NIST Security Configuration Checklists Repository

Windows 2000 Professional Operating System Level 2 Benchmark Consensus Baseline Security Settings Version 2.2.1

Name Windows 2000 Professional Operating System Level 2 Benchmark Consensus Baseline Security Settings Version 2.2.1
Version Version 2.2.1
Status Final
Creation Date 2002-07-17
Revision Date 2004-11-15
Product Category Operating System
Vendor Microsoft
Product Windows 2000 Professional Operating System
Product Version Windows 2000 Professional Operating System
Product Role Desktop operating system
Checklist Summary This document is a security benchmark for the Microsoft Windows 2000 Professional operating system for workstations. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS). Section 1 of this guide is a summary checklist of the configuration settings that constitute a Windows 2000 Professional compliant computer system. Appendix A is a questionnaire that can be used to put the trade-offs into perspective for each of the settings involved. Section 2 of this guide is written to provide contextual descriptions of each requirement for this benchmark. It gives plain-text details of what the setting means, why it is restricted, and what the consequences of restricting that setting may be. It covers the same information as Section 1 in greater detail.
Known Issues This guide provides CIS Level-2 benchmarks, which provide prudent security beyond the minimum level. The settings should be applied only to Windows 2000 workstation and server operating systems. The guide contains some security configuration recommendations that affect operating system function, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to OS functions and software applications running in their particular environments. Appendix D contains a list of known problematic settings.
Target Audience xxxx
Target Operational Environment Enterprise
Checklist Installation Tools In a network environment, with a Windows 2000 Active Directory Domain, Group Policy can be used to apply nearly all the settings described herein. Administrators and users can also use the Local Security Policy editor of individual servers and workstations to lock down their environment. A method involving the use of the Microsoft Security Configuration and Analysis Utility to automatically install the Win2kProGold_R1.2.inf template, which includes the security settings contained in this benchmark, is described in documentation that accompanies the CIS W2K scoring tool.
Rollback Capability Not Available.
Testing Information Not Available.
NIAP/CMVP Status  
Regulatory Compliance   
Comments, Warnings, Disclaimer, Miscellaneous
Refer to Known Issues.
Disclaimer Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind.
Product Support  
Submitting Organization/Authors The Center for Internet Security (CIS)
Point of Contact windows-feedback@cisecurity.org
Sponsor  
Licensing

Commercial use license

EDUCAUSE Member license

US Federal, state and local government agency license


Checklist Homepage http://www.cisecurity.org/
Download Package http://www.cisecurity.org/sub_form.html
Integrity sha1 (W2K-Pro-v2.2.1.pdf) = 942967407f1082e0612ede1ba0e35d0c3ac82b54

sha256 (W2K-Pro-v2.2.1.pdf) = 2f2a70f911d1bd7c8633315dc59483b1979f7898ceb8257f90b04b54358b5a56
Change History

Version 2.2.1: 2004-11-15
Version 2.2: 2004-10-05
Version 2.1.1: 2004-04-16
Version 2.1: 2004-04-02
Version 2.0.5: 2003-09-02
Version 2.0.4: 2003-08-13
Version 2.0.3: 2002-11-04
Version 2.0.2: 2002-10-25
Version 2.0.1: 2002-10-18
Version 2.0: 2002-10-04
Version 1.0: 2002-07-17

Dependency/Requirement  
References The Center for Internet Security - http://www.cisecurity.org

The SANS Institute - http://www.sans.org

National Security Agency Security Recommendation Guides - http://nsa1.www.conxion.com

Department of Defense recommendations - http://iase.disa.mil/stigs/index.html

Microsoft Windows Security - http://www.microsoft.com/security

Service Pack 2 Information - http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/

Current Critical Hotfixes - http://www.microsoft.com/windows2000/downloads/critical/

Microsoft Directory Services Client for Windows 9x/Me - http://www.microsoft.com/TechNet/prodtechnol/ntwrkstn/downloads/utils/dsclient.asp?frame=true

The CIS Scoring Tool that accompanies this document uses the Microsoft Network Security Hotfix Checker (HfNetChk), which is licensed to Microsoft by Shavlik Technologies - http://www.shavlik.com/

Windows NT Magazine article regarding editing the Registry - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winntas/tips/winntmag/inreg.asp

NIST Windows 2000 Security Guidelines - http://csrc.nist.gov/itsec/guidance_W2Kpro.html
NIST Identifier 1052



NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: June 1, 2005
Page created: October 28, 2004

Send comments or suggestions to checklists@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration