It is a complicated and time-consuming task for home users and even experienced system administrators to know what a reasonable set of security settings is for a complex operating system such as Windows XP Home Edition. NIST sought to make this task simpler, easier, and more secure by developing this publication. NIST maintains that the settings make a substantial improvement in the security posture of Windows XP Home Edition computers.

The guide represents a typical security configuration checklist that is included in the NIST program's checklist repository. It is consistent with the criteria outlined in the Special Publication 800-70, The NIST Security Configuration Checklist for IT Products Program. It was produced using the guidelines and security principles referenced in SP 800-70.

The publication was developed by NIST. It is partially based on SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, which in turn is based on excellent material developed by the National Security Agency (NSA), DISA (Defense Information Systems Agency), U.S. Air Force (USAF), Microsoft, and other members of the security community.

The intended audience is Windows XP Home Edition users and IT professionals, particularly Windows XP system administrators and information security personnel who are responsible for securing Windows XP Home Edition computers used by telecommuters.

No. These recommendations may break your system. The recommendations should be applied only to Windows XP Home Edition computers.

Yes. perform a full system backup before applying the recommendations. Although the recommendations have been tested, it is likely that the recommendations may cause conflict between settings and particular applications.

Yes. It will be updated periodically as needed to reflect the most current recommended settings.

Given the wide variation in operational and technical considerations, some local changes might need to be made to the settings (with the number of settings, a myriad of applications, and the variety of business functions supported by Windows XP systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings, document the implemented settings, and perform a full system backup before applying the settings.

Yes. In addition to changing Windows XP Home Edition settings to strengthen the operating system's security, protective measures such as antimalware software and file encryption software may also need to be added to reduce the likelihood of compromises of the computers and any sensitive data they may contain. Users of Windows XP Home Edition computers should also safeguard their physical security, such as keeping laptops in a secure location when unattended. Federal agencies should also ensure that Windows XP Home Edition computers used as mobile
devices or for remote access comply with the additional protective measures described in Office of Management and Budget (OMB) Memorandum M-06-16, Protection of Sensitive Agency Information, which is available at http://www.whitehouse.gov/omb/memoranda/.

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows XP systems nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.

For agencies that want to deploy Windows XP computers for their telecommuters, NIST recommends the use of Windows XP Professional over Windows XP Home Edition because of the management features that Windows XP Professional offers. These features allow agencies to control the configuration and patching of Windows XP Professional computers more easily than Windows XP Home Edition computers.

Windows XP Home Edition computers may need to protect the confidentiality or integrity of Federal information in storage (e.g., file encryption) or in transit (e.g., virtual private networks [VPN], secure access to Web pages). Such computers must use Federal Information Processing Standards (FIPS) approved cryptographic algorithms specified in FIPS or in NIST Recommendations and contained in validated cryptographic modules. The Cryptographic Module Validation Program (CMVP) at NIST coordinates FIPS testing. Users should install third-party products onto Windows XP Home Edition computers to provide
file encryption capabilities. Windows XP Professional systems include the
Encrypting File System (EFS), a file encryption feature. However, EFS can only encrypt files that are stored on the local Windows XP Professional system. If there is a need to protect files no matter where they are located, such as stored on CDs or e-mailed to others, then third-party encryption software would need to be used instead of EFS. Third-party encryption software is also needed if the user wants to decrypt files that were encrypted on another computer and provided to the user through e-mail, removable media, or other means.