Air Force raises bar on desktop security

The service will soon test the use of a more secure standard desktop configuration, with plans for full deployment next year.

The Air Force plans to test its new Microsoft standard desktop computer configuration at five field sites later this month. The service wants to install the configuration on 70 percent of its computers by June 2006 and on the rest by the end of 2006, Air Force and industry officials said.

The Air Force will distribute Microsoft software with standard security configurations servicewide to improve network security and management. Military and civilian agencies are watching the testing because they could use the software governmentwide early next year.

Many security problems associated with Microsoft software occur when users do not properly configure their systems. As part of this initiative, the Air Force is standardizing desktop PCs that are set up with all appropriate controls in place.

"We are very pleased with our early test results and look forward to significant advances in network operations and security as the Air Force standard desktop configuration is implemented across our enterprise during 2006," said Rob Thomas, deputy chief of the Office of the Secretary of the Air Force, Chief of Warfighting Integration and Chief Information Officer.

The Air Force has tested various versions of the standard desktop PC configuration in labs at many locations since May. The results identified minor incompatibilities with a number of government-developed software applications, and the Air Force is correcting those problems, a service spokeswoman wrote in an e-mail.

Developers at the five field sites will study implementation processes and correct further hardware and software compatibility problems. After the Air Force writes a test report and makes necessary corrections, its leaders will approve servicewide implementation, the service spokeswoman said.

Government agencies can use the standard desktop PC configuration after the Air Force tests it and service leaders approve its implementation. Agency officials can use any part of the configuration, "from the configuration settings up to the actual image that will be installed on the workstations, consistent with their licensing status regarding the 19 applications and plug-ins that comprise the image," the spokeswoman said.

The Air Force's preconfigured bundle of Microsoft software includes the Windows XP operating system, Office suite, Internet Explorer, and portions of Windows Server 2003 and other applications. The service calls it a software image.

"My personal assessment is that [the Office of Management and Budget] and the CIO Council may wait until after the results of the initial testing to finalize their strategy for potential deployment of the standard configurations across other agencies," said John Gilligan, the service's former CIO who helped develop the initiative. He is now a vice president and deputy director at SRA International's defense business unit.

The testing is important because attacks come within days of vulnerability and patch announcements, and agencies cannot maintain their computer defenses if they cannot quickly patch, said Alan Paller, director of research at the SANS Institute, a nonprofit organization that monitors computer security.