here in the US, and got off with a slap on the wrist with regards to their monopolistic bs.
Here's the U.S, everyone, in all its corporate glory. Get a good look, and spit in disgust.
On top of that... what's next? Microsoft is personally involved with the government. Now, call me paranoid if you wish--and you may very well be right--but it's not that far of a stretch to move from building a special, locked down version for the government to building certain... shall we say... unlocked points into everyone else's system in the name of security of the state, is it? That assumes, of course, that it hasn't happened already. The whole NSAKEY thing was basically dismissed as conspiracy and perhaps that was... or was it? Who can tell.
I cannot help but be concerned at such a close partnership between branches of our military and government (which has taken some alarming steps in recent years) and a company that violates many of our own antitrust laws in spirit even if not convicted and also has a vested interest in control of their own sort to insure their dominant position. A very dangerous combination in my opinion.Edited 2009-05-03 10:18 UTC Sun, 03 May 2009 10:15:00 GMT donotreply@osnews.com (darknexus) Comments Here's the amusing part... http://www.osnews.com/thread?361526 http://www.osnews.com/thread?361526 Both internal and external apps were so poorly programmed that it took them two years to lock everything down. Long live closed source products!

"It then took two years for the Air Force to catalog and test all the software applications on its networks against the new configuration to uncover conflicts. In some cases, where internally designed software interacted with Windows XP in an insecure way, they had to change the in-house software."

Really, I am not sure this article says all that much that is positive about Microsoft or the Airforce, other than if you spend lots of time fixing a configuration, you may be able to improve it.

A product should be secure out-of-the-box. Sun, 03 May 2009 10:22:00 GMT donotreply@osnews.com (porcel) Comments RE[2]: hm http://www.osnews.com/thread?361527 http://www.osnews.com/thread?361527 Well given the fact it takes about 10-15 years to deploy a new weapons system, the fact they are using XP and not DOS is A+

Sun, 03 May 2009 10:30:00 GMT donotreply@osnews.com (ssa2204) Comments Windows XP? http://www.osnews.com/thread?361530 http://www.osnews.com/thread?361530 Why XP, why not CE?

http://en.wikipedia.org/wiki/Windows_CE Sun, 03 May 2009 11:32:00 GMT donotreply@osnews.com (antik) Comments What's really being said ... http://www.osnews.com/thread?361531 http://www.osnews.com/thread?361531 Problem: Windows XP ships with default options that make it insecure.

Problem: Air Force IT guys tried to set secure options, but all of them had a different idea of what was secure.

Problem: Sometimes security was compromised by Air Force IT guys because other software required insecure options.

Problem: Different security options made internal testing of security patches time consuming.

Solution: The military decided to standardize security related setting from the top down.

Upside: Internal testing of security patches is much faster.

Upside: IT guys had a mandate to get rid of software that required insecure options.

Upside: Everyone now knows (rather than thinks) their system is secure.

Upside: Microsoft now ships a secure by default configuration to the Air Force and it's suppliers.

Conclusions:

(At least to me.)

Microsoft has created a secure product, even in XP.

Secure products don't sell, so they plaster on insecure features.

Secure products don't sell, so they made it more convenient by using insecure defaults.

Microsoft finally found a customer who was willing to pay for security above features and convenience, so they cleaned XP up for them. Sun, 03 May 2009 11:41:00 GMT donotreply@osnews.com (MacTO) Comments Secure XP http://www.osnews.com/thread?361539 http://www.osnews.com/thread?361539 It's not that secure products don't sell... it's that people want their software to work and all the flashy features turned on. Since most software out there was programmed with the notion of having full control of the PC, and did many things it shouldn't, it's been a pain for MS to move towards a secure system.

But they have been doing it, they cleaned up the system more with XP and locked it down more with Vista... there are annoyances, but those will be polished and we will get more used to it. Soon we won't notice it anymore as the extra steps will be normal.

[It's funny that people get annoyed about Vista's UAC dialog coming up all the time, but in Linux you need to enter your password to do administrative stuff, including installing software] Sun, 03 May 2009 12:50:00 GMT donotreply@osnews.com (Craig) Comments Good staring point for secure Windows http://www.osnews.com/thread?361542 http://www.osnews.com/thread?361542 Hi,

I think the NSA Guides are a _really_ good starting point to make your Windows secure. Microsoft should suggest it everywhere:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operat...

