Description
of the Guidance for Securing Microsoft Windows XP Systems
for IT Professionals: A NIST Security Configuration
Checklist - Special Publication 800-68 (Draft)
|
|
NIST Special Publication 800-68 has been created
to assist IT professionals, in particularly Windows XP system
administrators and information security personnel, in effectively
securing Windows XP systems. It discusses Windows XP and
various application security settings in technical detail.
The guide provides insight into the threats and security
controls that are relevant for various operational environments,
such as for a large enterprise or a home office. It describes
the need to document, implement, and test security controls,
as well as to monitor and maintain systems on an ongoing
basis. It presents an overview of the security components
offered by Windows XP and provides guidance on installing,
backing up, and patching Windows XP systems. It discusses
security policy configuration, provides an overview of the
settings in the accompanying NIST security templates, and
discusses how to apply additional security settings that
are not included in the NIST security templates. It demonstrates
securing popular office productivity applications, Web browsers,
e-mail clients, personal firewalls, antivirus software, and
spyware detection and removal utilities on Windows XP systems
to provide protection against viruses, worms, Trojan horses,
and other types of malicious code. This list is not intended
to be a complete list of applications to install on Windows
XP system, nor does it imply NIST's endorsement of particular
commercial off-the-shelf (COTS) products.
NIST
requests comments by August 3, 2004. Comments and questions
may be addressed to itsec@nist.gov.
|
Frequently
Asked Questions - FAQ
|
| 1. |
Why
did NIST develop this publication? |
| |
It is a complicated and time-consuming task for even
experienced system administrators to know what a reasonable
set of security settings are for a complex operating
system such as Windows XP Professional. NIST sought
to make this task simpler, easier, and more secure
by developing this publication. NIST maintains, along
with major segments of the security community who participated
in reviewing and testing the publication's baseline
settings, that the settings make a substantial improvement
in the security posture of WinXP systems.
|
| 2. |
How
does the SP 800-68 relate to the Federal Information
Security Management Act (FISMA)? |
| |
One of the requirements of the FISMA legislation is
that Federal agency systems must be compliant with
minimally acceptable system configuration requirements.
By implementing the publication's recommendations,
its security templates, and its other general prescriptive
recommendations, organizations should be able to meet
the baseline system configuration requirements for
Windows XP systems. This is based upon the management,
operational, and technical security controls described
in the draft NIST Special Publication (SP) 800-53,
Recommended Security Controls for Federal Information
Systems.
|
| 3. |
How
does the SP 800-68 relate to the NIST Security Configuration
Checklist For IT Products program? |
| |
The guide represents a typical security configuration
checklist that would be listed eventually on the NIST
program's checklist repository. It is consistent with
the criteria outlined in the upcoming Special Publication
800-70, The NIST Security Configuration Checklist for
IT Products Program. It was produced using the guidelines
and security principles referenced in SP 800-70.
|
| 4. |
How
were the publication and security templates developed? |
| |
The publication was developed by NIST; however, NIST
started with excellent material developed by the National
Security Agency (NSA), DISA (Defense Information Systems
Agency), Microsoft, and other members of the security
community. NIST collaborated with NSA, DISA, the Center
for Internet Security (CIS) and Microsoft to produce
the publication's consensus baseline settings for various
operational environments.
|
| 5. |
Who
is the intended audience? |
| |
The intended audience is Windows XP Systems Administrators
and technical Windows XP Systems users. The document
assumes that the reader has some experience installing
and administering Windows-based systems in domain or
stand-alone configurations.
|
| 6. |
I
have a Windows XP Home Edition, Windows 95, Windows
98, Windows NT, Windows 2000, or Windows Server 2003.
