In releasing a set of benchmark security standards for Windows 2000 Professional, the standards' creators said the chief goal of this move -- and others to follow -- is to get PC and software vendors to ship systems with user-specific security settings already in place.
Preconfigured systems would save end users time and money, said those backing the standards, which included a host of government agencies.
"We want to use the power of a user consensus to influence the vendors and [original equipment manufacturers] to secure these systems before they ever ship them, at least to a minimal level," said Clint Kreitner, president and CEO of the Computer Security Institute (CIS).
Today, systems are typically shipped "wide open," leaving it up to users to configure the system.
If vendors put in security settings before products are shipped, "we can install it and run it, rather than go through another process," said John Gilligan, CIO of the Air Force. Today, military IT professionals must configure and test security settings before deploying each workstation, he said.
The standard released today gives users a "preflight checklist" of security settings. Administrators can use the baseline standard to configure systems before rolling them out to users. Gilligan said he wants to continue the effort to examine a broader set of products. CIS is working on additional Windows, Linux and Apache benchmarks, among others.
Getting security settings correct upfront is important; about 80 per cent of successful penetrations are due to known exploits, said Gilligan.
US-based CIS is a non-profit group whose members include an extensive list of major companies. Working with these members, CIS has developed similar benchmarks for Linux, Sun Microsystems' Solaris and Hewlett-Packard's HP-UX, among other systems.
What made yesterday's announcement unique was the extensive involvement of government agencies, including the General Services Administration, National Institute of Standards and Technology, Defense Information Systems Agency and the National Security Agency. Many of these agencies had already developed security benchmarks of their own, although those benchmarks differed from one another.
Microsoft also worked to develop the benchmark.
This latest effort won a White House endorsement from Richard Clarke, special advisor to the president on cyberspace security, who called the private and public sector collaboration "an example of how things should be done," at a news conference yesterday to detail the standard.
This private and government collaboration is important to the White House, which intends to release a national strategy for securing information networks on September 19 in Silicon Valley.
That report, which will include an extensive list of recommendations for improving cybersecurity, will rely heavily on private-sector fixes -- not government regulations -- for improved security, said Clarke.
The benchmark released today doesn't address software design issues, or security breaches resulting from software bugs. A recent federal study said such bugs are costing end users and developers some $US60 billion annually.
Clarke, who has called on vendors to improve the security of their products, said the benchmark is evidence of improvement.
But he said the "greatest example" of changing attitudes was Microsoft chairman Bill Gates' directive that security be the number one design criterion, as well as shipping out-of-box configurations in the future that have all the security benchmark settings turned on.
"I think that's a big change," said Clarke. Other vendors are also improving security, he said.
"I believe the next generation of operating systems and major applications that we see will probably also reflect a massive improvement in quality work done from the beginning to ensure that security is designed in," said Clarke.