But I guess home users could block about 90% of attacks with automatic updates, disables javascript and text only emails. Sun, 03 May 2009 13:02:00 GMT donotreply@osnews.com (reez) Comments RE: Secure XP http://www.osnews.com/thread?361544 http://www.osnews.com/thread?361544 > [It's funny that people get annoyed about Vista's UAC dialog coming up all the time, but in Linux you need to enter your password to do administrative stuff, including installing software]

I think that UAC complaints are both fair and unfair to Vista. In Vista, it gives the definite impression of being an after-the-fact add-on because you often have to go through a couple of layers of dialog boxes just to confirm an action. I've never seen that behaviour on Ubuntu or Mac OS X. It is also worth questioning the effectiveness of this process, because they only ask you to click a button when you are performing an administrative action from the administrative account (which is going to be the default account in setting where security isn't an issue, like in homes or small offices). That means it's easy to confirm something through an act of habit.

I'm also not convinced that UAC would help security in a military type environment. UAC is there to make privileged operations more convenient to complete by negating the need to work in an administrative account (which is what I had to do in Linux systems way back then). That's great for homes and small offices where people want to fiddle around with such things at will. But military systems shouldn't require that degree of privileged intervention. Indeed, part of the purpose of this specialized Windows distribution appears to be the creation of a standardized system. So you don't want too many priviliged operations taking place that will make that standardized system non-standard. Sun, 03 May 2009 13:13:00 GMT donotreply@osnews.com (MacTO) Comments Comment by bnolsen http://www.osnews.com/thread?361548 http://www.osnews.com/thread?361548 And then there's the usual suggestion of using some other OS and perhaps) hardware that actually has been designed to deal with these issues in mind from the beginning.

If this was started in the late 90's, at that time sun was probably a runner up. The problem was that sun was charging 5-10x as much for hardware that never was as fast as its more mainstream competition. Sun, 03 May 2009 13:38:00 GMT donotreply@osnews.com (bnolsen) Comments Nonthing Special http://www.osnews.com/thread?361549 http://www.osnews.com/thread?361549 They're making it sound like more than it really is. This isn't some re-engineered version of XP. You can greatly increase the security of Windows my ensuring it's patched and changing some configuration options. Many large companies do this and make a more secure base image to install on all PCs. The Air Force had been doing that as well, the only difference was that before it was at the base, maybe MAJCOM level, and now it's merely a single image for the whole Air Force. Also, this isn't just an XP thing, it's been out for a while. The Air Force is now in the midst of rolling our SDC 2.0, which is Vista-based. Sun, 03 May 2009 13:59:00 GMT donotreply@osnews.com (bsharitt) Comments RE[2]: hm http://www.osnews.com/thread?361552 http://www.osnews.com/thread?361552

Changing operating systems is not something to be taken lightly for such an important institution as the USAF, where lives may be at stake.

If lives may be at stake, then why use their products in the first place? Sun, 03 May 2009 14:12:00 GMT donotreply@osnews.com (Isolationist) Comments RE[2]: hm http://www.osnews.com/thread?361553 http://www.osnews.com/thread?361553 I took a look at the NIST site for this program when I first saw this news item. I don't think there's any code change involved here (though the USAF and other militaries probably get wind of patches and known security issues before the general public). What these guys have is a specific security template, a system convert between an XML security description language and a set of actions to change the system configuration, and a set of policies specified in that XML language. The configuration system applies to Vista as well (there are policies available on NIST's site for both OSes). Sun, 03 May 2009 14:51:00 GMT donotreply@osnews.com (PlatformAgnostic) Comments RE: Comment by bnolsen http://www.osnews.com/thread?361554 http://www.osnews.com/thread?361554

And then there's the usual suggestion of using some other OS ... that actually has been designed to deal with these issues in mind from the beginning.

What a lot of people seem to forget is that XP is based upon NT and that NT was designed with security in mind. Microsoft may have botched it through both implicit decisions (such as bad coding) and explicit decisions (such as making it more marketable), but that doesn't mean that XP isn't salvagable.

There are other factors to consider here. The article mentioned taking advantage of technology that trickles down to them, rather than succumbing to NIH syndrome. That means two things: they now have hundreds of millions of people offsetting their costs, and hundreds of millions of people doing basic testing for them. Which is a heck of a lot better than the government spending billions of dollars to reinvent the OS, something which will never benefit anyone outside of the military.

Another advantage of using a broadly deployed technology is access to skilled labour. The military themselves may be able to get away with training their own personelle. (Or maybe not. It depends upon the scope of skills needed.) Military contractors would have a much harder time. So it is an issue on at least one end, and maybe both. Sun, 03 May 2009 14:55:00 GMT donotreply@osnews.com (MacTO) Comments RE: What's really being said ... http://www.osnews.com/thread?361555 http://www.osnews.com/thread?361555 I think you got it exactly right. This is more about configuration than about the design or inherent vulnerabilities.

Newer OSes than XP have a different view of the world and have come more locked down by default. Sun, 03 May 2009 14:55:00 GMT donotreply@osnews.com (PlatformAgnostic) Comments RE: And now we know... http://www.osnews.com/thread?361563 http://www.osnews.com/thread?361563 Well, if you're going to go that far you'll have to avoid Linux too; the NSA is responsible (at least originally) for the SELinux security systems within the kernel. Sun, 03 May 2009 15:55:00 GMT donotreply@osnews.com (DigitalAxis) Comments RE: Secure XP http://www.osnews.com/thread?361566 http://www.osnews.com/thread?361566

[It's funny that people get annoyed about Vista's UAC dialog coming up all the time, but in Linux you need to enter your password to do administrative stuff, including installing software]

Software can be installed anywhere you like. Administrating the system through the package manager then again is a job belonging only to the system administrator. Sun, 03 May 2009 16:27:00 GMT donotreply@osnews.com (SJ87) Comments I wonder http://www.osnews.com/thread?361570 http://www.osnews.com/thread?361570 If the Virtual Windows XP image that is comming with Windows 7 is pre locked down ? Sun, 03 May 2009 17:03:00 GMT donotreply@osnews.com (steverez1) Comments RE[2]: hm http://www.osnews.com/thread?361572 http://www.osnews.com/thread?361572 Or the other way around, they created this first and used it as a base for Vista. Sun, 03 May 2009 17:27:00 GMT donotreply@osnews.com (Lennie) Comments RE[3]: hm http://www.osnews.com/thread?361573 http://www.osnews.com/thread?361573

Or the other way around, they created this first and used it as a base for Vista.

I believe Windows Server 2003 was the base for Vista. Sun, 03 May 2009 17:39:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments RE[2]: And now we know... http://www.osnews.com/thread?361575 http://www.osnews.com/thread?361575 Yes, but at least we can view the source.

I pray to every god ever conceived by the fearful mind of man that the USAF and the US.gov were smart enough to demand FULL source access - and then build their OWN copy of the OS. OR at least have code audits to check for back doors! I would NOT want to entrust my security to one company that did not divulge the source for its products.

This is the government, they should have build & process auditing as a standard stipulation of attaining a government contract - regardless of product.

--The loon Sun, 03 May 2009 17:43:00 GMT donotreply@osnews.com (looncraz) Comments RE[2]: And now we know... http://www.osnews.com/thread?361578 http://www.osnews.com/thread?361578

Well, if you're going to go that far you'll have to avoid Linux too; the NSA is responsible (at least originally) for the SELinux security systems within the kernel.

Yeah. But if the NSA is spying on us that way it's only Fedora and Red Hat users that are in danger. ;-) Sun, 03 May 2009 19:47:00 GMT donotreply@osnews.com (sbergman27) Comments You know... http://www.osnews.com/thread?361593 http://www.osnews.com/thread?361593 ...I'm still amazed by the fact that more U.S. Government agencies aren't adopting OpenBSD as their O.S. of choice. If the damned thing needs to be secure, why screw around with anything else? It's pretty hard to argue against OpenBSD when it comes to security, because this O.S. is built and coded with this exact principle in mind.

Each operating system excels at something, and OpenBSD is the King of Security. Sun, 03 May 2009 23:00:00 GMT donotreply@osnews.com (1c3d0g) Comments RE[3]: And now we know... http://www.osnews.com/thread?361596 http://www.osnews.com/thread?361596

"Well, if you're going to go that far you'll have to avoid Linux too; the NSA is responsible (at least originally) for the SELinux security systems within the kernel.

Yeah. But if the NSA is spying on us that way it's only Fedora and Red Hat users that are in danger. ;-) "

SELinux has been in mainline for a while now. Sun, 03 May 2009 23:30:00 GMT donotreply@osnews.com (abraxas) Comments financial crisis http://www.osnews.com/thread?361606 http://www.osnews.com/thread?361606 We have a financial crisis and they have no money to invest in new software. My GOD! Mon, 04 May 2009 04:48:00 GMT donotreply@osnews.com (2501) Comments RE: financial crisis http://www.osnews.com/thread?361614 http://www.osnews.com/thread?361614 Hah! And like that would stop them if they had their minds set on it? Look at everyone we're bailing out even though we don't have the money to waste... I'd say we're wasting plenty already. To be honest, if it came right down to it, I'd rather see it wasted on our own government than on businesses who should be reaping the consequences of their poor decisions rather than lining up for handouts and at the same time pulling us deeper into a hole. If you make poor decisions as a business, you fail. Why are we going out of our way to avert the idiots receiving the proper consequences for their idiocy? Mon, 04 May 2009 08:36:00 GMT donotreply@osnews.com (darknexus) Comments RE[2]: financial crisis http://www.osnews.com/thread?361617 http://www.osnews.com/thread?361617 Because those "idiots" control the government. Mon, 04 May 2009 08:53:00 GMT donotreply@osnews.com (h3rman) Comments Where's Tom Clancy in this? http://www.osnews.com/thread?361625 http://www.osnews.com/thread?361625 All of this sounds like part of a story line from Tom Clancy. All we need now is for those big bad Reds, ie China, to find the remaining loopholes and exploit them.Edited 2009-05-04 11:11 UTC Mon, 04 May 2009 11:10:00 GMT donotreply@osnews.com (combatwombat) Comments RE[3]: And now we know... http://www.osnews.com/thread?361635 http://www.osnews.com/thread?361635 Microsoft does have programs for source access for partners and academia

http://en.wikipedia.org/wiki/Shared_source

Build and process auditing are irrelevant (not to mention a bit weird), but I agree that they should be at least EAL 4 (Methodically Designed, Tested, and Reviewed) certified. Mon, 04 May 2009 12:54:00 GMT donotreply@osnews.com (google_ninja) Comments RE[2]: Secure XP http://www.osnews.com/thread?361636 http://www.osnews.com/thread?361636 If all it asks you to do is click a button, you are running under the administrators group, which you should not be doing. Vista asking you to hit OK is like running as root on linux, the only difference is that the admin tolken doesn't get implicitly passed to any action you take. If you run as a non admin, you will get a box asking you to enter the credentials of someone who is an admin.

There is also a lot more then UAC to Vista's security improvements over XP. UAC is just what end users tend to encounter. Mon, 04 May 2009 12:59:00 GMT donotreply@osnews.com (google_ninja) Comments RE: You know... http://www.osnews.com/thread?361651 http://www.osnews.com/thread?361651

...I'm still amazed by the fact that more U.S. Government agencies aren't adopting OpenBSD as their O.S. of choice. If the damned thing needs to be secure, why screw around with anything else? It's pretty hard to argue against OpenBSD when it comes to security, because this O.S. is built and coded with this exact principle in mind.

Each operating system excels at something, and OpenBSD is the King of Security.

I disagree, who would support all the different apps to get openBSD setup as a desktop OS, X, the GUI, all the other apps, openBSD people? I don't think so, I think that might be a worse nightmare to implment openBSD at the time compared to XP.

