ASD releases Windows 8 hardening guide

news The Australian Signals Directorate appears to have released a guide to hardening Microsoft’s Windows 8 operating system, three years after the software was released for use by corporate customers, and as Microsoft is slated to release its next upgrade, Windows 10.

The Australian Signals Directorate, which has the motto Reveal Their Secrets — Protect Our Own, is one of the key Federal Government agencies responsible for protecting the security of public sector IT systems. It publishes its Information Security Manual — the key document which consists of a standard governing the security of government IT systems — as well as a list of approved devices for use in Government, and manuals for hardening IT platforms so they can be securely used in Government.

However, the agency is known for being substantially behind the times when it comes to approving modern technology to be upgraded.

For example, ASD only approved Apple iPhone and iPad devices for use within the Federal Government in April 2012, almost four years after the iPhone first launched in Australia, and at a stage where Apple’s iOS platform was considered suitable for secure corporate deployments. The iPad, which runs the same iOS platform, launched in April 2010. Demand was so great for the Apple platforms within the Federal Government that a number of politicians and public servants bought their own personal device and were carrying two units — an official Government model, often a BlackBerry, and a personal Apple iPhone.

Similarly, ASD only reportedly started certifying the Android platform for Government use in May 2013, after the point where Android started to dominate global market share for smartphone shipments. At that stage, only Samsung units were supported by ASD.

Currently, ASD’s official Evaluated Products List appears to contain only Apple and BlackBerry mobile devices, despite the fact that the BlackBerry handset platform is regarded as legacy by corporations and governments globally, having been largely superseded by platforms from Apple, Android (often Samsung) and Microsoft (with its Nokia acquisition). It is not clear why only the two Apple and BlackBerry platforms appear to be supported.

According to the ASD’s website, it appears to be similarly behind when it comes to desktop platforms.

As first noted by Computerworld, this month the agency published hardening guides to the Microsoft Windows 7 Service Pack 1, Windows 8.1, and Office 2013 platforms, as well as content management systems. Windows 7 Service Pack 1 was released in February 2011, while Windows 8 was released to manufacturing in August 2012 — three years ago — with the updated Windows 8.1 being released to manufacturing in August 2013. Office 2013 was released to manufacturing in October 2012.

The news comes as Microsoft is releasing newer versions of its software. The company released Windows 10 to manufacturers on July 15 this year, and Office 2016 is slated to be released later this year.

opinion/analysis
To be honest, I’m not sure entirely what we’re seeing here. The Australian Signals Directorate isn’t the most transparent of organisations at the best of times, and things often get a little confusing when you’re trying to assess what it’s up to.

However, what I think we’re seeing is that the organisation currently only officially supports Apple and BlackBerry on its mobile devices Evaluated Products List, and that it has only just released hardening guides for a bunch of other Microsoft software which is several years old.

In one sense this is fairly normal and expected behaviour. Many corporates and government organisations tend to lag a few releases behind new software upgrades — they tend to focus on long-term, stable releases. In this vein, we’ve seen a lot of organisations stick with the stable Windows XP platform, not upgrading until it became clear that Windows 7 was as stable and much more updated in terms of the features it offered. In comparison, Windows Vista and Windows 8 have not been as widely adopted.

However, on the other hand, it does feel like the ASD is getting woefully out of date here. I would expect that Office 2013 had been adopted by quite a few government organisations already, and the same for Windows 7 Service Pack 1. When you lag behind even government agencies, you know you’re quite a bit out of date when it comes to technology. How long will it take ASD to release a hardening guide for Windows 10? And will it ever start to get serious about Android? I thought that was already wrapped up, but I can’t find much about it on ASD’s website.

Perhaps I’m wrong on all these matters. I’d welcome comment from anyone in the public sector as to what’s happening here — happy to be corrected and to correct the record.

Image credit: Microsoft

12 COMMENTS

  1. “…it is not clear why only the two Apple and BlackBerry platforms appear to be supported…”

    In my experience, it’s a murky pool of confusion. I can’t speak too much towards BlackBerry because I don’t know enough about it from a technical perspective, but in corporate deploys, Apple *IS* much easier to secure than Android.

    The only version of Android I know of that has been ratified for government/secure use is a heavily modified version which (basically) adds SELinux and some other hardening tools to it. That information is about 18 months old – (the last time I dealt with government/defence applications) – so there may be more examples now.

    The underlying Android OS is a lot less tightly controlled than a lot of people realise.

    • The thing that confuses me is that I know the Federal Parliament provides Samsung Androids to staff, alongside iPhones etc. So why is the Federal Parliament supplying Android devices if ASD hasn’t ratified them …?

  2. Windows 10 is going to be an interesting one, especially since MS is changing the entire development lifecycle for Windows.

    As was evident when MS released Windows 8.1 Update 1, and will be especially evident with Windows 10, MS are no longer doing the whole service pack thing, they will incrementally roll out changes/improvements/patches/bug-fixes/whatever to Win10 via Windows Update.

    In this sense, I wonder how a lot of organisations will adapt to this, I do believe MS are going down the road of informing those subscribed to the necessary channels to let them know what a WinUpdate patch will provide, but will it be early enough, lots of organisations deliberately wait for Service Pack 1 of a new Windows OS before updating.

    • Windows 10 has a “special” update method for business called “Windows Update for Business”, which I believe operates the same, or at least similar to, WSUS. It will allow businesses to delay updates until they have ratified the updates through testing first.

      Home users, on the other hand, are “update guinea pigs” (they can’t turn Windows Update off at all… which is a good thing for my parents…)

      • Yes, this is indeed right, except that Home Users who use Pro (which is easily purchased from a shop) have complete control over WinUpdate too, it’s only the Home edition itself where they are permanently on.

        With regards to the business one, being able to control updates and knowing what an update changes are 2 different things. Previously, a business knew what they were installing was a service pack, now, they’ll have to apply every update and see what happens.

        • “Home Users who use Pro (which is easily purchased from a shop) have complete control over WinUpdate too”
          This is incorrect. Windows 10 Pro users are also forced to install all updates, with the ability to schedule a Restart after the installation up to a week after it’s installed. The Defer option simply relates to upgrades and new features.

          • I believe Pro users can defer updates but will only receive support if “up to date”.

            Home users have no such option. Which is causing some consternation in the areas of driver updates etc.

          • Every tester running the latest build (10240, said to be RTM) is running Windows 10 Pro. There is a Defer option, but according to MS themselves:
            “When you defer upgrades, new Windows features won’t be downloaded or installed for several months. Deferring upgrades doesn’t affect security updates.”
            http://windows.microsoft.com/en-au/windows-10/defer-upgrades-in-windows-10

            The wide-spread belief that Windows 10 Pro gives users control to defer updates for up to x months is, going by MS’ page, a complete fabrication.

  3. “… ASD only reportedly started certifying the Android platform for Government use in May 2013, after the point where Android started to dominate global marketshare for smartphone shipments…”

    I expect primarily because Android is only now just catching up to iOS in terms of security and still has major issues; for example today’s public disclosure of #stagefright which allows remote code execution on over 90% of Android powered devices.

    There’s no point investing in the complete certification of a product that you know already has multiple holes in it.

  4. Computerworld Australia is the leading source of technology news, analysis and tools for IT decision makers, managers and professionals. The Australian Signals Directorate has released a collection of four new hardening guides designed to help government agencies secure their IT environments.
