SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals
2008-10-10

SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, has been published as final. It seeks to assist IT professionals in securing Windows XP Professional systems running Service Pack 2 or 3. The guide provides detailed information about the security features of Windows XP and security configuration guidelines. SP 800-68 Revision 1 updates the original version of SP 800-68, which was released in 2005.

NIST Windows Security Baseline Database (Beta)
2008-07-25

The NIST Windows Security Baseline Database is being released for public comment. The database contains information on security setting baselines for Microsoft Windows XP, Windows Vista, Internet Explorer 7 (IE7), and Windows Firewall that are specified in NIST security templates and in the Federal Desktop Core Configuration (FDCC) Major Version 1.0. The database allows interested parties to view security settings by baseline or by policy (e.g., FDCC), as well as to compare baselines to each other. The information in the database is intended to supplement Draft SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals.
Description of the Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist - Special Publication 800-68

NIST Special Publication 800-68 has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional SP2 systems. It discusses Windows XP and various application security settings in technical detail. The guide provides insight into the threats and security controls that are relevant for various operational environments, such as a large enterprise or a home office. It describes the need to document, implement, and test security controls, as well as to monitor and maintain systems on an ongoing basis. It presents an overview of the security components offered by Windows XP and provides guidance on installing, backing up, and patching Windows XP systems. It discusses security policy configuration, provides an overview of the settings in the accompanying NIST security templates, and discusses how to apply additional security settings that are not included in the NIST security templates. It demonstrates securing popular office productivity applications, Web browsers, e-mail clients, personal firewalls, antivirus software, and spyware detection and removal utilities on Windows XP systems to provide protection against viruses, worms, Trojan horses, and other types of malicious code. This list is not intended to be a complete list of applications to install on Windows XP systems, nor does it imply NIST's endorsement of particular commercial off-the-shelf (COTS) products.

Comments and questions may be addressed to itsec@nist.gov.
Frequently Asked Questions - FAQ

1. Why did NIST develop this publication?

It is a complicated and time-consuming task for even experienced system administrators to know what a reasonable set of security settings is for a complex operating system such as Windows XP Professional. NIST sought to make this task simpler, easier, and more secure by developing this publication. NIST maintains, along with major segments of the security community who participated in reviewing and testing the publication's baseline settings, that the settings make a substantial improvement in the security posture of Windows XP systems.

2. How does SP 800-68 relate to the Federal Information Security Management Act (FISMA)?

One of the requirements of the FISMA legislation is that Federal agency systems must be compliant with minimally acceptable system configuration requirements. By implementing the publication's recommendations, its security templates, and its other general prescriptive recommendations, organizations should be able to meet the baseline system configuration requirements for Windows XP systems. This is based upon the management, operational, and technical security controls described in the draft NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems.
3. How does SP 800-68 relate to the NIST Security Configuration Checklist for IT Products program?

The guide represents a typical security configuration checklist that is included in the NIST program's checklist repository. It is consistent with the criteria outlined in Special Publication 800-70, The NIST Security Configuration Checklist for IT Products Program. It was produced using the guidelines and security principles referenced in SP 800-70.

4. How were the publication and security templates developed?

The publication was developed by NIST; however, NIST started with excellent material developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the U.S. Air Force (USAF), Microsoft, and other members of the security community. NIST collaborated with NSA, DISA, the Center for Internet Security (CIS), and Microsoft to produce the publication's consensus baseline settings for various operational environments, in particular the Specialized Security-Limited Functionality templates.

5. Who is the intended audience?

The intended audience is Windows XP system administrators and technical Windows XP system users. The document assumes that the reader has experience installing and administering Windows-based systems in domain or stand-alone configurations. The FDCC baseline was produced under the direction of OMB.
6. I have Windows XP Home Edition, Windows 95, Windows 98, Windows NT, Windows 2000, Windows Server 2003, or Windows Server 2008. Should I apply these templates to my machine?

No. These recommendations and security templates may break your system. The templates should be applied only to Windows XP Professional SP2 systems.

7. Will legacy applications that are not Windows XP compliant be broken if I install these templates?

Some legacy applications that are not Windows XP compliant may not function properly and may require additional testing and experimentation. Perform a full system backup before applying the recommendations.

8. Should I test this before applying it in my environment?

Yes. Test the recommended settings on a carefully selected test machine first.

9. What about power users?

Power Users is an insecure group designed to (1) provide backward compatibility for applications that are not certified for Windows XP, and (2) perform basic administrative tasks in a Windows XP workgroup environment. It is restricted from use by the publication's templates.
10. What is the impact caused by applying the Specialized Security-Limited Functionality template and the FDCC GPOs?

The Specialized Security-Limited Functionality template and the FDCC GPOs contain the more restrictive settings and will reduce the functionality and interoperability of the Windows XP system. They will reduce the usability of a typical system found in a multi-purpose managed environment and will break legacy or other general-purpose applications. They should only be used by experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements.

11. Is NIST going to keep this up to date?

Yes. The NIST Windows Security Baseline Database, FDCC GPOs, and security templates will be updated to reflect the most current recommended settings.

12. Should I make changes to the baseline settings?

Given the wide variation in operational and technical considerations for operating any major enterprise, it is appropriate that some local changes will need to be made to the baseline and the associated settings (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows XP systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings on a carefully selected test machine first and document the implemented settings.
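FAQs 7, 8, 9 and 12 all come down to the same practitioner workflow: snapshot the current policy, compare a template against a test machine before applying it, and record what would change. The following PowerShell script is an added illustration of that dry run using the built-in secedit tool; it is not part of SP 800-68 or the NIST templates, and the template path and output folder are placeholders you would replace with your own.

```powershell
# Added example (not from SP 800-68): dry-run a security template against a
# test machine with secedit /analyze and report what would change before
# anything is applied. Template path and output folder are placeholders.
$Template = 'C:\Templates\NIST-XP-Enterprise.inf'   # placeholder: NIST .inf template
$WorkDir  = 'C:\SecAudit'                            # placeholder: output folder
$Db       = Join-Path $WorkDir 'analyze.sdb'
$Log      = Join-Path $WorkDir 'analyze.log'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Export the current effective local security policy. This is the
#    "document the implemented settings" step and doubles as a rollback record.
secedit /export /cfg (Join-Path $WorkDir 'before.inf') /quiet

# 2. Analyse (do not configure) the live system against the template.
#    /analyze only writes a report; the system is left unchanged.
secedit /analyze /db $Db /cfg $Template /log $Log /quiet

# 3. Summarise the report. secedit logs one line per setting it checked;
#    "Mismatch" lines are settings the template would change.
$mismatch = Select-String -Path $Log -Pattern '^\s*Mismatch\s+-'
$notconf  = Select-String -Path $Log -Pattern '^\s*Not Configured\s+-'
"Settings that would change on apply : $($mismatch.Count)"
"Settings set by template, unset here: $($notconf.Count)"
$mismatch | ForEach-Object { $_.Line.Trim() }

# 4. FAQ 9: the templates restrict the Power Users group. List its current
#    members so that any account relying on it is found before the change.
net localgroup "Power Users"
```

Review the mismatch list against the legacy applications on the test machine (FAQ 7) and keep before.inf with the change record; the same /analyze run can be repeated after applying the template to confirm that no setting reports a mismatch.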
13. Is NIST endorsing or mandating the use of Windows XP systems, or requiring that each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of Windows XP systems, nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.
E-mail Notification of Updates

If you would like to be notified of updates to Special Publication 800-68, send an e-mail message to itsec@nist.gov with the words "subscribe SP 800-68" in the subject line.