Cyber Eye: Standards don't cancel responsibility
- By William Jackson
- Aug 15, 2002
A consortium of public and private experts last month released a baseline security configuration for Microsoft Windows 2000 Professional. Dozens of agencies, companies and nonprofit organizations joined in the effort to shape the consensus benchmark, vetted by Microsoft Corp.
The recommended settings for services and features represent a minimum acceptable security level for the widely used desktop operating system. It isn't a locked-down, highly secure configuration but rather a basic starting point that should not interfere with common services or application suites.
The baseline settings, plus a tool for scoring a computer's configuration against them, are downloadable from the Center for Internet Security of Bethesda, Md., at www.cisecurity.org
Air Force CIO John Gilligan said he intends to implement the consensus benchmark servicewide and hopes that other government CIOs will do the same. He said he would like to see this and subsequent benchmarks adopted by software developers as a default, out-of-the-box configuration.
But don't hold your breath. Asked when Microsoft would ship Win 2000 with these or equivalent default security settings, technology director Patrick W. Arnold said he could not say it would ever happen.
Many of the security problems associated with Microsoft products result not from flaws but from legitimate features that arrive turned on. If users are unaware of this, a default configuration could leave their systems wide open to a variety of attacks.
Reassessing default functionality is a first step in Microsoft's Trustworthy Computing Initiative, Arnold said.
But configuration can be a tough job. "The baseline doesn't fit everyone,' Arnold said.
No matter how Microsoft ships its products, organizations still have a responsibility to compare the settings of whatever they install with their own needs and applications.
That's not to say Microsoft is ignoring the issue of default configuration. Chairman Bill Gates last month sent out an e-mail newsletter outlining his plans for Trustworthy Computing. He announced a new tool at www.microsoft.com
, the Baseline Security Analyzer, which scans Win 2000 and Win XP systems for common security misconfigurations and missing patches.
Without promising any changes in Win 2000 default settings, Gates did say, 'We are committed to shipping Windows .Net Server 2003 as 'secure by default'. '
Whatever improvements Microsoft and other developers make in their default settings, users need to remember that default settings do not a secure system make. A baseline is just that'a starting point. You have to choose the destination yourself.
As Arnold said, 'We view all of this as a journey without a specific end.'
William Jackson is freelance writer and the author of the CyberEye blog.