IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

white space

Description of the Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist - Special Publication 800-68 (Draft)

NIST Special Publication 800-68 has been created to assist IT professionals, in particularly Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail. The guide provides insight into the threats and security controls that are relevant for various operational environments, such as for a large enterprise or a home office. It describes the need to document, implement, and test security controls, as well as to monitor and maintain systems on an ongoing basis. It presents an overview of the security components offered by Windows XP and provides guidance on installing, backing up, and patching Windows XP systems. It discusses security policy configuration, provides an overview of the settings in the accompanying NIST security templates, and discusses how to apply additional security settings that are not included in the NIST security templates. It demonstrates securing popular office productivity applications, Web browsers, e-mail clients, personal firewalls, antivirus software, and spyware detection and removal utilities on Windows XP systems to provide protection against viruses, worms, Trojan horses, and other types of malicious code. This list is not intended to be a complete list of applications to install on Windows XP system, nor does it imply NIST's endorsement of particular commercial off-the-shelf (COTS) products.

NIST requests comments by August 3, 2004. Comments and questions may be addressed to itsec@nist.gov.

Frequently Asked Questions - FAQ
1. Why did NIST develop this publication?

It is a complicated and time-consuming task for even experienced system administrators to know what a reasonable set of security settings are for a complex operating system such as Windows XP Professional. NIST sought to make this task simpler, easier, and more secure by developing this publication. NIST maintains, along with major segments of the security community who participated in reviewing and testing the publication's baseline settings, that the settings make a substantial improvement in the security posture of WinXP systems.

2. How does the SP 800-68 relate to the Federal Information Security Management Act (FISMA)?

One of the requirements of the FISMA legislation is that Federal agency systems must be compliant with minimally acceptable system configuration requirements. By implementing the publication's recommendations, its security templates, and its other general prescriptive recommendations, organizations should be able to meet the baseline system configuration requirements for Windows XP systems. This is based upon the management, operational, and technical security controls described in the draft NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems.

3. How does the SP 800-68 relate to the NIST Security Configuration Checklist For IT Products program?

The guide represents a typical security configuration checklist that would be listed eventually on the NIST program's checklist repository. It is consistent with the criteria outlined in the upcoming Special Publication 800-70, The NIST Security Configuration Checklist for IT Products Program. It was produced using the guidelines and security principles referenced in SP 800-70.

4. How were the publication and security templates developed?

The publication was developed by NIST; however, NIST started with excellent material developed by the National Security Agency (NSA), DISA (Defense Information Systems Agency), Microsoft, and other members of the security community. NIST collaborated with NSA, DISA, the Center for Internet Security (CIS) and Microsoft to produce the publication's consensus baseline settings for various operational environments.

5. Who is the intended audience?

The intended audience is Windows XP Systems Administrators and technical Windows XP Systems users. The document assumes that the reader has some experience installing and administering Windows-based systems in domain or stand-alone configurations.

6. I have a Windows XP Home Edition, Windows 95, Windows 98, Windows NT, Windows 2000, or Windows Server 2003. Should I apply these templates to my machine?

No. These recommendations and security templates may break your system. The templates should be applied only to Windows XP Professional systems.

7. Will non-WinXP compliant legacy applications be broken if I install these templates?

Some legacy applications that are not Windows XP compliant may not function properly and may require additional testing and experimentation. Perform a full system backup before applying the recommendations.

8. Should I test this before applying it in my environment?

Yes. Test the recommended settings on a carefully selected test machine first.

9. What about power users?

Power Users is an insecure group designed to (1) provide backward compatibility for applications that are not certified for Windows XP, and (2) perform basic administrative tasks in a Windows XP Systems workgroup environment. It is restricted from use by the publication's templates.

10. How do the NIST template relate to the templates developed by CIS?

The NIST templates represent the consensus settings found in the CIS templates. The NIST SOHO template is equivalent to the CIS Enterprise Mobile template. In addition, the NIST templates restrict the Power Users group.

11. What is the impact caused by applying the High Security template?

The High Security template contains the more restrictive settings and
will reduce the functionality and interoperability of the Windows XP system. It will reduce the usability of a typical system found in a multi-purpose home environment and will break legacy or other general-purpose applications. It should be only be used by the experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements.

12. Is NIST going to keep this up-to-date?

Yes. The Appendix A and security templates will be updated to reflect the most current consensus settings.

13. Should I make changes to the baseline settings?

Given the wide variation in operational and technical considerations for operating any major enterprise, it is appropriate that some local changes will need to be made to the baseline and the associated settings (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows XP Systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings on a carefully selected test machine first and document the implemented settings.

14. Is NIST endorsing or mandating the use of the Windows XP Systems or requiring each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows XP Systems nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.

E-mail Notification of Updates

If you would like to be notified of updates to the Special Publication 800-68, send an e-mail message to itsec@nist.gov requesting to be on the notification list.


white space



Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. These recommendations should be applied only to the Windows XP Systems and will not work on Windows 9X/ME, Windows NT, Windows 2000 or Windows Server 2003. The security templates have been tested on WinXP Professional systems and will not work on Windows 9X/ME, Windows NT, Windows 2000 or Windows Server 2003.

This document is only a guide containing recommended security settings; it is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.

This document was developed at the National Institute of Standards and Technology, which collaborated with NSA, DISA, CIS, and Microsoft to produce the Windows XP security templates. Pursuant to title 17 Section 105 of the United States Code this document and template are not subject to copyright protection and is in the public domain. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. We would appreciate acknowledgement if the document and template are used.

Download Packages

Updates History
  • Security Templates (.inf files)
    • 2004-07-04 - Draft Update R1.0.1
      Setting 5.26 (all templates) - Correct typo in the DOJ message.
      Setting 12.5 (all templates) - Correct typo in the registry value.
    • 2004-06-24 - Draft Release R1.0

  • Draft Guidance for Securing Microsoft Windows XP Systems for IT Professionals document
    • 2004-07-04 - Draft Update
      Delete a blank page.
      Setting 12.5 (Appendix A) - Correct typo in the registry value.
    • 2004-06-24 - Draft Release

Comments and Questions
NIST requests comments by August 3, 2004. Comments and questions may be addressed to itsec@nist.gov.