Feds finally extend security baseline to Red Hat Linux
Companies running Linux, Unix, or BSD should check out the alpha release of USGCB for Red Hat
At long last, a version of the U.S. Government Configuration Baseline (USGCB) for Red Hat Linux Desktop is in the house. The first set of USGCB security requirements were created some five years ago by the Office of Management and Budget, specifically for Windows Vista, with the assurance that other OSes would follow. With the proliferation of Macs and iPads, I'm surprised not to see a USGCB for Apple products. How far behind can the mobile platforms be?
If you aren't familiar with the USGCB security recommendations, you should be -- even if they aren't required of your company. They provide a useful benchmark for comparing your own security requirements against those that have been reviewed time and again by professionals.
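The comparison the column recommends, your own settings checked against a published baseline, comes down to a mechanical audit once both sides are written as key/value pairs. The script below is an added example, not code from the column, from NIST, or from the USGCB content itself; the setting names, expected values and the sample host configuration are constructed for illustration and are not actual USGCB requirements. It also models the documented exception ("waiver") the column alludes to, so a setting a site has deliberately declined, such as FIPS mode, shows up as waived rather than silently passing or failing.

```python
"""Audit a host's key/value configuration against a security baseline.

Added example; not part of the InfoWorld column or of the USGCB content.
All rules, values and sample configuration below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    setting: str    # configuration key, e.g. an sshd_config or sysctl name
    op: str         # "eq", "ge" or "le" (how actual is compared to expected)
    expected: str
    rationale: str  # why the baseline wants this; kept for the report


# Constructed baseline, NOT actual USGCB values.
BASELINE = [
    Rule("PermitRootLogin", "eq", "no", "no direct root logins over SSH"),
    Rule("PasswordAuthentication", "eq", "no", "keys only; no password guessing"),
    Rule("MaxAuthTries", "le", "4", "limit authentication attempts per connection"),
    Rule("ClientAliveInterval", "le", "600", "drop idle sessions"),
    Rule("LogLevel", "eq", "VERBOSE", "record key fingerprints for forensics"),
    Rule("crypto.fips_enabled", "eq", "1", "kernel FIPS mode (often waived)"),
]

# Constructed sample host state, in the two formats the parser understands.
SAMPLE_SSHD = """
# constructed sshd_config-style input
PermitRootLogin no
PasswordAuthentication yes   # deviation
MaxAuthTries 6               # deviation
ClientAliveInterval 300
"""
SAMPLE_SYSCTL = """
# constructed sysctl-style input
crypto.fips_enabled = 0
"""

# Settings this (hypothetical) site has consciously declined, with a ticket
# on file; they are reported as waived instead of failed.
WAIVERS = frozenset({"crypto.fips_enabled"})

_LINE = re.compile(r"^([\w.\-/]+)\s*[=\s]\s*(.+?)$")


def parse_kv(text):
    """Parse 'key value' or 'key = value' lines; '#' starts a comment."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            result[m.group(1)] = m.group(2).strip()
    return result


def evaluate(rule, actual):
    """Return 'pass', 'fail' or 'missing' for one rule against one value."""
    if actual is None:
        return "missing"
    if rule.op == "eq":
        return "pass" if actual.lower() == rule.expected.lower() else "fail"
    try:
        got, want = int(actual), int(rule.expected)
    except ValueError:
        return "fail"  # numeric rule but non-numeric value on the host
    if rule.op == "ge":
        return "pass" if got >= want else "fail"
    if rule.op == "le":
        return "pass" if got <= want else "fail"
    raise ValueError(f"unknown operator {rule.op!r}")


def audit(baseline, config, waivers=frozenset()):
    """Map each baseline setting to pass/fail/missing/waived."""
    report = {}
    for rule in baseline:
        status = evaluate(rule, config.get(rule.setting))
        if status != "pass" and rule.setting in waivers:
            status = "waived"
        report[rule.setting] = status
    return report


def summarize(report):
    """Count results by status, e.g. {'pass': 2, 'fail': 2, ...}."""
    counts = {}
    for status in report.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


def run_sample():
    """Audit the constructed sample host against the constructed baseline."""
    config = {**parse_kv(SAMPLE_SSHD), **parse_kv(SAMPLE_SYSCTL)}
    return audit(BASELINE, config, WAIVERS)


if __name__ == "__main__":
    result = run_sample()
    for rule in BASELINE:
        print(f"{result[rule.setting]:8} {rule.setting:24} ({rule.rationale})")
    print(summarize(result))
```

A real deployment would replace the constructed inputs with the host's actual sshd_config and sysctl output and the baseline with the published one; the point of the structure is that every deviation is either a failure to fix or a waiver someone signed off on, which is exactly the negotiation the column describes.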
The current USGCB requirement is a collection of more than 337 security settings for Windows and 115 settings for Internet Explorer 8. They set a fairly strict baseline, somewhere between the EC (Enterprise Client) and SSLF (Specialized Security -- Limited Functionality) baseline from Microsoft, my full-time employer.
At times the USGCB has been too strict. Three years ago, I submitted 60 settings that I thought were overly restrictive, and there were at least 10 settings that almost no one implemented, such as enabling the FIPS security standard, which breaks nearly a dozen commonly used features.
What makes the USGCB such a compelling security recommendation is its multiyear review by hundreds of security experts and the people in charge of deploying it. Vendors, NIST (National Institute of Standards and Technology) employees, U.S. government workers, and the reviewing public have spent a good portion of their professional lives over the past few years seeking a good balance of default security and usability.
Having been intimately involved in that process at one time for a year, I can tell you it wasn't always pretty. Major applications and websites were broken and nerves frayed. But what has come out of the process is a fairly robust and accepted, aggressive security standard.