
Standard configuration to give agencies a real test

Network administrators must figure out how to blend security, legacy apps

By Jason Miller

Once the National Institute of Standards and Technology, Microsoft and other federal and private-sector experts finish developing the test image for the standard Windows desktop configuration for XP and Vista, agencies will face their toughest test — literally.

Public- and private-sector experts say assessing agency applications against the baseline will mean making tough decisions on whether mission-critical systems need to be changed.

This also includes making choices about whether to shut off certain Internet access ports that key software programs need, whether to ask the Office of Management and Budget for waivers to modify core security settings and how to balance need against risk.

Glimpse of the future
One agency information technology manager, who requested anonymity, said the agency already is facing a similar situation that will be a microcosm of things to come — trying to close off a port but getting a “dribble of people who are using the port asking for it not to be turned off.”

“What do I do about the 15 good reasons not to shut off a port?” the manager asked. “I’m faced with security and operational issues that don’t always agree. And with Vista and XP, it isn’t just ports but routines in the kernel that can’t be used anymore.”

Network administrators will be able to start testing the secure Windows desktop image by early August, when NIST releases a virtual PC and virtual security settings, said Tim Grance, NIST’s manager of systems and network security for the information technology lab.

NIST also will release a Security Content Automation Protocol (SCAP) that describes in Extensible Markup Language the configuration guidance and benchmarks. “With the virtual version, agencies can test the settings more easily,” Grance said. “If it breaks, no problem, you just start over. It really facilitates rapid testing for individual operational environments.”

The initial testing version’s release will come almost three months after OMB’s April 20 deadline.

NIST and Microsoft officials attributed the delay to a host of issues, including the complexity of the development, and they said the holdup likely will hamper agencies’ chances of meeting OMB’s February 2008 deadline to implement the secure settings.


