Department of Defense standardizes on Windows 10

[Anteaus]

This is interesting. I wonder if the DoD gets a special build for security sensitive uses.

http://arstechnica.com/information-...tandardizes-on-windows-10-certifies-surfaces/

 

[yinan]

No they don't

 

[Elixer]

This is interesting. I wonder if the DoD gets a special build for security sensitive uses.

http://arstechnica.com/information-...tandardizes-on-windows-10-certifies-surfaces/

No, but I bet they do apply the correct group policies to prevent pretty much all settings that try to phone home.

 

[yinan]

Most of the time, even if those settings are not disabled ( which they are ), they couldn't get home if they wanted to. Air gapped networks.

 

[SparkyJJO]

Or maybe there were just a bunch of mole hills turned into mountains and there isn't near the kind of security risk that some people think there is.

 

[Anteaus]

Or maybe there were just a bunch of mole hills turned into mountains and there isn't near the kind of security risk that some people think there is.

I get your point, though risk is subjective. The level of the risk is only as large as the people who exploit it make it. In the case of this thread, unprompted data leakage of any kind in some of the security environments that the DoD is likely use a Windows PC can be a huge deal. This is less about Microsoft about being malicious (which I agree with you about) and more about general network security.

I just asked the question initially because I wondered if the DoD might have required MS to provide a custom build that might have adhered to a specific security requirement. Modifying a bit of code to honor a DoD contract, even if only a custom patch, is well within the realm of possibility if it means getting the contract or not. Even if they don't require modification, I'm all but certain that MS would be more transparent with them about what type of data that Windows 10 transmits than they would be with the average user.

 

[Charlie98]

Or maybe there were just a bunch of mole hills turned into mountains and there isn't near the kind of security risk that some people think there is.

Yea, OK.

 

[yinan]

I get your point, though risk is subjective. The level of the risk is only as large as the people who exploit it make it. In the case of this thread, unprompted data leakage of any kind in some of the security environments that the DoD is likely use a Windows PC can be a huge deal. This is less about Microsoft about being malicious (which I agree with you about) and more about general network security.

I just asked the question initially because I wondered if the DoD might have required MS to provide a custom build that might have adhered to a specific security requirement. Modifying a bit of code to honor a DoD contract, even if only a custom patch, is well within the realm of possibility if it means getting the contract or not. Even if they don't require modification, I'm all but certain that MS would be more transparent with them about what type of data that Windows 10 transmits than they would be with the average user.

If you think they provide more help to the government than the average business you are very funny. More often than not they provide worse.

 

[Ketchup]

Microsoft should be happy, as it is helping them reach their goal.
http://www.computerworld.com/articl...-ambitious-goal-of-1b-windows-10-devices.html
And if MS sticks to their plan of only updating what they already had (vs rolling out an entirely new OS), this should work out very well.

Anybody know what they had before?

 

[quikah]

I get your point, though risk is subjective. The level of the risk is only as large as the people who exploit it make it. In the case of this thread, unprompted data leakage of any kind in some of the security environments that the DoD is likely use a Windows PC can be a huge deal. This is less about Microsoft about being malicious (which I agree with you about) and more about general network security.

I just asked the question initially because I wondered if the DoD might have required MS to provide a custom build that might have adhered to a specific security requirement. Modifying a bit of code to honor a DoD contract, even if only a custom patch, is well within the realm of possibility if it means getting the contract or not. Even if they don't require modification, I'm all but certain that MS would be more transparent with them about what type of data that Windows 10 transmits than they would be with the average user.

I believe they need to do a Common Criteria certification. I am not sure if there are other audits that need to be completed for government to start using it. MS has been certifying their stuff for a long time now. https://msdn.microsoft.com/en-us/library/dd229319.aspx

Here is the Windows 10 CC cert report:
https://www.niap-ccevs.org/st/st_vid10677-st.pdf

 

[Anteaus]

I believe they need to do a Common Criteria certification. I am not sure if there are other audits that need to be completed for government to start using it. MS has been certifying their stuff for a long time now. https://msdn.microsoft.com/en-us/library/dd229319.aspx

Here is the Windows 10 CC cert report:
https://www.niap-ccevs.org/st/st_vid10677-st.pdf

Interesting.

The DoD actually is getting a custom implementation of Windows 10. It probably doesn't count as a custom build, but it is definitely not configured the same as you or I would see after a clean install. It is described as "security hardened" which presumably means that all non-intentional network radiation (did I just invent a phrase? ) is probably deactivated in the install image.

http://iasecontent.disa.mil/stigs/p...ration_to_Windows_10_Secure_Host_Baseline.pdf
https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/Slicksheet_SecureHostBaseline_Web.pdf

 

[yinan]

The install bits are the same, there are just GPOs and other things applied to the image. The gov't goes to the same volume download sites as everyone else.

 

[LPCTech]

Im sure the DOD "I.T. guys" can modify things however they require, to make it secure.

 

[yinan]

The security requirements and recommendations are available for anyone to implement. They really aren't a secret.

 

[ronbo613]

The security requirements and recommendations are available for anyone to implement. They really aren't a secret.

That puts any and all fears to rest

 

[Brian Stirling]

I bet the DOD has some help from the folks at the NSA and NRO to control what gets sent and to whom. If they aren't using them in this way and lots of other ways they're not doing there job.


Brian

 

[yinan]

All of these things are easy to control, even for home users. Just deny everything by default at the firewall level and only whitelist certain things. The DISA STIG is freely available to anyone who wants to download it, but the install bits are just downloaded from the MS volume license site. Plus on the airgapped networks, there isn't a route from there to microsoft.com so even if stuff wasn't turned off it couldn't get there.