Description of the NIST Systems Administration Guidance for Windows 2000 Professional - Special Publication 800-43
The Systems
Administration Guidance for Windows 2000 Professional publication
is intended to assist the users and system administrators of Windows
2000 Professional systems in configuring their hosts by providing
configuration templates and security checklists. The guide provides
detailed information about the security features of Win2K Pro, security
configuration guidelines for popular applications, and security
configuration guidelines for the Win2K Pro operating system. The
guide documents the methods that the system administrators can use
to implement each security setting. The principal goal of the document
is to recommend and explain tested secure settings for Win2K Pro
workstations with the objective of simplifying the administrative
burden of improving the security of Win2K Pro systems.
This guidance
document also includes recommendations for testing and configuring
common Windows applications. The application types include electronic
mail (e-mail) clients, Web browsers, productivity applications,
and antivirus scanners. This list is not intended to be a complete
list of applications to install on Windows 2000 Professional, nor
does it imply NIST's endorsement of particular commercial off-the-shelf
(COTS) products. Many of the configuration recommendations for the
tested Windows applications focus on deterring viruses, worms, Trojan
horses, and other types of malicious code. The guide presents recommendations
to protect the Windows 2000 Professional system from malicious code
when the tested applications are being used.
Comments and questions may be addressed to itsec@nist.gov.

Frequently Asked Questions - FAQ

1. Why did NIST develop this publication?
It is a complicated, arduous, and time-consuming task for
even experienced system administrators to know what a reasonable
set of security settings is for a complex operating system.
NIST sought to make this task simpler, easier, and more secure.
NIST believes, along with major segments of the security community
who participated in reviewing and testing these baseline settings,
that these settings make a substantial improvement in the
security posture of Win2K Professional systems. By applying
the expertise of the security community via these consensus
settings and the NIST special publications, and by consciously
patching or mitigating known vulnerabilities, you can markedly
reduce your vulnerability exposure.
2. How were the publication and security templates developed?
The special publication was developed by NIST. NIST started
with some excellent material developed by the National Security
Agency (NSA) and the security community. The development of the
NIST security templates was initially based in part on the
NSA's Win2K Pro guidance. NIST examined the NSA settings and
guidance and built on the excellent material they developed.
NIST conducted extensive analysis and testing of the NSA settings,
substantially extended and refined the NSA template settings,
and developed additional template settings. NIST developed
detailed explanatory material for the template settings, Win2K
Pro security configuration, and application-specific security
configuration guidance. Subsequently, NIST led the development
of a consensus baseline of Win2K security settings in collaboration
with the public and private sectors, specifically NSA, the Defense
Information Systems Agency (DISA), the Center for Internet Security
(CIS), and the SysAdmin Network Security Institute (SANS). Microsoft
also provided valuable technical commentary and advice. GSA
also reviewed and concurred with the baseline. The consensus
settings are reflected in the NISTWin2kProGold.inf security
template.
3. Who is the intended audience?
The intended audience is composed of Windows 2000 Systems
Administrators and technical Windows 2000 Professional users
working in managed environments. The document assumes that
the reader has some experience installing and administering
Windows-based systems in domain or stand-alone configurations.
4. I have a Windows NT, Windows XP, or Windows 2000 server. Should I apply these templates to my machine?
No. These recommendations and security templates should be
applied only to the Windows 2000 Professional workstation.
5. I am a home user. Should I apply this to my Windows 2000 Professional system?
This guide is intended for managed environments and NIST
recommends that the users who are directly applying this guide
to secure their computers have significant competence in the
administration of Windows systems. Applying these settings
to a home system may break legacy applications that are not
Windows 2000 compliant.
6. Will legacy applications be broken?
Some legacy applications that are not Windows 2000 compliant
may not function properly and may require additional testing
and experimentation. Perform a full system backup before applying
the recommendations.
7. Should I test this before applying it in my environment?
Yes. Test the recommended settings on a carefully selected
test machine before applying them to operational systems.
8. What about power users?
The Power Users group is an insecure group designed to provide
backward compatibility for applications that are not certified
for Windows 2000 and to perform basic administrative tasks
in a Windows 2000 Professional workgroup environment.
9. Are you going to keep this up to date?
Yes. Appendix B and the security templates will be updated
to reflect the most current consensus settings.
10. How does the NIST template relate to the template developed by CIS?
The NIST templates represent the consensus settings found
in the CIS template except that we add settings that will
allow a user to operate Netscape Communicator 4.7x in a user
context. In addition, the NISTWin2kProGoldPlus.inf template
includes restrictions on various executables to provide added
protection for sites that require it.
11. Should I use the CIS tools?
The CIS tool can be used to verify how well a system matches
the recommended baseline security for Windows 2000 Professional.
Refer to Appendix C - Tools for a list of other tools,
e.g. hfnetchk and MBSA.
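The two answers above (testing before deployment, and verifying a host against the baseline) can also be carried out with secedit, the security configuration tool that ships with Windows 2000, rather than with the CIS tool. The batch file below is an added example and is not from the publication or from NIST: it compares the current host configuration with the NISTWin2kProGold.inf template named on this page in analyze-only mode, so no setting is changed until the differences have been reviewed on a test machine. The template path, the database and log file names, and the "Mismatch" marker searched for in the log are assumptions.

```batch
@echo off
REM Added example, not part of NIST SP 800-43: analyze a Windows 2000 Professional
REM host against the NIST consensus template before applying it.
setlocal

REM Assumed locations; adjust to where the template was saved.
set TEMPLATE=C:\NIST\NISTWin2kProGold.inf
set DB=%TEMP%\nistgold.sdb
set LOG=%TEMP%\nistgold-analyze.log

if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 1
)

REM Analyze only: the template is imported into a scratch database and the
REM current configuration is compared with it. Nothing is changed on the host.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /verbose

REM The analysis log marks settings that differ from the baseline; the marker
REM word "Mismatch" is assumed here. Review each one before deciding whether
REM it is a local exception (FAQ 12) or a gap to close.
echo Settings that differ from the baseline:
findstr /i "mismatch" "%LOG%"

REM Only after the review on a test machine (FAQ 7) would the template be applied,
REM for example with:
REM   secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /verbose
endlocal
```

Run the file from an administrative command prompt on the test workstation; keep the log, since it documents the pre-change state that a full system backup (FAQ 6) does not record in readable form.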
12. Should I make changes to the baseline settings?
It is inevitable and appropriate that some local changes
will need to be made to the baseline and the associated settings
given the wide variation in operational and technical considerations
that go into operating any major enterprise. With hundreds
of settings and the myriad of applications used and supported
by the Win 2000 Professional system and the variety of missions
and business functions supported, this should be expected.
Of course, use caution and good judgment in making changes
to the security settings.
13. Is NIST endorsing or mandating the use of the Win 2000 Professional System or requiring each setting be applied as stated?
No. NIST does not endorse the use of any particular product
or system. NIST is not mandating the use of the Win 2000 Professional
System nor is NIST establishing conditions or prerequisites
for Federal agency procurement or deployment of any system.
As stated above, NIST is not requiring agencies to select
specific settings or options recommended in the publication.
NIST is not precluding any Federal agency from procuring or
deploying other computer hardware or software systems for
which NIST has not developed a publication or a security checklist.
E-mail Notification of Updates
If you would
like to be notified of updates to the Systems Administration Guidance
for Windows 2000 Professional publication, please send an
e-mail message to itsec@nist.gov
requesting to be on the notification list.