[ISN] Air Force raises bar on desktop security

[InfoSec News]

http://www.fcw.com/article91318-11-07-05-Web

By Frank Tiboni
Nov. 7, 2005 

The Air Force plans to test its new Microsoft standard desktop
computer configuration at five field sites later this month. The
service wants to install the configuration on 70 percent of its
computers by June 2006 and on the rest by the end of 2006, Air Force
and industry officials said.

The Air Force will distribute Microsoft software with standard
security configurations servicewide to improve network security and
management. Military and civilian agencies are watching the testing
because they could use the software governmentwide early next year.

Many security problems associated with Microsoft software occur when
users do not properly configure their systems. As part of this
initiative, the Air Force is standardizing desktop PCs that are set up
with all appropriate controls in place.

"We are very pleased with our early test results and look forward to
significant advances in network operations and security as the Air
Force standard desktop configuration is implemented across our
enterprise during 2006," said Rob Thomas, deputy chief of the Office
of the Secretary of the Air Force, Chief of Warfighting Integration
and Chief Information Officer.

The Air Force has tested various versions of the standard desktop PC
configuration in labs at many locations since May. The results
identified minor incompatibilities with a number of
government-developed software applications, and the Air Force is
correcting those problems, a service spokeswoman wrote in an e-mail.

Developers at the five field sites will study implementation processes
and correct further hardware and software compatibility problems.  
After the Air Force writes a test report and makes necessary
corrections, its leaders will approve servicewide implementation, the
service spokeswoman said.

Government agencies can use the standard desktop PC configuration
after the Air Force tests it and service leaders approve its
implementation. Agency officials can use any part of the
configuration, "from the configuration settings up to the actual image
that will be installed on the workstations, consistent with their
licensing status regarding the 19 applications and plug-ins that
comprise the image," the spokeswoman said.

The Air Force's preconfigured bundle of Microsoft software includes
the Windows XP operating system, Office suite, Internet Explorer, and
portions of Windows Server 2003 and other applications. The service
calls it a software image.

"My personal assessment is that [the Office of Management and Budget]
and the CIO Council may wait until after the results of the initial
testing to finalize their strategy for potential deployment of the
standard configurations across other agencies," said John Gilligan,
the service's former CIO who helped develop the initiative. He is now
a vice president and deputy director at SRA International's defense
business unit.

The testing is important because attacks come within days of
vulnerability and patch announcements and agencies cannot maintain
their computer defenses if they cannot quickly patch, said Alan
Paller, director of research at the SANS Institute, a nonprofit
organization that monitors computer security.