Sure openBSD will be pretty locked down with defaults and no X, but seriously you think the AF is gonna move their people back to no GUI and retrain everyone? Mon, 04 May 2009 15:23:00 GMT donotreply@osnews.com (Hentai) Comments RE[3]: And now we know... http://www.osnews.com/thread?361695 http://www.osnews.com/thread?361695 I worked in OpenVMS Security and the Gov't approval process is very long and drawn out. I do not remember whether or not they are allowed access to anything they want, but the product must meet standards set forth by the gov't for approval process. It was a long time ago, but I DO remember people sweating for many months at a time just for point releases.

But who knows if things have changed. Mon, 04 May 2009 20:17:00 GMT donotreply@osnews.com (Tuishimi) Comments RE: hm http://www.osnews.com/thread?361744 http://www.osnews.com/thread?361744 Loser boy Gilligan is ancient history. Vista is the current standard configuration and it's at the federal level. All you need is one image of a standardized configuration, so without writing any additional code, it happened. Everyone is put into the "user" category and essentially no executables will run and anything with the associated shield cannot be changed without admin privs. Every day the grass is mowed anyway so if your configuration doesn't match what it's supposed to be your box gets reset. As for his comment about "arrogant apps", Gilligan's an arrogant ass, seeing as how he'd go to money bags Ballmer but not to help others design software compatible to the configurations. So, bottom line is that there's no code written that gives the g-men/babes access to your system. The Chinese and Russians are probably already in your box anyway. Tue, 05 May 2009 01:26:00 GMT donotreply@osnews.com (BillaBong) Comments RE: What's really being said ... http://www.osnews.com/thread?361748 http://www.osnews.com/thread?361748 You are closest in your analogy, except the IT guys aren't mandated to get rid of software.

Microsoft did not create anything different from what is on the OS CD.

Folks go through the entire OS and essentially flick switches until they come up with the configuration they want.

There are several billing levels, the single consumer at one while bulk is at another.

If one of your customers has a couple million licenses, it makes good business sense to insure that big paying customer's requirements are met. Tue, 05 May 2009 01:42:00 GMT donotreply@osnews.com (BillaBong) Comments Comment by Hae-Yu http://www.osnews.com/thread?361771 http://www.osnews.com/thread?361771 Regardless of Windows' merits, why they use Windows is basic IT history.

Yes, they are locked into a Windows environment and that arose from the move away from green screen terminals to distributed, client-server networks with affordable desktops. Just like every other major enterprise, it got away from them, with each unit running its own purchasing and administration with all that entailed. The USAF made a concerted effort to manage their assets, just like most other large enterprises have been doing over the last few years.

In the mid-90s when the client-server concept was going like gangbusters, Linux wasn't a real player, and OS 7/8/9 was unsuitable for the enterprise. Like it or not, Windows systems, dominating the IBM office compatibles, are the foundation of the systems most enterprises use today.

When people say "just scrap it and throw it all away" they only reveal their ignorance. Even if all the software were free, the scale of the effort would probably cost more than Iraq and Afghanistan combined.

Conservatively. Tue, 05 May 2009 04:58:00 GMT donotreply@osnews.com (Hae-Yu) Comments RE[4]: hm http://www.osnews.com/thread?361784 http://www.osnews.com/thread?361784 Yes, that's what they say. But it's all from the marketing department. ;-) Tue, 05 May 2009 07:27:00 GMT donotreply@osnews.com (Lennie) Comments RE: Windows XP? http://www.osnews.com/thread?362349 http://www.osnews.com/thread?362349 I agree Thu, 07 May 2009 21:14:00 GMT donotreply@osnews.com (adinas) Comments Secure XP Version Available? http://www.osnews.com/thread?362381 http://www.osnews.com/thread?362381 Used DOS, first versions of windows, loved Win95, didn't see any need for Win98, then finally moved to XP and found it would install just about anything. After 10K of apps later I was surprised when a new Vista machine couldn't do what XP could. So to put food on the table I stuck with XP.
Is this more secure (or "locked down") version of XP available to us long time users? Would it be of any value or a more difficult GUI to use?
Have some official name?
Downloadable?
http://www.niwenterprises@yahoo.com Thor Thu, 07 May 2009 23:56:00 GMT donotreply@osnews.com (ThorOdinson) Comments