AOH :: ISNQ4864.HTM

Secure desktops not just for Vista




Secure desktops not just for Vista
Secure desktops not just for Vista



http://www.fcw.com/online/news/150875-1.html 

By Jason Miller
FCW.com
November 26, 2007

The Office of Management and Budget has told agencies that use Microsoft 
Windows XP or Vista to begin using the governments approved secure 
desktop configuration by February 2008, but it hinted that the Windows 
operating system was only the beginning of a more extensive program.

The next phase may be under way as the National Security Agency works 
with Apple, Sun Microsystems and Red Hat to develop secure baseline 
standards for those vendors latest operating systems. NSA has worked 
with Apple and Sun for years. However, for the first time, Red Hat has 
asked for help in securing an operating system, its Enterprise Linux 5.

Weve had our own hardening tips, and for this version we wanted to work 
with NSA since [we] have a close relationship with them already, said 
Karl Wirth, Red Hats director of security solutions.

OMB officials said they are not involved in NSAs effort with those 
companies, but some private-sector experts say the vendors work with NSA 
to develop baseline standards is similar to that which Microsoft 
undertook. They see those efforts as a first step toward establishing a 
federal secure configuration standard for those operating systems.

Vendors who compete with Microsoft saw the White House announcement as a 
threat, said Alan Paller, director of research at the SANS Institute. 
OMB was not standardizing on Microsoft and said they would talk to 
others to ensure their products are secure, too.

Paller said that once NSA gives its blessing to a vendors product, it 
would make sense for non-Defense Department and intelligence agencies to 
follow NSAs lead.

However, NSAs security guidance is not mandatory for civilian agencies. 
The National Institute of Standards and Technology has issued security 
checklists, which are not standards, for some Apple, Sun and Red Hat 
products.

NSA worked with Sun and Apple on security for their previous releases of 
the Solaris 8 and 9 and Panther and Tiger operating systems, 
respectively. Now NSA is developing standard configurations for Suns 
Solaris 10 and Apples Leopard operating systems.

NSAs Information Assurance Directorate works with many companies to 
examine product security on behalf of DOD customers, said Tony Sager, 
chief of vulnerability analysis and operations at the directorate.

The product security guides help NSA users make informed decisions about 
security and help analysts better understand emerging technologies, he 
said.

Bill Vass, president and chief operating officer of Sun Federal, said 
Suns work with NSA is not unusual, and he added that he wouldnt be 
surprised if OMB or NIST mandated a secure baseline configurations for 
all Unix operating systems because Apple, Sun and Red Hat are derived 
from Unix.

Vass said OMB and NIST could mandate a basic Unix secure configuration 
standard and offer subsets for Apple, Sun, Red Hat and others.

It is a natural evolution for NIST and OMB to say use this standard, 
Vass said.

The reason OMB did this on Vista is the risk and pervasiveness of those 
risks.

NSA worked with NIST on the Microsoft Windows XP and Vista baselines, 
and it is now developing a national program to collect, automate, 
measure and report information technology vulnerability data, Sager 
said.

Sager said NSA did not analyze Microsofts code. However, the agency 
reviewed and analyzed different configuration settings, such as the 
number of characters in a password, to determine which ones were most 
secure.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/ 

Site design & layout copyright © 1986-2014 CodeGods