MSInfluentials
A new blog site for influential people

Unified Hardening Guidance for the U.S. Government

All U.S. Government computers are finally required to conform to one of two configurations. White House Memo M-07-11, further clarified in M-07-18, directs all government agencies to use a single hardening guide. M-07-18 clarifies that it is to be the NIST guide.

Overall, this is welcome news. The agencies finally will have an argument against the army of Nessus-armed "auditors" they have been battling with for years. Finally, they can point to something when said "auditor" claims they would be negligent unless they replace Everyone with Authenticated Users throughout the file system, and disable the netlogon service. 

Of course, there is one thing that bothers me a bit. There are only two levels in the NIST guide: the Enterprise level (let's hope that's what they all chose to use) and the Specialized Security Limited Functionality (SSLF) level. Notwithstanding the warnings about the SSLF level breaking things, it is a sure bet the "auditors" will demand that it be used throughout. Whether a system is embedded Windows running a gas pump at Bagram Air Force Base, or the receptionist's computer at the Bureau of Indian Affairs office in Winnebago, or a signals processing computer in one of the unmentionable intelligence agencies, you can bet that the report will require the SSLF configuration. That's a battle that still remains.

Still, this really is a good thing all around. The U.S. Government today has hundreds, if not thousands, of configurations, and loses thousands, if not hundreds of thousands, of computers every year to unsupportable security settings and attacks that were successful because of bad settings. It is also a dream come true for Microsoft, which can now focus support for the largest set of customers it has on two well-defined configurations. It also is wonderful to see recommended language in M-07-18 that specifies that users should run with least privilege and sets requirements on applications for how they should work. Finally, two of the biggest sources of security headaches have a mandate to be fixed.

The only thing one might wish now is that the Vista Security Guide were cleaned up a bit. For instance, the settings which do not exist on Vista could be removed. That would mean we finally have a government configuration that makes sense.

Read the complete post at http://msinfluentials.com/blogs/jesper/archive/2007/07/03/unified-hardening-guidance-for-the-u-s-government.aspx


Posted Tue, Jul 3 2007 7:51 PM by Jesper's Blog

All postings are copyright Jesper M. Johansson or Steve Riley, in the year they were made. These postings are provided "AS IS" with no warranties, and confer no rights. All postings are the sole opinions of Jesper M. Johansson or Steve Riley and do not reflect any official opinion of anyone else with whom the poster(s) are affiliated or has been affiliated in the past. Use of included code samples is permitted for non-commercial use, with no warranties of fitness express or implied. All use of any information or code snippets posted in this blog is at the user's sole risk. The blog site would like to thank www.ownwebnow.com and www.exchangedefender.com for their support.