New tools to help secure Microsoft Vista and Windows XP

The National Institute of Standards and Technology (NIST) said today it was making available virtual machine images of secure configurations of the Microsoft Windows XP and Vista operating systems.  The images are expected to help federal agencies in complying with computer security requirements mandated by the government’s Office of Management and Budget (OMB). The operating system images let federal agencies and others simulate what will happen, and how critical applications will perform, when they move from their current operating environment to either of the two Microsoft systems using security configurations mandated under OMB’s Federal Desktop Core Configuration (FDCC). The FDCC is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista and XP operating systems. The security images were created through a collaborative effort between Microsoft, OMB, NIST, the Department of Defense (DoD) and the Department of Homeland Security (DHS), and are available for download on a new Web site established by OMB. The images contain pre-configured security settings for agencies to use when testing and evaluating their applications to ensure they function effectively and securely during migration to these new operating systems.In addition, NIST’s National Checklist Program is working with a number of information technology providers on standardizing security settings for a wide variety of products and environments. NIST maintains more than 120 common security configuration guides used by agencies. “This resource facilitates agencies’ efforts to implement common security configurations which will boost government’s information security, improve system performance and decrease operating costs,” said Karen Evans, administrator of OMB’s Office of E-Government and Information Technology, in a statement.  The tools come on the heels of reports of rootkit issues with Windows XP and Vista.  Network World’s Net Buzz  wrote: Kill off any one of 230 root certificates available under the default configuration of Windows XP Service Pack 2 and the operating system will "silently" revive it and restore the certificate to the trusted status that the user intended to be revoked. And in Windows Vista you just can't kill them, period. That assessment comes from a recently published paper by security expert Paul Hoffman, who writes: "This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certificate authority as untrusted unless the user turns off the Windows component that controls this feature. … Note: Windows Vista works quite differently than Windows XP SP2 in this regard, and has significant but different problems with Microsoft-trusted root certificates: The user cannot mark them as untrusted." As relates to Vista, the paper explains: "After extensive searching, I could not find a way to remove certificate authorities trusted by Microsoft from Windows Vista. Even if there is a way to do this, there seems to be no equivalent of the Update Root Certificates program that can be turned off. ... This leaves Windows Vista users always having to accept Microsoft's silent updating of their root certificate store." Other reports say Micorsoft has blocked  security feature in the 64-bit version of Windows Vista that could have been easily circumvented with a free utility that loads unsigned drivers into the kernel, according to researchers at Symantec. The security feature was intended to prevent unsigned code from being loaded into the Vista 64-bit kernel and help mitigate malicious kernel drivers typically used by rootkits.Microsoft Wednesday for the first time laid out the underpinnings of the security capabilities it has built into its forthcoming Windows Server Virtualization technology, in hopes that researchers will help vet the software, which is expected to ship next year. The company chose this week’s Black Hat conference in Las Vegas to talk about the security inherent in the WSV hypervisor-virtualization technology formerly code-named Viridian. It will be an add-on to Windows Server 2008, and Microsoft hopes it will offer serious competition to VMware, XenSource, Virtual Iron, Novell and Red Hat in the hot market for virtualization technology. Meanwhile NIST recently issued a new version of a draft guide for assessing the effectiveness of security controls in federal information systems.  The content of the new guide is expected to be incorporated into automated tools that support the information security programs of federal agencies. The 387-page guide is designed to help information system owners and security managers ensure that appropriate computer security controls work as intended to protect information systems from being improperly accessed or compromised. The guide is a companion document to NIST Special Publication 800-53, Minimum Security Controls for Federal Information Systems, which spells out the types of security controls such as user authentication, spam protection, cryptography and transmission confidentiality that must be used to protect federal information systems.   

Copyright © 2007 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022