Two weeks ago Wired reported that Microsoft made a custom version of Windows XP for the Air Force.  The story was widely reported all over the Internet showering praise upon Microsoft for their efforts.  Unfortunately this story has turned out to be inaccurate.

What Microsoft actually did was help the Air Force secure their normal Windows XP by contributing to the Federal Desktop Core Configuration (FDCC).  The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration. The FDCC currently exists for Microsoft Windows Vista and XP operating system software.

Basically it is a government effort to define the best security settings.  As a result of the original Wired report many people expressed interest in obtaining a copy of the secure version of XP.  Thankfully as a result of this government effort, you can.  The security settings as well as Virtual Hard Drive files that you can modify according to your specific needs.

The original article could have cleared up a lot of this confusion if Microsoft had been more willing to communicate about it.  Thankfully a Microsoft employee took the initiative and got the truth out about this story.

Thanks for covering this topic, but unfortunately the reporter for the original article got a lot of the major facts, which you relied upon, wrong. For instance, there isn’t a special version of Windows for the Air Force. They use the same SKUs as everyone else. We didn’t deliver a special settings that only the Air Force can access. The Air Force asked us to help them to create a hardened gpos and images, which the AF could use as the standard image. We agreed to assist, as we do with any company that hires us to assist in setting their own security policy as implemented in Windows.

The work from the AF ended up morphing into the Federal Desktop Core Configuration (FDCC) recommendations maintained by NIST. There are differences, but they are essentially the same thing. NIST initially used even more secure settings in the hardening process (many of which have since been relaxed because of operational issues, and is now even closer to what the AF created).

Anyone can download the FDCC settings, documentation, and even complete images. I worked on the FDCC project for little over a year, and Aaron Margosis has been involved for many years, and continues to be involved. He offers all sorts of public knowledge and useful tools. Here, Aaron has written a couple of tools that anyone can use to apply FDCC settings to local group policy. It includes the source code, if anyone wants to customize them.

In the initial article, a lot of the other improvements, such as patching, came from the use of better tools (SCCM, etc.), and were not necessarily solely due to the changes in the base image (although that certainly didn’t hurt). So, it seems the author mixed up some of the different technology pushes and wrapped them up into a single story. He also seem to imply that this is something special and secret, but the truth is there is more openness with the FDCC program and the surrounding security outcomes than anything we’ve ever done before. Even better, there are huge agencies that have already gone first in trying to use these harden settings, and essentially been beta testers for the rest of the world. The FDCC settings may not be the best fit for every company, but it is a good model to compare against.

Let me know if you have any questions.

Roger A. Grimes, Security Architect, ACE Team, Microsoft

Check It Out> FDDC, Downloads, Bruce Schneier’s Blog via The Tech Herald