Windows XP Professional Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Baseline Security Settings
| Field | Value |
|---|---|
| Name | Windows XP Professional Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Baseline Security Settings |
| Version | 2.01 |
| Status | Final |
| Creation Date | 2005-09-09 |
| Revision Date | 2005-09-09 |
| Product Category | Operating System |
| Vendor | Microsoft |
| Product | Windows XP Professional |
| Product Version | Windows XP Professional |
| Product Role | Desktop client |
| Checklist Summary | This document is a security benchmark for the Microsoft Windows XP Professional operating system for workstations. It reflects the content of the Consensus Baseline Security Settings document developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), The SANS Institute, and the staff and members of the Center for Internet Security (CIS). Section 1 of this guide is a summary checklist of the configuration settings that constitute a Windows XP Professional compliant computer system. Appendix A is a questionnaire that can be used to put the trade-offs into perspective for each of the settings involved. Section 2 of this guide provides contextual descriptions of each requirement for this benchmark: plain-text details of what the setting means, why it is restricted, and what the consequences of restricting that setting may be. It covers the same information as Section 1 in greater detail. |
| Known Issues | xxxx |
| Target Audience | xxxx |
| Target Operational Environment | Enterprise |
| Checklist Installation Tools | In a network environment with a Windows 2000 or Windows 2003 Active Directory domain, Group Policy can be used to apply nearly all the settings described herein. Administrators and users can also use the Local Security Policy editor of individual workstations to lock down their environment. A method using the Microsoft Security Configuration and Analysis utility to automatically install the CIS-WinXP-Legacy-v1.x.x.inf, CIS-WinXP-Enterprise-Desktop-v1.x.x.inf, CIS-WinXP-Enterprise-Mobile-v1.x.x.inf, and CIS-WinXP-SpecSec-v1.x.x.inf templates, which include the security settings contained in this benchmark, is described in the documentation that accompanies the CIS Windows scoring tool. |
| Rollback Capability | Not Available. |
| Testing Information | Not Available. |
| NIAP/CMVP Status | |
| Regulatory Compliance | |
| Comments, Warnings, Disclaimer, Miscellaneous | Refer to Known Issues. |
| Disclaimer | Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind. |
| Product Support | |
| Submitting Organization/Authors | The Center for Internet Security (CIS) |
| Point of Contact | windows-feedback@cisecurity.org |
| Sponsor | |
| Licensing | Commercial use license; EDUCAUSE Member license; US Federal, state and local government agency license |
| Checklist Homepage | http://www.cisecurity.org/ |
| Download Package | http://www.cisecurity.org/sub_form.html |
| Integrity | sha1 (CIS_WindowsXP_Benchmark_v2.01.pdf) = 59fa39c6c3035c423c96bc7698734b7f25de9cab; sha256 (CIS_WindowsXP_Benchmark_v2.01.pdf) = aa7317bbe58522259ccadb5ca2f09617ee4e972ece0ea6fe39652d800f0294be |
| Change History | Version 2.01: 2005-09-09; Version 1.3: 2004-10-20; Version 1.2.1: 2004-10-03; Version 1.2: 2004-09-03; Version 1.1.2: 2004-03-13; Version 1.0: 2003-11-06 |
| Dependency/Requirement | |
| References | The Center for Internet Security - http://www.cisecurity.org/; The SANS Institute - http://www.sans.org/; National Security Agency Security Recommendation Guides - http://nsa1.www.conxion.com/; Department of Defense recommendations - http://iase.disa.mil/stigs/index.html; Microsoft Windows Security - http://www.microsoft.com/security/; Windows XP Security Guide - http://go.microsoft.com/fwlink/?LinkId=14839; Server 2003 Security Guide - http://go.microsoft.com/fwlink/?LinkId=14845; Threats and Countermeasures Guide - http://go.microsoft.com/fwlink/?LinkId=15159; Microsoft Directory Services Client for Windows 9x/Me - http://www.microsoft.com/TechNet/prodtechnol/ntwrkstn/downloads/utils/dsclient.asp?frame=true; the CIS Scoring Tool that accompanies this document uses the Microsoft Network Security Hotfix Checker (HfNetChk), which is licensed to Microsoft by Shavlik Technologies - http://www.shavlik.com/; Windows NT Magazine article regarding editing the Registry - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winntas/tips/winntmag/inreg.asp; NIST Windows 2000 Security Guidelines - http://csrc.nist.gov/itsec/guidance_W2Kpro.html |
| NIST Identifier | 1055 |
NIST and the checklist submitter do not guarantee or warrant the checklist's
accuracy or completeness. NIST is not responsible for loss, damage, or
problems that may be caused by using the checklist.