The long road toward standard configuration

The keys to establishing a standard configuration for Windows desktop and notebook PCs, as required by the Office of Management and Budget, are essentially the same as for any large-scale migration: planning, policies and governance.Agency officials will have to test configurations in a nonproduction environment to identify adverse effects on a system's functionality, and then implement and automate enforcement for these configurations'tasks that could take a year or more, some experts say.The benefits should be worth it, though. Having preloaded, secure configurations of Windows software on desktops will let agencies tighten security and better manage desktop systems.A common hardware and software platform will provide a more predictable computing environment. Plus, administrators can push out patches and software updates more easily, experts say. It could even allow, eventually, for a relatively painless transition to Windows Vista.The good news is that agencies have a model in the Air Force, which embarked three years ago on a path to establish a common desktop configuration across the service with Windows XP.Karen Evans, OMB's administrator for e-government and IT, acknowledged in a memo to agency chief information officers last month that the Air Force could serve as a blueprint for the effort.OMB issued two memos to agency officials that set deadlines for the implementation of a standard desktop configuration for Windows XP and Vista within agencies. Agencies have to submit plans for the development and deployment of standard configurations by May 1 and implement them by February 2008.OMB is expanding governmentwide the work of the Air Force, Army, Defense Information Systems Agency, National Institute of Standards and Technology, National Security Agency and Homeland Security Department to develop a standard Windows configuration.Agencies are probably in various stages of adopting a standard configuration, said Kurt Kolcun, Microsoft federal division vice president.'We have been engaged with the Air Force to roll this out all along. There already has been a lot of dialogue and sharing across the [federal] CIO community, so they have an understanding of how to do this,' he said. Now, 'it is a matter of continuing to engage and share best practices.'Governance, proper planning and sound policy are the keys to a successful transition to a standard configuration environment, according to Ken Heitkamp, the Air Force's associate CIO for lifecycle management for warfighting integration.The Air Force would not have been successful without overriding governance and support from senior management, Heitkamp said. Officials viewed the move to an enterprise configuration and patch management process as part of an overall objective to increase security and reduce lifecycle management costs associated with desktop computer systems.NIST recommends that agency IT managers overseeing the move should first consult the security baselines posted on NIST's Web site (GCN.com/748).'Take a look at it. Study it. Understand it,' said Tim Grance, manager of systems and network security with NIST's information technology lab.Agency officials have to determine how the baselines work in conjunction with their own policies, operations and applications. They will have to customize it to their own environment.'If you do change the baseline, we ask people to document what those changes are,' Grance said.They must test the configurations as they would any software update, he added. Testing should be done in a nonproduction environment that closely approximates the operational IT infrastructure.'Thoroughly test it'not just for security, but how [the configurations] interact with applications, especially legacy applications,' Grance said.Heitkamp agreed. The Air Force tested for performance, compatibility, usability and power consumption, he said.For many agencies, the whole process of testing and deploying standard configurations will take some time, NIST's Grance said. 'Across a large, major enterprise it could take a year or a year and a half' to make the transition, he said.The Air Force made the transition to a standard configuration for Windows XP incrementally, Heitkamp said. The service built a configuration image of XP Service Pack 2, then tested and deployed it at four leading bases in 2005.A year ago, the configurations were on about 2,000 systems. Air Force officials gave the approval to deploy XP settings servicewide in March 2006.By the end of the year, 425,000 desktop and notebooks computers across the Air Force had been equipped with the settings, Heitkamp said.The important thing to note is that the service built a customized software image based on Microsoft security baselines. 'We're not giving people books or PowerPoint slides,' to learn how to set configurations, he said. Desktop users are being provided with images, and enterprise network administrators can control the settings over the network.The same process can be applied to newer versions of Windows software such as Vista, Office 2007 and Internet Explorer 7, Heitkamp said.The Air Force met for four days last November to define settings for Vista with officials from NSA, DISA, NIST, Microsoft, the Army, Navy and Marines, Heitkamp said.The services decided to share lessons learned and apply guidelines collectively. There will most likely be a few differences among the services' settings, he noted.The standard configuration should make the transition to Vista 'a piece of cake, because you can do the delta between XP and Vista,' said John Gilligan, vice president and deputy director of the defense sector at SRA International Inc. and a former Air Force CIO.'I heard it is a very modest amount of changes needed to be made, and those could be planned and made fairly easily,' Gilligan said. 'Every software release Microsoft issued, the Air Force owned. There is a huge cost to roll it out, but now that has been minimized so you can take advantage of new releases easier and at a reduced cost and timeline,' he said.