
Microsoft and DoD strengthen security of network servers

May 18, 2009 - 6:12pm

Ken Page talks with WFED's Jason Miller


By Jason Miller
Executive Editor
FederalNewsRadio

The Defense Department, and more precisely the Air Force, is once again leading the charge to close up some of the biggest and most obvious remaining cybersecurity holes.

The Air Force has developed a baseline for computer network servers running Microsoft Windows 2003. And the Defense Information Systems Agency, the Air Force and the National Security Agency recently finished a secure standard for Windows 2008 servers.

DoD is building upon the work of the Federal Desktop Core Configuration for Microsoft Office, Internet Explorer and Outlook, says Ken Page, a program manager for Microsoft Federal Services.

"The goal is to have secure and standardized server configurations like we did on desktops so we have a more manageable server environment," Page says.

"Agencies can install the same server configuration on every Windows server in their organization. It would enable the people who manage the servers to know the configuration and allow them to manage the servers better over time."

Page adds that the standard server configurations are for e-mail, Web application or other types of servers that play specific roles in agency computer networks. Most agencies use Windows 2003, but many are moving to Windows 2008 over the next year or so.

He says Microsoft estimates agencies have about 1 million servers running Microsoft software.

"With known configurations on all machines, you will have fewer breakdowns and trouble tickets," Page says.

"And when you do have problems, you can more quickly remedy them because you are starting from a known configuration."

Microsoft also is developing a repeatable process to support server implementation. Page says lessons from DoD as well as other implementations are helping.

The Redmond, Wash., software giant has worked with Miami Dade County government to implement these standards as well as the Interior Department's Bureau of Land Management.

And Microsoft also is discussing how they may apply the secure server standards to Lockheed Martin's infrastructure.

"We are writing an executable that will allow individuals to apply the standard configurations in a matter of minutes," Page says.

"That will be a great boon to the process and quickly speed up acceptance."

The Office of Management and Budget and the National Institute of Standards and Technology are aware of DoD and Microsoft's work on server configuration, but Page says there is no mandate or guidance coming just yet.

He says there could be guidance within the next year, however.

He says OMB and NIST have focused mainly on ensuring agencies implement the FDCC first. Agencies were supposed to have fully implemented the settings by Feb. 1, 2008, but few have attained 100 percent compliance, Page says.

OMB says in a report to Congress in March that only 10 agencies have fully implemented or mostly implemented the FDCC.

"We've helped 35 agencies implement it across their organizations and many have chosen to do it themselves," he says. "The FDCC has been a successful program, especially since it's an unfunded mandate."

Page adds that most agencies have implemented 95 percent or more of the 650 settings under the FDCC. But there is one setting many cannot or choose not to implement.

"The single biggest remaining challenge is turning on the setting to require a secure encryption algorithm under Federal Information Processing Standard 140-2," he says.

"The challenge is many of the Web sites that you would exchange secure data with have not moved to that particular level of encryption. If you use it in the FDCC, the agency can't do business with those secure Web sites."

He adds that until the commercial sector, including many in the financial industry, adopts the encryption standard, agencies will not be able to enable this setting or they can't do business with those companies that do not use it.

Still, Page says anecdotally agencies are seeing big benefits from the FDCC.

The Air Force, for instance, is saving or avoiding spending $100 million a year because of reductions in staff and fewer help desk calls.

He says DoD also has seen a decrease in the number of successful cyber attacks.

Page says the next area Microsoft may develop secure configuration standards for is mobile communications.

"The costs are still fairly high, but we are headed down that path," he says.


(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)
