It is a complicated, arduous, and time-consuming task for even experienced system administrators to know what a reasonable set of security settings are for a complex operating system. NIST sought to make this task simpler, easier, and more secure. NIST believes, along with major segments of the security community, who participated in reviewing and testing these baseline settings that these settings make a substantial improvement in the security posture of Win2K Professional systems. By using and applying the expertise of the security community via these consensus settings and the NIST special publications and consciously patching or mitigating known vulnerabilities you can certainly markedly reduce your vulnerability exposure.

The special publication was developed by NIST. NIST started with some excellent material developed by the National Security Agency (NSA) and the Security Community. The NIST security templates development were initially based in part on the National Security Agency's (NSA) Win2K Pro guidance. NIST examined the NSA settings and guidance and built on the excellent material they developed. NIST conducted extensive analysis and testing of the NSA settings, substantially extended and refined the NSA template settings, and developed additional template settings. NIST developed detailed explanatory material for the template settings, Win2K Pro security configuration, and application specific security configuration guidance. Subsequently, NIST led the development of a consensus baseline of Win2K security settings in collaboration with the public and private sectors, specifically NSA, Defense Information Systems Agency (DISA), the Center for Internet Security (CIS), and the SysAdmin Network Security Institute (SANS). Microsoft also provided valuable technical commentary and advice. GSA also reviewed and concurred with the baseline. The consensus settings are reflected in the NISTWin2kProGold.inf security template.

The intended audience is composed of Windows 2000 Systems Administrators and technical Windows 2000 Professional users working in managed environments. The document assumes that the reader has some experience installing and administering Windows-based systems in domain or stand-alone configurations.

No. These recommendations and security templates should be applied only to the Windows 2000 Professional workstation.

This guide is intended for managed environments and NIST recommends that the users who are directly applying this guide to secure their computers have significant competence in the administration of Windows systems. Applying these settings to a home system may break legacy applications that are not Windows 2000 compliant.

Some legacy applications that are not Windows 2000 compliant may not function properly and may require additional testing and experimentation. Perform a full system backup before applying the recommendations.

Yes. Test the recommended settings on a carefully selected test machine before being applied to operational systems.

Power users group is an insecure group designed to provide backward compatibility for applications that are not certified for Windows 2000 and to perform basic administrative tasks in a Windows 2000 Professional workgroup environment.

Yes. The Appendix B and security templates will be updated to reflect the most current consensus settings.

The NIST templates represent the consensus settings found in the CIS template except that we add settings that will allow a user to operate Netscape Communicator 4.7x in a user context. In addition, the NISTWin2kProGoldPlus.inf template includes restrictions on various executables to provide added protection for sites that require it.

The CIS tool can be used to verify how well a system matches the recommended baseline security for Windows 2000 Professional. Refer to the Appendix C - Tools for a list of other tools, i.e. hfnetchk, MBSA, etc.

It is inevitable and appropriate that some local changes will need to be made to the baseline and the associated settings given the wide variation in operational and technical considerations that go into operating any major enterprise. With hundreds of settings and the myriad of applications used and supported by the Win 2000 Professional system and the variety of missions and business functions supported, this should be expected. Of course, use caution and good judgment in making changes to the security settings.

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Win 2000 Professional System nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. As stated above, NIST is not requiring agencies to select specific settings or options recommended in the publication. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security checklist.

• NIST Special Publication 800-41 - Guidelines on Firewalls and Firewall Policy.

• NIST Special Publication 800-28 - Guidelines on Active Content and Mobile Code.

• NIST Special Publication 800-46 - Security for Telecommuting and Broadband Communications.

• NIST Special Publication 800-40 - Procedures for Handling Security Patches.

• NIST Special Publication 800-48 - Wireless Network Security: 802.11, Bluetooth, and Handheld Devices.