Sunday, May 31, 2009

Free: USAF-Hardened Windows Build (…well kinda…)


Public domain photo: taken by U.S. Air Force Senior Airman Julianne Showalter

Windows: Locked and Loaded?

About a month-ago, there was a Wired story about how Microsoft had developed and offered a super-duper secure version of Windows to the United States Air Force to better protect it’s Windows deployments and users than the piddling-weak stuff that us private citizens get offered.

Microsoft Offers Secure Windows … But Only to the Government  - Wired Threat Level blog.

It’s the most secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days.  The only problem is, you have to join the Air Force to get it.

The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us.

Security experts have been arguing for this “trickle-down” model for years.  But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.

Upon which everybody who pays taxes AND uses Windows moaned and complained about things not being fair that the USAF gets something we don’t; an actual secure version of Windows.

Only one problem, journalist Kim Zetter got the story pretty darn close to being correct, but left out one important detail.

Namely, that there the USAF doesn’t actually use a super-weaponized-and-hardened version of Windows made just for them.


Microsoft: There is no special version of XP for the Air Force – The Tech Herald – Security as covered by Steve Ragan:

The problem, and the source of the confusion about the article itself, is that Microsoft did not offer a new version or a special version of XP to the Air Force. All Microsoft did was help the Air Force harden GPOs (Group Policy Objects) and images used for deployments when the Air Force made that request.

“We agreed to assist, as we do with any company that hires us to assist in setting their own security policy as implemented in Windows. The work from the AF ended up morphing into the Federal Desktop Core Configuration (FDCC) recommendations maintained by NIST. There are differences, but they are essentially the same thing,” said Roger Grimes, Security Architect on the ACE Team at Microsoft.

“NIST initially used even more secure settings in the hardening process (many of which have since been relaxed because of operational issues, and is now even closer to what the AF created),” he added.

“In the initial article, a lot of the other improvements, such as patching, came from the use of better tools (SCCM, etc.), and were not necessarily solely due to the changes in the base image (although that certainly didn't hurt). So, it seems the author mixed up some of the different technology pushes and wrapped them up into a single story. He also seem to imply that this is something special and secret, but the truth is there is more openness with the FDCC program and the surrounding security outcomes than anything we've ever done before,” Grimes continued.

Schneier on Security: Secure Version of Windows Created for the U.S. Air Force – Schneier on Security – Even Bruce got caught up and had to make an update as the facts became known.

Bruce even included additional (and public) links provided by Microsoft for these projects.

Anyone can download the FDCC settings, documentation, and even complete images. I worked on the FDCC project for little over a year, and Aaron Margosis has been involved for many years, and continues to be involved. He offers all sorts of public knowledge and useful tools. Here, Aaron has written a couple of tools that anyone can use to apply FDCC settings to local group policy. It includes the source code, if anyone wants to customize them.

I’ve been RSS feeding Microsoft’s Aaron Magosis blog and work for a while now, but even his work on this project came as a surprise to me.

F D C C – Ensuring “Aim High” applies to all

What is really awesome (to me at least…as teased in this post title) is that the FDCC settings are actually released, almost fully implemented to the standards, in updated VHD virtual machine files for XP Pro and Vista.  Free (but time-bombed) for the taking, testing, and tweaking!

All this information and work is provided openly by the National Institute of Standards and Technology (NIST) and sponsored by the DHS National Cyber Security Division/US-CERT.

These recommendations were developed at the National Institute of Standards and Technology, which collaborated with OMB, DHS, DISA, NSA, USAF, and Microsoft to produce the Windows XP and Vista FDCC baseline.

  • F D C C – Federal Desktop Core Configuration main page

  • F D C C - Download Page – Filled chock-full-o-nuts of the VHD files for XP/Vista pre-configured (mostly) with these magical security settings, as well as Group Policy Objects (GPO) that could be deployed and tons of documentation on what exactly is going on.

  • F D C C - Agency Testing FAQ – Specifically jumps to the FAQ section on working with and using the VHD file packages for testing in Virtual PC sessions.

  • F D C C – FAQ – The top-page.  Lots to read so kick back and take it all in.

All-in-all it is amazing stuff.

I really appreciate the value that this information and the access to the VHD files offers.  It really allows system administrators and security folks to get a sense of just how usable a Windows system remains after many of these configurations has been applied.  Now, granted, the Windows systems won’t be quite as friendly to use as say, the way you’ve set up Grandma Flutter’s Windows system configured, but it will be much more secure.

Think of it as a free computer-lab course in Windows security best-practices configuration for the general public.

But Wait! There’s More!

Federal Desktop Core Configuration - Microsoft TechNet’s FDCC Blog. Frequently updated with notices of new FDCC releases and configuration policy changes.

Federal Desktop Core Configuration : Utilities for automating Local Group Policy management  - Microsoft TechNet’s FDCC Blog page with the tools for applying the LGPO for the FDCC configurations.

Federal Desktop Core Configuration : Kicking off the FDCC blog – Kurt Dillard introduces the mission and vision behind the FDCC release in this early (and massive) blog post.  I’ve snipped it down to (IMHO) the best key takeaway parts: 

…Microsoft has been collaborating with a handful of federal agencies to create actionable guidance and tools that agencies can use to implement the standard desktop and organziations who do business with the federal government can use to ensure their solutions are compatible with the locked-down configurations. I use the plural "configurations" because there are 2, one for Windows Vista and another for Windows XP. These configurations are collectively known as the Federal Desktop Core Configuration, or FDCC.

I know that many organizations are eager to see the details of the FDCC configuration. I've heard from federal agencies that want to start preparing to deploy FDCC as soon as possible. I've also talked to software companies that want to ensure their applications will be fully functional when run FDCC systems. I've also heard from systems integrators and IT services companies that want to be ready to help their federal customers to deploy and support the FDCC configurations. Microsoft has been working closely with the OMB, NIST, NSA, DISA, DHS, and the USAF and none of us want to publish guidance, tools, and other resources that will have to be updated and corrected repeatedly over the first few weeks.

At Microsoft we're creating and testing Virtual PC (VPC) images that we hope will help agencies and solutions providers to develop and test applications to run on FDCC compliant systems. These VPC images are not suitable for deployment, they'll be evaluation copies of Windows that will expire after a set period of time, but since they will be preconfigured they should help organizations to jumpstart their testing.

You still want to know more details about the settings, don't you? The single most important requirement in the FDCC is that all normal users will have to log in without administrative privileges. Experience has shown us that taking away admin rights from users causes the most challenges: some applications stop working and some users get frustrated that they can no longer install whatever software they want and they can no longer make whatever configuration changes they want to their computers. You can get an idea of what the FDCC configurations will look like by taking a look at the Microsoft security guides (listed on the Resources page), the FDCC settings are similar to the Specialized Security - Limited Functionality (SSLF) settings in our guides. Some of the settings are less restrictive in the FDCC than the SSLF settings, additionally the FDCC covers several dozen less impactful settings that are not documented in the Microsoft security guides. 

Bonus Find: STIGS Security Checklist Resources

Security Checklists - Security Technical Implementation Guides (STIGS) and Supporting Documents website. Not directly related to the FDCC efforts, but provides additional checklists and documentation “…(sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration)…contains instructions or procedures to verify compliance to a baseline level of security.

Browse around to see if this material could be beneficial in understanding and implementing additional system security (and program security) within your organization.

There is also a DoD General Purpose STIG, Checklist, and Tool Compilation CD in both heavy and lite versions which contains most all of the material on the site.

You might also want to take a look specifically at these offerings:

Lock and loaded, indeed!


--Claus V.

No comments: