After all the talk about Microsoft handing a hardened version of XP to the Air Force during renegotiation talks for desktop software contracts, as first reported by Wired, it turns out there were some issues in the story that caused a good deal of confusion.
Speaking on the record, one Microsoft employee explained exactly what it was the Air Force received. As some pointed out when the story broke, if you want it, you can have a hardened XP image too.
Last Thursday, Wired broke a story that reported details of a hardened version of Windows XP that was given to the Air Force. This version of XP was the most “secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days.”
“The Air Force, on the verge of renegotiating its desktop-software contract with Microsoft, met with Ballmer and asked the company to deliver a secure configuration of Windows XP out of the box. That way, Air Force administrators wouldn’t have to spend time re-configuring, and the department would have uniform software across the board, making it easier to control and maintain patches,” the article reported.
Users and experts offered various opinions on the story. Some said it was about time the government used its purchasing power to force software developers to design something more secure, eliminating some of the problems caused by overlooked hardening settings or out-of-the-box installations. Others said that it would be a futile effort, and some demanded a copy outright.
The problem, and the source of the confusion about the article itself, is that Microsoft did not offer a new version or a special version of XP to the Air Force. All Microsoft did was help the Air Force harden GPOs (Group Policy Objects) and images used for deployments when the Air Force made that request.
“We agreed to assist, as we do with any company that hires us to assist in setting their own security policy as implemented in Windows. The work from the AF ended up morphing into the Federal Desktop Core Configuration (FDCC) recommendations maintained by NIST. There are differences, but they are essentially the same thing,” said Roger Grimes, Security Architect on the ACE Team at Microsoft.
“NIST initially used even more secure settings in the hardening process (many of which have since been relaxed because of operational issues, and it is now even closer to what the AF created),” he added.
“In the initial article, a lot of the other improvements, such as patching, came from the use of better tools (SCCM, etc.), and were not necessarily solely due to the changes in the base image (although that certainly didn't hurt). So, it seems the author mixed up some of the different technology pushes and wrapped them up into a single story. He also seems to imply that this is something special and secret, but the truth is there is more openness with the FDCC program and the surrounding security outcomes than anything we've ever done before,” Grimes continued.
Grimes made those comments while correcting a post by Bruce Schneier, who wrote about the hardened desktop on his blog. If it weren’t for Grimes, the issue would still be a bit confusing. Moreover, if Microsoft had returned calls from Wired, the article would have been correct from the beginning. At the same time, the FDCC configurations have been around since 2007.