Microsoft has developed a hardened version of Windows XP, with many settings locked down by default. But the hardened OS isn't for sale to the general public; it was built specifically for the military. Microsoft put together the secure configuration a few years ago at the direction of the Air Force, which had grown weary of the constant updates to other Windows versions and had just seen its network defenses abused in a penetration test by the National Security Agency.
In response, the Air Force went to Microsoft and leaned on the software giant to put together a hardened version of XP, built to the service’s specifications. As Wired.com’s Threat Level reports:
The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the SANS Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us.
Security experts have been arguing for this “trickle-down” model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.
Various government agencies have in fact tried this tactic before, with varying degrees of success. The Department of Energy signed a contract with Oracle in 2003 that specified minimum security settings in the company's products. Little has been heard of this effort since then, however.
While this version was built to the Air Force's specifications and isn't available to outsiders, both home users and IT shops can get much of the same benefit by applying the secure configuration settings for Windows XP published by the National Institute of Standards and Technology (NIST). The guidelines are step-by-step walkthroughs for locking down machines running XP, and similar guides for Windows Vista and other products are available on the NIST site.
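Applying a published checklist is only half the job; the other half is verifying that the machine actually ended up in the intended state, and staying there. The script below is an added example, not code from the article, from Microsoft or from NIST. It audits a small, illustrative set of registry-backed Windows XP settings that commonly appear in hardening guides (LAN Manager authentication level, LM hash storage, anonymous SAM enumeration, SMB signing, Autorun). Which of these NIST's XP guide mandates, and at what value, is not stated on this page, so the expected values here are this editor's assumptions; substitute the values from the checklist you actually adopt. It targets PowerShell 2.0, which is the version that installs on XP SP3.

```powershell
# Added example (not from the article, Microsoft or NIST): audit a handful of
# registry-backed Windows XP hardening settings against expected values.
# The keys and expected values below are an illustrative subset chosen for this
# example; the authoritative list is the published NIST checklist, not this table.

$checks = @(
    @{ Name = 'LAN Manager authentication level (5 = NTLMv2 only, refuse LM/NTLM)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Name = 'Do not store LM hash of passwords';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Value = 'NoLMHash'; Expected = 1 },
    @{ Name = 'Do not allow anonymous enumeration of SAM accounts';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Value = 'RestrictAnonymousSAM'; Expected = 1 },
    @{ Name = 'SMB client: always digitally sign communications';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'Disable Autorun on all drive types (0xFF)';
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Value = 'NoDriveTypeAutoRun'; Expected = 255 }
)

function Test-HardeningSetting($check) {
    # Read just the one value; a missing key or value yields $null instead of an error.
    $item = Get-ItemProperty -Path $check.Path -Name $check.Value -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        # No explicit value means the OS default applies. Flag it rather than
        # assume the default is safe; for most of these settings it is the weaker one.
        return New-Object PSObject -Property @{
            Setting = $check.Name; Expected = $check.Expected; Actual = '<not set>'; Pass = $false }
    }
    $actual = $item.($check.Value)
    return New-Object PSObject -Property @{
        Setting = $check.Name; Expected = $check.Expected; Actual = $actual
        Pass = ($actual -eq $check.Expected) }
}

$results = $checks | ForEach-Object { Test-HardeningSetting $_ }
$results | Format-Table Setting, Expected, Actual, Pass -AutoSize

# Non-zero exit code = number of failed checks, so the script can gate a build or
# feed a scheduled task that reports configuration drift.
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($checks.Count) checks failed"
exit $failed
```

Run it from an elevated prompt so the HKLM reads succeed, and run it again after every patch cycle or group-policy change: the point of a locked-down baseline is that it stays locked down, which is only known if something checks. Auditing the registry directly, rather than trusting the Local Security Policy UI, also catches the case where a value was never written at all and the permissive default is silently in effect.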