OMB sets security standards for Windows computers

Requirements are intended to reduce vulnerabilities and save time and money, but observers caution they aren’t a cure-all.

In an attempt to improve the government's information security, the Office of Management and Budget on Tuesday gave agencies until May to plan how they will implement a standard security configuration for Microsoft computer operating systems.

In a memorandum to agency chief information officers and their deputies, Karen Evans, OMB's administrator of e-government and information technology, said agencies must implement the standard security setting for all computers running Microsoft Windows XP and Vista no later than Feb. 1, 2008.

"Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources," Evans said. "This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity and availability of government information."

The plans due by May 1 must describe how the configurations will be implemented and automatically enforced and how administrative rights will be restricted to authorized officials. They also must describe tests to identify adverse effects on how systems function.

By April 20, OMB and the Homeland Security Department will establish a way for IT providers to obtain software images based on these configurations for test and development purposes.

By June 30, all new information technology acquisitions must reflect the configurations, and companies providing agencies with IT products must certify that their products operate effectively under the setup. When new Windows XP or Vista vulnerabilities are identified, agencies must be able to install Microsoft patches from DHS.

The standard configuration for XP and Vista operating systems was developed by the National Institute of Standards and Technology, DHS, the Defense Information Systems Agency, the National Security Agency and Microsoft.

Evans cited the Air Force's use of a common security configuration for its Windows XP computers as a model for the effort.

Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., said a standard configuration will reduce delays in installing patches and will help stop cyber attacks from spreading.

Paller said the initiative will help leverage the $65 billion the federal government spends annually on IT and that the standard will be adopted by organizations outside government.

But a standard security configuration will not solve the government's information security problem and could even make it worse, other security experts said.

Eugene Spafford, a professor and executive director of the Purdue University Center for Education and Research in Information Assurance, said the mandate may go a long way toward ensuring that computer systems are patched in a timely fashion and are not used in a way that puts the information at risk.

But a standard configuration will not keep desktops and other computer equipment with sensitive information from being stolen if the machines are not encrypted, Spafford said. If the operating system or the applications used as part of the standard have weak security controls or are "buggy," the configuration could make things worse, Spafford said.

Clay Johnson, OMB deputy director for management, is expected to sign a separate memo involving IT security shortly, sources said. An OMB spokeswoman would not comment on the status of that memo.