A link to the National Security Agency’s (NSA) guidance on hardening operating systems has been floating around various blogs today. But the NSA’s guidance on configuring Windows 7 and other recent operating systems is, to put it mildly, a bit incomplete.
What one government agency doesn’t do, another probably does. That’s usually a safe assumption at least. Enter the Defense Information Systems Agency (DISA). If you want to harden recent Windows operating systems, visit http://iase.disa.mil/stigs/index.html for guidance.
DISA’s documentation can be a bit cryptic, so it’s not for beginners. Their stance, most likely, is that if they have to explain it, they don’t want you doing it anyway.
And if you do everything in a STIG, chances are you’re going to break stuff. So if you’re not sure whether you should do something, make a restore point, then do it. That way you can back out of it. The first time I learned about this guidance, sometime in the 2004-05 timeframe, doing everything in the guide was a great way to end up with a system that wouldn’t boot. The current guides seem to be better about that, but you should still proceed with caution, and you probably should build a new system and practice on it before using these guides to lock down your everyday desktop PC.
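The make-a-restore-point-first habit described above, as an added PowerShell example that is not part of the original post and not DISA's own tooling. It takes a System Restore checkpoint, records the current value of one registry setting, applies the hardened value, and leaves both back-out paths ready. The setting used (NoLMHash, which stops Windows storing the weak LM password hash) is an assumed illustration of the kind of registry change a STIG asks for; substitute whatever setting you are actually applying. Run it from an elevated Windows PowerShell prompt (the System Restore cmdlets exist in Windows PowerShell 5.1 and earlier, not in PowerShell 7).

```powershell
# Added example (not from the original post): checkpoint first, then apply one
# hardening setting, so the change can be backed out if it breaks something.
# NoLMHash is an assumed example setting; it is not taken from a specific STIG.

$regPath       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name          = 'NoLMHash'
$hardenedValue = 1

# 1. Make sure System Restore is enabled for the system drive; Checkpoint-Computer
#    produces nothing useful if protection is off for that drive.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# 2. Record the current value so the change can be reversed precisely, even
#    without rolling back the whole system.
$before = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) { Write-Host "$name is currently not set" }
else                   { Write-Host "$name is currently $before" }

# 3. Take the restore point. MODIFY_SETTINGS is the type intended for configuration changes.
Checkpoint-Computer -Description "Before hardening change: $name" -RestorePointType 'MODIFY_SETTINGS'
$rp = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
Write-Host "Restore point #$($rp.SequenceNumber) created: $($rp.Description)"

# 4. Apply the hardening change and confirm it took effect.
Set-ItemProperty -Path $regPath -Name $name -Value $hardenedValue -Type DWord
$after = (Get-ItemProperty -Path $regPath -Name $name).$name
Write-Host "$name is now $after"

# Backing out, option A: put the single value back exactly as it was.
#   if ($null -eq $before) { Remove-ItemProperty -Path $regPath -Name $name }
#   else { Set-ItemProperty -Path $regPath -Name $name -Value $before -Type DWord }
#
# Backing out, option B: roll the whole system back to the checkpoint (reboots).
#   Restore-Computer -RestorePoint $rp.SequenceNumber
```

Two caveats worth knowing before relying on this. On Windows 8 and later, Checkpoint-Computer will not create a second restore point within 24 hours of the previous one unless that throttle is changed, so a batch of STIG changes gets one checkpoint, not one per setting; that is why the script also saves the previous value for a targeted undo. And a restore point covers system files and the registry, not user data, so it is a rollback for configuration, not a backup.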
If you want to lock down a computer with best-of-breed security, you can do worse than to use government standards. The U.S. government has been in the computer security documentation business since at least 1983, when it started producing the famous “rainbow series” of books. They are no longer the first and last word in government security, but their influence remains. For example, Windows NT 4.0 was designed to be able to meet Orange Book specifications, an ability inherited by all modern versions of Windows.