It is a complicated and time-consuming task for even experienced system administrators to know what a reasonable set of security settings are for a complex operating system such as Windows XP Professional. NIST sought to make this task simpler, easier, and more secure by developing this publication. NIST maintains, along with major segments of the security community who participated in reviewing and testing the publication's baseline settings, that the settings make a substantial improvement in the security posture of WinXP systems.

One of the requirements of the FISMA legislation is that Federal agency systems must be compliant with minimally acceptable system configuration requirements. By implementing the publication's recommendations, its security templates, and its other general prescriptive recommendations, organizations should be able to meet the baseline system configuration requirements for Windows XP systems. This is based upon the management, operational, and technical security controls described in the draft NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems.

The guide represents a typical security configuration checklist that is included in the NIST program's checklist repository. It is consistent with the criteria outlined in the Special Publication 800-70, The NIST Security Configuration Checklist for IT Products Program. It was produced using the guidelines and security principles referenced in SP 800-70.

The publication was developed by NIST; however, NIST started with excellent material developed by the National Security Agency (NSA), DISA (Defense Information Systems Agency), U.S. Airforce (USAF), Microsoft, and other members of the security community. NIST collaborated with NSA, DISA, the Center for Internet Security (CIS) and Microsoft to produce the publication's consensus baseline settings for various operational environments, in particular the Specialized Security-Limited Functionality templates.

The intended audience is Windows XP Systems Administrators and technical Windows XP Systems users. The document assumes that the reader has experience installing and administering Windows-based systems in domain or stand-alone configurations. The FDCC baseline was produced under the direction of OMB.

No. These recommendations and security templates may break your system. The templates should be applied only to Windows XP Professional SP2 systems.

Some legacy applications that are not Windows XP compliant may not function properly and may require additional testing and experimentation. Perform a full system backup before applying the recommendations.

Yes. Test the recommended settings on a carefully selected test machine first.

Power Users is an insecure group designed to (1) provide backward compatibility for applications that are not certified for Windows XP, and (2) perform basic administrative tasks in a Windows XP Systems workgroup environment. It is restricted from use by the publication's templates.

The Specialized Security-Limited Functionality template and the FDCC GPOs contain the more restrictive settings and will reduce the functionality and interoperability of the Windows XP system. They will reduce the usability of a typical system found in a multi-purpose managed environment and will break legacy or other general-purpose applications. They should only be used by the experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements.

Yes. The NIST Windows Security Baseline Database, FDCC GPOs, and security templates will be updated to reflect the most current recommended settings.

Given the wide variation in operational and technical considerations for operating any major enterprise, it is appropriate that some local changes will need to be made to the baseline and the associated settings (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows XP Systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings on a carefully selected test machine first and document the implemented settings.

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows XP Systems nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.