Archived NIST Technical Series Publication - Govinfo.gov


Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication
Series/Number: NIST Special Publication 800-68
Title: Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
Publication Date(s): October 2005
Withdrawal Date: October 2008
Withdrawal Note: SP 800-68 is superseded in its entirety by the publication of SP 800-68 Revision 1 (October 2008).

Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: NIST Special Publication 800-68 Revision 1
Title: Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
Author(s): Karen Scarfone, Murugiah Souppaya, Paul M. Johnson
Publication Date(s): October 2008

Additional Information (if applicable)
Contact: Computer Security Division (Information Technology Lab)
Latest revision of the attached publication: SP 800-68 Revision 1 (as of August 6, 2015)
Related information: N/A
Withdrawal announcement: N/A
Date updated: August 6, 2015

National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Special Publication 800-68
Sponsored by the Department of Homeland Security

Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist

Recommendations of the National Institute of Standards and Technology

Murugiah Souppaya
Karen Kent
Paul M. Johnson

2005

NIST Special Publication 800-68

Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist

Recommendations of the National Institute of Standards and Technology

Murugiah Souppaya
Karen Kent
Paul M. Johnson

COMPUTER SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

October 2005

U.S. Department of Commerce
Carlos M. Gutierrez, Secretary

Technology Administration
Michelle O'Neill, Acting Under Secretary of Commerce for Technology

National Institute of Standards and Technology
William A. Jeffrey, Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-68
Natl. Inst. Stand. Technol. Spec. Publ. 800-68, 168 pages (October 2005)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors, Murugiah Souppaya of the National Institute of Standards and Technology (NIST) and Karen Kent and Paul M. Johnson of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge Chris Enloe, Tim Grance, Arnold Johnson, Larry Keys, Kathy Ton-nu, and John Wack of NIST; Robert Chang, Anthony Harris, and Richard Park of Booz Allen Hamilton; and Kurt Dillard of Microsoft for their keen and insightful assistance throughout the development of the document. The authors would also like to express their thanks to the reviewers of the draft publication for their particularly valuable comments and suggestions, in particular Dean Farrington (Wells Fargo Bank), Nathan Look (Los Angeles Department of Water and Power), James McKeithen, W. Warren Pearce (Air Force Satellite Control Network), Peter Tracy (Belarc), the Department of Energy, the Internal Revenue Service, and the Social Security Administration.

Additionally, the authors also thank the Department of Homeland Security (DHS), the Defense Information Systems Agency (DISA), the Center for Internet Security (CIS), the National Security Agency (NSA), the United States Air Force (USAF), Microsoft Corporation, and other individuals for their valuable contributions to the baseline security templates and continued hard work to improve security in this and other similar efforts.

The National Institute of Standards and Technology would also like to express its appreciation and thanks to the Department of Homeland Security for its sponsorship and support of NIST SP 800-68.

Trademark Information

Microsoft, Windows, Windows XP, Windows 2000, Windows NT, Internet Explorer, Microsoft Office, Outlook, Outlook Express, and Microsoft Word are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

Netscape and Netscape Browser are registered trademarks of Netscape Communications Corporation.

Eudora and Qualcomm are registered trademarks of Qualcomm Incorporated.

Symantec, Symantec Norton Personal Firewall 2005, and Symantec Antivirus are registered trademarks of Symantec Corporation.

Sygate Personal Firewall Pro 5.5 is a trademark of Sygate Technologies, Inc.

McAfee, VirusScan, and Network Associates are registered trademarks or trademarks of Network Associates Technology, Inc.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc.

ZoneAlarm and ZoneAlarm Pro are registered trademarks of Zone Labs, L.L.C.

Internet Security Systems is a trademark, and BlackICE is a registered trademark, of Internet Security Systems, Inc.

Ad-Aware and Lavasoft are registered trademarks of Lavasoft.

Spybot - Search & Destroy 1.4 is copyrighted by Patrick M. Kolla.

All other names are registered trademarks or trademarks of their respective companies.

Table of Contents
(Page numbers were lost in scanning and are omitted; entries that were cut off in the scan are shown with "...".)

Executive Summary
1. Introduction
   1.1 Authority
   1.2 Purpose and Scope
   1.3 Audience
   1.4 Document Structure
2. Windows XP Security Guide Development
   2.1 Windows XP System Roles and Requirements
   2.2 Security Categorization of Information and Information ...
   2.3 Baseline Security Controls and Threat Analysis Refinement
       2.3.1 Local Threats
       2.3.2 Remote Threats
   2.4 Environments and Security Controls ...
       2.4.1 SOHO
       2.4.2 Enterprise
       2.4.3 Specialized Security-Limited Functionality
       2.4.4 Legacy
       2.4.5 Security ...
   2.5 Implementation and Testing of Security Controls
   2.6 Monitoring and ...
   2.7 Summary of Recommendations
3. Windows XP Security Components Overview
   3.1 New Features in Windows XP
       3.1.1 Networking Features
       3.1.2 Authentication and Authorization
       3.1.3 Other
   3.2 Security Features Inherited from Windows 2000
       3.2.1 Kerberos
       3.2.2 Smart Card Support
       3.2.3 Internet Connection Sharing
       3.2.4 Internet Protocol Security
       3.2.5 Encrypting File System
4. Installation, Backup, and Patching
   4.1 Performing a New Installation
       4.1.1 Partitioning Advice
       4.1.2 Installation Methods
   4.2 Backing Up Systems
   4.3 Updating Existing Systems
       4.3.1 Update Notification
       4.3.2 Microsoft Update Types
       4.3.3 Automatic Updates
       4.3.4 Microsoft Update
       4.3.5 ... Managed Environments
   4.4 Identifying Security Issues
   4.5 Summary of Recommendations
5. Overview of the Windows XP Security Policy Configuration and Templates
   5.1 Windows XP Security Templates
   5.2 Analysis and Configuration
   5.3 Group Policy Distribution
   5.4 Administrative Templates
   5.5 Summary of Recommendations
6. NIST Windows XP Template Settings
   6.1 Account Policies
   6.2 Local Policies
       6.2.1 Audit Policy
       6.2.2 User Rights Assignment
       6.2.3 Security Options
   6.3 Event Log Policies
   6.4 Restricted Groups
   6.5 System Services
   6.6 File Permissions
   6.7 Registry Permissions
   6.8 Registry ...
       6.8.1 Automatic Functions
       6.8.2 Networking
       6.8.3 Other Template Settings
   6.9 Settings Not In the NIST Templates
   6.10 Summary of Recommendations
7. Windows XP Configuration Guidance
   7.1 Filesystem Security
       7.1.1 NTFS
       7.1.2 Folder Options
       7.1.3 Show ...
       7.1.5 Storage Device Sanitization and Disposal
   7.2 User Accounts and Groups
       7.2.1 Built-in Accounts
       7.2.2 Built-in Groups
       7.2.3 Daily Use Accounts
       7.2.4 Local Session Protection
       7.2.5 Password Reset Disk
   7.3 Auditing
       7.3.1 Individual File Auditing
       7.3.2 Reviewing Audit Logs
       7.3.3 Time ...
   7.4 Software Restriction Policy
   7.5 Securing Network Interfaces
       7.5.1 Unneeded Networking Components
       7.5.2 Use of Port 445
       7.5.3 TCP/IP Configuration
   7.6 Windows Firewall
   7.7 IPsec
   7.8 Wi-Fi Network Configuration
   7.9 Memory Files
   7.10 Summary of Recommendations
8. Application Specific Security Configuration Guidance
   8.1 Productivity Application Suites
       8.1.1 Microsoft Office 2003
       8.1.2 OpenOffice 1.1.5
   8.2 Web Browsers
       8.2.1 Microsoft Internet Explorer 6.0
       8.2.2 Netscape Browser 8.0
       8.2.3 Mozilla 1.7.11
       8.2.4 Firefox 1.0.7
   8.3 E-mail Clients
       8.3.1 Microsoft Outlook 2003
       8.3.2 Microsoft Outlook Express 6
       8.3.3 Eudora 6.2.1
       8.3.4 Mozilla 1.7.11
       8.3.5 Thunderbird 1.0.6
   8.4 Personal Firewalls
       8.4.1 ZoneAlarm Pro 5.5
       8.4.2 BlackICE PC Protection 3.6
       8.4.3 Norton Personal Firewall 2005
       8.4.4 Sygate Personal Firewall Pro 5.5
   8.5 Antivirus Software
       8.5.1 Symantec Antivirus 10.0
       8.5.2 McAfee VirusScan 8.0i
       8.5.3 Sophos Anti-Virus 5.0.5
   8.6 Spyware Detection and Removal Utilities
       8.6.1 Ad-Aware SE Personal
       8.6.2 Spybot - Search & Destroy 1.4
       8.6.3 Microsoft Windows AntiSpyware
   8.7 ... Together

List of Appendices
Appendix A — NIST Security Template Settings
   A.1 Account Policies
   A.2 Local Policies
   A.3 Event Log Policies
   A.4 Restricted Groups
   A.5 System Services
   A.6 File Permissions
Appendix B — Mapping Windows XP Controls to NIST SP 800-53
   B.1 Management Controls
   B.2 Operational Controls
   B.3 Technical Controls
Appendix C — Commonly Used TCP/IP Ports on Windows XP Systems
Appendix D — Tools
Appendix E — Resources
   E.1 Related NIST Documents and Resources
   E.2 Vulnerability Databases
   E.3 Mailing Lists
   E.4 Print Resources
   E.5 Web-Based Resources
       E.5.1 General Windows XP Resources
       E.5.2 General Security Resources
       E.5.3 General Windows XP Security Resources
       E.5.4 Specific Windows XP Security Topics
       E.5.5 Microsoft Knowledge Base Articles
   E.6 Other Web-Based Resources
Appendix F — Acronyms
Appendix G — Index

List of Figures
Figure 2-1. The Facets of Windows XP Security
Figure 2-2. Typical SOHO Network Architecture
Figure 2-3. Typical Enterprise Network Architecture
Figure 7-1. Disk Management
Figure 7-2. Folder Options Dialog Boxes
Figure 7-3. Set Password Dialog Box
Figure 7-4. File Auditing
Figure 8-1. OpenOffice Security Settings
Figure 8-2. Firefox Privacy Settings

List of Tables
Table 6-1. System Wide Audit Policy Description
Table 6-2. Additional Registry Values
Table 7-1. Default User Accounts
Table 7-2. Default Local Groups
Table 7-3. Enable TCP/IP Port Filtering
Table A-1. Password Policy Settings
Table A-2. Account Lockout Policy Settings
Table A-3. Audit Policy Settings
Table A-4. User Rights Assignment Settings
Table A-5. Security Options Settings
Table A-6. Event Log Policy Settings
Table A-7. Restricted Groups Settings
Table A-8. System Services Settings
Table A-9. File Permission Settings
Table B-1. Certification, Accreditation, and Security Assessments (CA) Family Controls
Table B-2. Planning (PL) Family Controls
Table B-3. Risk Assessment (RA) Family Controls
Table B-4. System and Services Acquisition (SA) Family Controls
Table B-5. Awareness and Training (AT) Family Controls
Table B-6. Configuration Management (CM) Family Controls
Table B-7. Contingency Planning (CP) Family Controls
Table B-8. Incident Response (IR) Family Controls
Table B-9. Maintenance (MA) Family Controls
Table B-10. Media Protection (MP) Family Controls
Table B-11. Personnel Security (PS) Family Controls
Table B-12. Physical and Environmental Protection (PE) Family Controls
Table B-13. System and Information Integrity (SI) Family Controls
Table B-14. Access Control (AC) Family Controls
Table B-15. Audit and Accountability (AU) Family Controls
Table B-16. Identification and Authentication (IA) Family Controls
Table B-17. System and Communications Protection (SC) Family Controls
Table C-1. Commonly Used TCP/IP Ports
Table D-1. Windows XP Tools

Executive Summary

When an IT security configuration checklist (e.g., hardening or lockdown guide) is applied to a system in combination with trained system administrators and a sound and effective security program, a substantial reduction in vulnerability exposure can be achieved. Accordingly, the National Institute of Standards and Technology (NIST) has produced Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist to assist personnel responsible for the administration and security of Windows XP systems. This guide contains information that can be used to secure local Windows XP workstations, mobile computers, and telecommuter systems more effectively in a variety of environments, including small office, home office (SOHO) and managed enterprise environments. The guidance should only be applied throughout an enterprise by trained and experienced system administrators.

The guidance presented in this document is applicable only to Windows XP Professional systems running Service Pack 2. Released in August 2004, Service Pack 2 contains many changes that may impact security and system and application functionality; accordingly, it is considered a major upgrade to Windows XP. The recommendations in this guide should not be applied to systems running anything other than Service Pack 2. Also, NIST will release a separate guidance document for securing Windows XP Home systems running Service Pack 2.

This guide provides detailed information about the security of Windows XP, security configuration guidelines for popular applications, and security configuration guidelines for the Windows XP operating system. The guide documents the methods that system administrators can use to implement each security setting recommended. The principal goal of the document is to recommend and explain tested, secure settings for Windows XP workstations with the objective of simplifying the administrative burden of improving the security of Windows XP systems in four types of environments: SOHO, enterprise, and two custom environments, specialized security-limited functionality and legacy.

- SOHO. SOHO, sometimes called Standalone, describes small, informal computer installations that are used for home or business purposes. SOHO encompasses a variety of small-scale environments and devices, ranging from laptops, mobile devices, and home computers, to telecommuting systems located on broadband networks, to small businesses and small branch offices of a company. Historically, SOHO environments are the least secured and most trusting. Generally, the individuals performing SOHO system administration are not knowledgeable about security. This often results in environments that are less secure than they need to be because the focus is generally on functionality and ease of use.

- Enterprise. Enterprise environments, sometimes referred to as Managed environments, are structured in terms of hardware and software configurations and protect their systems from threats on the Internet with firewalls and other network security devices. Enterprise environments generally have a group dedicated to supporting users and providing security. The combination of structure and skilled staff allows better security practices to be implemented during initial system deployment and in ongoing support and maintenance, and for a consistent security posture to be maintained across the enterprise.

- Specialized Security-Limited Functionality. A specialized security-limited functionality environment is at high risk of attack or data exposure, and therefore security takes precedence over usability. This environment encompasses computers that are usually limited in their functionality to specific specialized purposes. They may contain highly confidential information (e.g., personnel records, medical records, financial information) or perform vital organizational functions (e.g., accounting, payroll processing). Typically, providing sufficiently strong protection for these systems involves a tradeoff between security and functionality based on the premise that any more functionality than is strictly necessary provides more opportunity for exploitation. Thus, a significant reduction in system functionality and a higher risk of applications breaking with increased support cost usually occurs in this environment. A specialized security-limited functionality environment could be a subset of another environment. While some SOHO users understandably might want to choose this environment due to concern for being as secure as possible, this environment is usually not advised for most SOHO users administering their own systems due to the severe tradeoffs and administrative complexity. In most cases, the specialized security-limited functionality environment is also not suitable for widespread enterprise usage.

- Legacy. A legacy environment contains older systems or applications that often use older, less secure communication mechanisms. Other machines operating in a legacy environment may need less restrictive security settings so that they can communicate with legacy systems and applications. Using legacy services increases the potential risk of security breaches, as does lowering the security profile of other systems that need to interact with legacy systems. Legacy environments may exist within SOHO and enterprise environments, and in rare cases within specialized security-limited functionality environments as well.

This guide includes security templates that will enable system administrators to apply the security recommendations rapidly. The NIST Windows XP Security Templates are text-based configuration files that specify values for security-relevant system settings. The security templates modify several key policy areas of a Windows XP system, including password policy, account lockout policy, auditing policy, user rights assignment, system security options, event log policy, system service settings, and file permissions. The NIST template for Specialized Security-Limited Functionality environments represents the consensus settings from the Center for Internet Security (CIS), Defense Information Systems Agency (DISA), Microsoft, NIST, the National Security Agency (NSA), and the United States Air Force (USAF). The other NIST templates are based on Microsoft's templates and recommendations.

By implementing the recommendations described throughout this publication, in addition to the NIST Windows XP security templates themselves and general prescriptive recommendations, organizations should be able to meet the baseline requirements for Windows XP systems. This is based upon the management, operational, and technical security controls described in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems.

Although the guidance presented in this document has undergone considerable testing, every system and environment is unique, so system administrators should perform their own testing. The development of the NIST Windows XP Security Templates was driven by the need to create more secure Windows XP workstation configurations. Because some settings in the templates may reduce the functionality or usability of the system, caution should be used when applying the baseline security templates. Specific settings in the templates should be modified as needed (with due consideration of the security implications) so that the settings conform to local policies and support required system functionality. NIST strongly recommends that organizations fully test the templates on representative systems before widespread deployment. Some settings may inadvertently interfere with applications, particularly legacy applications that may require a less restrictive security profile.

Windows XP provides multiple ways to deploy templates to systems. The Security Configuration and Analysis Microsoft Management Console (MMC) snap-in can be used to apply a template to a local system, and to compare a template's settings to the existing settings on a system and identify discrepancies. In a Windows XP domain environment, the Group Policy Editor can be used to distribute security settings quickly from templates to computers in an Active Directory Organizational Unit (OU). Microsoft also offers the Group Policy Management Console (GPMC) for managing Group Policy for multiple domains. The GPMC can be used to import, edit, and apply security templates to Windows systems throughout an enterprise, which is ideal for a managed environment.

The security configuration guidance provided in this document was tested on clean Windows XP installations. NIST recommends that system administrators build their systems from a clean formatted state to begin the process of securing Windows XP workstations. NIST also recommends that the security configuration be performed on a secure network segment or off the organization's network until the installation process is completed, all patches are applied, and strong passwords are set for all accounts. After the Windows XP operating system (OS) has been installed and securely configured, it should be regularly monitored and patched when necessary to mitigate software vulnerabilities as dictated by the patch or software control and change policy and procedures. There are three main methods for updating Windows systems: service packs, hotfixes, and security rollups. The Windows service pack, which provides improvements and replacements to OS components, includes all hotfixes that were released before the service pack cutoff date. Hotfixes are released rapidly when a vulnerability or problem is discovered within Windows systems or Microsoft applications. Security rollups contain several previously released hotfixes in a single bundle. Once Microsoft releases a service pack, security rollup, or hotfix, it should be tested thoroughly and applied to all systems within an organization as soon as possible.

This guidance document also includes recommendations for configuring common Windows applications. The application types include office productivity tools, Web browsers, e-mail clients, personal firewalls, antivirus software, and spyware detection and removal utilities. This list is not intended to be a complete list of applications to install on Windows XP, nor does it imply NIST's endorsement of particular products. Many of the configuration recommendations for the Windows applications focus on deterring viruses, worms, Trojan horses, and other types of malware. The guide presents recommendations to protect the Windows XP system from malware when the applications are being used.

This document provides recommendations to assist organizations in making their Windows XP systems more secure. The settings and recommendations provide system administrators with the information necessary to modify the settings and to comply with local policy or special situations. The baseline recommendations and settings provide a high level of security for Windows XP Professional systems when used in conjunction with a sound and comprehensive local security policy and other relevant security controls. The guidelines are also appropriate for managed environments that are configuring and deploying laptops for mobile users and desktop computers for telecommuters.
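The Executive Summary describes the NIST templates as text-based configuration files and names two deployment paths: applying a template to a local system and comparing a template against the system's current settings to find discrepancies. The command-line counterpart of the Security Configuration and Analysis snap-in on Windows XP is secedit.exe, and the batch script below is an added example (it is not one of the NIST templates and not code from this publication) showing both steps. The template it writes is a constructed minimal one covering only password, lockout and audit policy with illustrative values; the file names under %TEMP% and the chosen setting values are assumptions for the example, not NIST's recommended settings.

```batch
@echo off
rem Constructed example: build a minimal security template, compare it
rem with the local system (no changes made), then optionally apply it.
rem File names and setting values below are illustrative assumptions.
setlocal
set TPL=%TEMP%\example-baseline.inf
set DB=%TEMP%\example-baseline.sdb
set LOG=%TEMP%\example-analyze.log

rem --- 1. Write the template. The Security Templates snap-in produces
rem        Unicode .inf files; the section and value names used here are
rem        the standard ones secedit reads. Audit values: 0 = no auditing,
rem        1 = success, 2 = failure, 3 = success and failure.
> "%TPL%"  echo [Version]
>> "%TPL%" echo signature="$CHICAGO$"
>> "%TPL%" echo Revision=1
>> "%TPL%" echo [System Access]
>> "%TPL%" echo MinimumPasswordLength = 8
>> "%TPL%" echo PasswordComplexity = 1
>> "%TPL%" echo MaximumPasswordAge = 90
>> "%TPL%" echo LockoutBadCount = 10
>> "%TPL%" echo LockoutDuration = 15
>> "%TPL%" echo ResetLockoutCount = 15
>> "%TPL%" echo [Event Audit]
>> "%TPL%" echo AuditLogonEvents = 3
>> "%TPL%" echo AuditAccountLogon = 3
>> "%TPL%" echo AuditPolicyChange = 3

rem --- 2. Analyze: import the template into a fresh database and compare
rem        it against the current system settings. Nothing is changed;
rem        discrepancies are recorded in the log, and opening the .sdb in
rem        the Security Configuration and Analysis snap-in shows the same
rem        comparison graphically.
if exist "%DB%" del "%DB%"
secedit /analyze /db "%DB%" /cfg "%TPL%" /log "%LOG%"
echo Settings that differ from the template:
findstr /i "mismatch" "%LOG%"

rem --- 3. Configure: apply only the SECURITYPOLICY area (account and
rem        audit policy) from the same database. Left commented out so the
rem        script is read-only by default; run it on a representative test
rem        system first, as the guide recommends, then remove the "rem".
rem secedit /configure /db "%DB%" /cfg "%TPL%" /areas SECURITYPOLICY /log "%TEMP%\example-configure.log"
endlocal
```

Run the script from an administrative command prompt on the test system. Step 2 is the equivalent of the snap-in's "Analyze Computer Now"; step 3 corresponds to "Configure Computer Now" restricted to one policy area. In a domain, the same template would instead be imported into a Group Policy Object under Computer Configuration, Windows Settings, Security Settings, so that the Group Policy Editor or GPMC distributes it to the OU.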


1. Introduction

1.1 Authority

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), "Securing Agency Information Systems," as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired.

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.

1.2 Purpose and Scope

This publication seeks to assist IT professionals in securing Windows XP workstations, Windows XP mobile computers, and Windows XP computers used by telecommuters within various environments. This guidance should only be applied throughout an enterprise by trained and competent system administrators. Although some of the guidance presented in this document may be applicable to multiple versions of Windows XP, the guidance is specifically intended for Windows XP Professional systems running Service Pack 2.[1]

The guide provides detailed information about the security features of Windows XP, security configuration guidelines for popular applications, and security configuration guidelines for the Windows XP operating system. The guide documents the methods that IT professionals can use to implement each security setting recommended. The principal goal of the document is to recommend and explain tested, secure settings for Windows XP workstations with the objective of simplifying the administrative burden of improving the security of Windows XP systems in four types of environments: SOHO, enterprise, specialized security-limited functionality, and legacy. The proposed controls are consistent with the minimum security controls for an IT system as represented in the NIST SP 800-53 publication. This guide and its associated templates have been created in support of the NIST Security Configuration Checklists Program for IT Products.[2]

[1] Released in August 2004, Service Pack 2 (SP2) contains many changes that may impact security and system and application functionality. For more information, see Microsoft's Windows XP SP2 Web site (the URL is not legible in the scanned source). NIST will release a separate guidance document for securing Windows XP Home systems running SP2.

[2] For more information on the program, see NIST SP 800-70, Security Configuration Checklists Program for IT Products, available at http://checklists.nist.gov/.

1.3 Audience

This document has been created for IT professionals, particularly Windows XP system administrators and information security personnel. The document assumes that the reader has experience installing and administering Windows-based systems in domain or standalone configurations. The document discusses in technical detail various Windows XP security registry and application settings.

1.4 Document Structure

Throughout this guide, filenames, menu items, and options are indicated through bold text (e.g., Remember my password). The remainder of this document is organized into eight major sections, followed by seven appendices.

- Section 2 provides insight into the threats and security controls that are relevant for various environments, such as a large enterprise or a home office, and describes the need to document, implement, and test controls, as well as monitor and maintain systems on an ongoing basis.

- Section 3 presents an overview of the security components offered by Windows XP.

- Section 4 provides guidance on installing, backing up, and patching Windows XP systems.

- Section 5 discusses security policy configuration and how the NIST security templates can best be used.

- Section 6 provides an overview of the settings in the NIST security templates and explains how the settings can provide better security for systems.

- Section 7 discusses Sec
