The Tech Herald

Microsoft: There is no special version of XP for the Air Force

by Steve Ragan - May 7 2009, 21:25

After all the talk about Microsoft handing a hardened version of XP to the Air Force during renegotiation talks for desktop software contracts, as first reported by Wired, it turns out there were some issues in the story that caused a good deal of confusion.

Speaking on the record, one Microsoft employee explained exactly what it was the Air force received. As some pointed out when the story broke, if you wanted it, you can have a hardened XP image too.

Last Thursday, Wired broke a story that reported details of a hardened version of Windows XP that was given to the Air Force. This version of XP was the most “secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days.”

“The Air Force, on the verge of renegotiating its desktop-software contract with Microsoft, met with Ballmer and asked the company to deliver a secure configuration of Windows XP out of the box. That way, Air Force administrators wouldn’t have to spend time re-configuring, and the department would have uniform software across the board, making it easier to control and maintain patches,” the article reported.

Users and experts offered various opinions on the story. Some said it was about time the government used its purchasing power to force software developers to design something more secure, eliminating some of the problems caused by overlooked hardening settings or out-of-the-box installations. Others said that it would be a futile effort, and some demanded a copy outright.

The problem, and the source of the confusion about the article itself, is that Microsoft did not offer a new version or a special version of XP to the Air Force. All Microsoft did was help the Air Force harden GPOs (Group Policy Objects) and images used for deployments when the Air Force made that request.

“We agreed to assist, as we do with any company that hires us to assist in setting their own security policy as implemented in Windows. The work from the AF ended up morphing into the Federal Desktop Core Configuration (FDCC) recommendations maintained by NIST. There are differences, but they are essentially the same thing,” said Roger Grimes, Security Architect on the ACE Team at Microsoft.

“NIST initially used even more secure settings in the hardening process (many of which have since been relaxed because of operational issues, and is now even closer to what the AF created),” he added.

“In the initial article, a lot of the other improvements, such as patching, came from the use of better tools (SCCM, etc.), and were not necessarily solely due to the changes in the base image (although that certainly didn't hurt). So, it seems the author mixed up some of the different technology pushes and wrapped them up into a single story. He also seem to imply that this is something special and secret, but the truth is there is more openness with the FDCC program and the surrounding security outcomes than anything we've ever done before,” Grimes continued.

Grimes made those comments while correcting a post by Bruce Schneier, who wrote about the hardened desktop on his blog. If it wasn’t for Grimes, the issue would still be a bit confusing. Moreover, if Microsoft would have returned calls from Wired, then the article would have been correct from the beginning. At the same time, the FDCC configurations have been around since 2007.

The FDCC settings can be downloaded here. Additional FDCC-related tools and information can be found here and here.

Around the Web

Comment on this Story

comments powered by Disqus


Chevrolet shows off the 2015 Colorado with digital experience

Chevrolet has launched a new website to show buyers all the bells and whistles available on ...

Mazda to debut CX-3 and MX-5 at Los Angeles Auto Show

Mazda has announced plans to premiere the new Mazda CX 3, its new compact crossover SUV, at ...

Ford issues safety recall for 204,448 Ford Edge and Lincoln MKX

Ford has issued a safety recall for 204,448 of the 2007-2008 Ford Edge and Lincoln MKX in No...

Mopar Previews SEMA Custom Rides

We have added a set of pictures released by Mopar ahead of the SEMA Show. Mopar are bri...

Audi R8 Competition – The Most Powerful Production Audi Ever

Audi has revealed details of their new super-fast Audi R8 Competititon — the most powerful a...