Should I apply these templates to my machine? |
| |
No. These recommendations and security templates may
break your system. The templates should be applied
only to Windows XP Professional systems.
|
| 7. |
Will
non-WinXP compliant legacy applications be broken
if I install these templates? |
| |
Some legacy applications that are not Windows XP compliant
may not function properly and may require additional
testing and experimentation. Perform a full system
backup before applying the recommendations.
|
| 8. |
Should
I test this before applying it in my environment? |
| |
Yes. Test the recommended settings on a carefully
selected test machine first.
|
| 9. |
What
about power users? |
| |
Power Users is an insecure group designed to (1) provide
backward compatibility for applications that are not
certified for Windows XP, and (2) perform basic administrative
tasks in a Windows XP Systems workgroup environment.
It is restricted from use by the publication's templates.
|
| 10. |
How
do the NIST template relate to the templates developed
by CIS? |
| |
The NIST templates represent the consensus settings
found in the CIS templates. The NIST SOHO template
is equivalent to the CIS Enterprise Mobile template.
In addition, the NIST templates restrict the Power
Users group.
|
| 11. |
What
is the impact caused by applying the High Security
template? |
| |
The High Security template contains the more restrictive
settings and
will reduce the functionality and interoperability of the Windows
XP system. It will reduce the usability of a typical system found
in a multi-purpose home environment and will break legacy or
other general-purpose applications. It should be only be used
by the experienced security specialists and seasoned system administrators
who understand the impact of implementing these strict requirements.
|
| 12. |
Is
NIST going to keep this up-to-date? |
| |
Yes. The Appendix A and security templates will be
updated to reflect the most current consensus settings.
|
| 13. |
Should
I make changes to the baseline settings? |
| |
Given the wide variation in operational and technical
considerations for operating any major enterprise,
it is appropriate that some local changes will need
to be made to the baseline and the associated settings
(with hundreds of settings, a myriad of applications,
and the variety of business functions supported by
Windows XP Systems, this should be expected). Of course,
use caution and good judgment in making changes to
the security settings. Always test the settings on
a carefully selected test machine first and document
the implemented settings.
|
| 14. |
Is
NIST endorsing or mandating the use of the Windows
XP Systems or requiring each setting be applied
as stated? |
| |
No. NIST does not endorse the use of any particular
product or system. NIST is not mandating the use of
the Windows XP Systems nor is NIST establishing conditions
or prerequisites for Federal agency procurement or
deployment of any system. NIST is not precluding any
Federal agency from procuring or deploying other computer
hardware or software systems for which NIST has not
developed a publication or a security configuration
checklist.
|
|
E-mail
Notification of Updates
|
|
If you
would like to be notified of updates to the Special Publication
800-68, send an e-mail message to itsec@nist.gov requesting
to be on the notification list.
|
|
-
DOWNLOAD PAGE -
|
WARNING
NOTICE
|
|
Do
not attempt to implement any of the settings in
this guide without first testing them in a non-operational
environment. These recommendations should be applied
only to the Windows XP Systems and will not work
on Windows 9X/ME, Windows NT, Windows 2000 or Windows
Server 2003. The security templates have been tested
on WinXP Professional systems and will not work
on Windows 9X/ME, Windows NT, Windows 2000 or Windows
Server 2003.
This
document is only a guide containing recommended security
settings; it is not meant to replace well-structured
policy or sound judgment. Furthermore this guide
does not address site-specific configuration issues.
Care must be taken when implementing this guide to
address local operational and policy concerns.
This
document was developed at the National Institute
of Standards and Technology, which collaborated with
NSA, DISA, CIS, and Microsoft to produce the Windows
XP security templates. Pursuant to title 17 Section
105 of the United States Code this document and template
are not subject to copyright protection and is in
the public domain. NIST assumes no responsibility
whatsoever for its use by other parties, and makes
no guarantees, expressed or implied, about its quality,
reliability, or any other characteristic. We would
appreciate acknowledgement if the document and template
are used.
|
|
Comments
and Questions
|
| NIST
requests comments by August 3, 2004. Comments and questions
may be addressed to itsec@nist.gov.
|
|
|
|
|
