The Tech Herald

Microsoft: There is no special version of XP for the Air Force

by Steve Ragan - May 7 2009, 21:25

After all the talk about Microsoft handing a hardened version of XP to the Air Force during renegotiation talks for desktop software contracts, as first reported by Wired, it turns out there were some issues in the story that caused a good deal of confusion.

Speaking on the record, one Microsoft employee explained exactly what it was the Air Force received. As some pointed out when the story broke, if you want it, you can have a hardened XP image too.

Last Thursday, Wired broke a story that reported details of a hardened version of Windows XP that was given to the Air Force. This version of XP was the most “secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days.”

“The Air Force, on the verge of renegotiating its desktop-software contract with Microsoft, met with Ballmer and asked the company to deliver a secure configuration of Windows XP out of the box. That way, Air Force administrators wouldn’t have to spend time re-configuring, and the department would have uniform software across the board, making it easier to control and maintain patches,” the article reported.

Users and experts offered various opinions on the story. Some said it was about time the government used its purchasing power to force software developers to design something more secure, eliminating some of the problems caused by overlooked hardening settings or out-of-the-box installations. Others said that it would be a futile effort, and some demanded a copy outright.

The problem, and the source of the confusion about the article itself, is that Microsoft did not offer a new version or a special version of XP to the Air Force. All Microsoft did was help the Air Force harden GPOs (Group Policy Objects) and images used for deployments when the Air Force made that request.

“We agreed to assist, as we do with any company that hires us to assist in setting their own security policy as implemented in Windows. The work from the AF ended up morphing into the Federal Desktop Core Configuration (FDCC) recommendations maintained by NIST. There are differences, but they are essentially the same thing,” said Roger Grimes, Security Architect on the ACE Team at Microsoft.

“NIST initially used even more secure settings in the hardening process (many of which have since been relaxed because of operational issues, and is now even closer to what the AF created),” he added.

“In the initial article, a lot of the other improvements, such as patching, came from the use of better tools (SCCM, etc.), and were not necessarily solely due to the changes in the base image (although that certainly didn't hurt). So, it seems the author mixed up some of the different technology pushes and wrapped them up into a single story. He also seems to imply that this is something special and secret, but the truth is there is more openness with the FDCC program and the surrounding security outcomes than anything we've ever done before,” Grimes continued.

Grimes made those comments while correcting a post by Bruce Schneier, who wrote about the hardened desktop on his blog. If it weren’t for Grimes, the issue would still be a bit confusing. Moreover, if Microsoft had returned calls from Wired, the article would have been correct from the beginning. At the same time, the FDCC configurations have been around since 2007.

The FDCC settings can be downloaded here. Additional FDCC-related tools and information can be found here and here.
