of the Guidance for Securing Microsoft Windows XP Home Edition:
A NIST Security Configuration Checklist - Special Publication 800-69
NIST is pleased to announce
the release of Special Publication 800-69, Guidance for Securing
Microsoft Windows XP Home Edition: A NIST Security Configuration
Checklist. SP 800-69 provides guidance to home users, such as telecommuting
Federal employees, on improving the security of their home computers
that run Windows XP Home Edition. Home computers face many threats
from people wanting to cause mischief and disruption, commit fraud,
and perform identity theft. The publication explains the need to
use a combination of security protections, such as antivirus software,
antispyware software, a personal firewall, limited user accounts,
and automatic software updates, to secure a computer against threats
and maintain its security. It also emphasizes the importance of
performing regular backups to ensure that user data is available
after an adverse event such as an attack against the computer, a
hardware failure, or human error. The publication contains detailed
step-by-step directions for securing Windows XP Home Edition computers
that can be performed by experienced Windows XP Home Edition users.
and questions may be addressed to to email@example.com.
Asked Questions - FAQ
did NIST develop this publication?
It is a complicated and time-consuming task for home users
and even experienced system administrators to know what a
reasonable set of security settings is for a complex operating
system such as Windows XP Home Edition. NIST sought to make
this task simpler, easier, and more secure by developing this
publication. NIST maintains that the settings make a substantial
improvement in the security posture of Windows XP Home Edition
does the SP 800-69 relate to the NIST Security Configuration
Checklist For IT Products program?
The guide represents a typical security configuration checklist
that is included in the NIST program's checklist repository.
It is consistent with the criteria outlined in the Special
Publication 800-70, The NIST Security Configuration Checklist
for IT Products Program. It was produced using the guidelines
and security principles referenced in SP 800-70.
was the publication developed?
The publication was developed by NIST. It is partially based
on SP 800-68, Guidance for Securing Microsoft Windows XP Systems
for IT Professionals, which in turn is based on excellent
material developed by the National Security Agency (NSA),
DISA (Defense Information Systems Agency), U.S. Air Force
(USAF), Microsoft, and other members of the security community.
is the intended audience?
The intended audience is Windows XP Home Edition users and
IT professionals, particularly Windows XP system administrators
and information security personnel who are responsible for
securing Windows XP Home Edition computers used by telecommuters.
a Windows XP Professional, Windows 95, Windows 98, Windows NT,
Windows Millennium Edition, or Windows 2000 computer. Should
I apply the recommendations in the publication to my computer?
No. These recommendations may break your system. The recommendations
should be applied only to Windows XP Home Edition computers.
I perform a full backup before applying the recommendations?
Yes. perform a full system backup before applying the recommendations.
Although the recommendations have been tested, it is likely
that the recommendations may cause conflict between settings
and particular applications.
going to keep this up-to-date?
Yes. It will be updated periodically as needed to reflect
the most current recommended settings.
Should I make changes to the recommended settings?
Given the wide variation in operational and technical considerations,
some local changes might need to be made to the settings (with
the number of settings, a myriad of applications, and the
variety of business functions supported by Windows XP systems,
this should be expected). Of course, use caution and good
judgment in making changes to the security settings. Always
test the settings, document the implemented settings, and
perform a full system backup before applying the settings.
Are there other protective measures that should be taken
besides applying the recommended settings?
Yes. In addition to changing Windows XP Home Edition settings
to strengthen the operating system's security, protective
measures such as antimalware software and file encryption
software may also need to be added to reduce the likelihood
of compromises of the computers and any sensitive data they
may contain. Users of Windows XP Home Edition computers should
also safeguard their physical security, such as keeping laptops
in a secure location when unattended. Federal agencies should
also ensure that Windows XP Home Edition computers used as
devices or for remote access comply with the additional protective
measures described in Office of Management and Budget (OMB)
Memorandum M-06-16, Protection of Sensitive Agency Information,
which is available at http://www.whitehouse.gov/omb/memoranda/.
NIST endorsing or mandating the use of the Windows XP Systems
or requiring each setting be applied as stated?
No. NIST does not endorse the use of any particular product
or system. NIST is not mandating the use of the Windows XP
systems nor is NIST establishing conditions or prerequisites
for Federal agency procurement or deployment of any system.
NIST is not precluding any Federal agency from procuring or
deploying other computer hardware or software systems for
which NIST has not developed a publication or a security configuration
For agencies that want to deploy Windows XP computers for
their telecommuters, NIST recommends the use of Windows XP
Professional over Windows XP Home Edition because of the management
features that Windows XP Professional offers. These features
allow agencies to control the configuration and patching of
Windows XP Professional computers more easily than Windows
XP Home Edition computers.
a federal employee and use my personal Windows XP Home Edition
system occasionally to process organizational information. How
do I protect sensitive information on my Windows XP Home Edition?
Windows XP Home Edition computers may need to protect the
confidentiality or integrity of Federal information in storage
(e.g., file encryption) or in transit (e.g., virtual private
networks [VPN], secure access to Web pages). Such computers
must use Federal Information Processing Standards (FIPS) approved
cryptographic algorithms specified in FIPS or in NIST Recommendations
and contained in validated cryptographic modules. The Cryptographic
Module Validation Program (CMVP) at NIST coordinates FIPS
testing. Users should install third-party products onto Windows
XP Home Edition computers to provide
file encryption capabilities. Windows XP Professional systems
Encrypting File System (EFS), a file encryption feature. However,
EFS can only encrypt files that are stored on the local Windows
XP Professional system. If there is a need to protect files
no matter where they are located, such as stored on CDs or
e-mailed to others, then third-party encryption software would
need to be used instead of EFS. Third-party encryption software
is also needed if the user wants to decrypt files that were
encrypted on another computer and provided to the user through
e-mail, removable media, or other means.
Notification of Updates
If you would
like to be notified of updates to the Special Publication 800-69,
send an e-mail message to firstname.lastname@example.org
with the words subscribe SP 800-69 in the subject line.