Slashdot Mirror


NIST Issues Windows XP Security Guide

routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."

17 of 253 comments

  1. Format, install Linux... by PeterPumpkin · · Score: 2, Informative

    ...install VMWare, run XP from inside the sandbox :D

  2. Looks very useful at first glance by Marxist+Hacker+42 · · Score: 5, Informative

    Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Looks very useful at first glance by mst76 · · Score: 4, Informative
      Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).
      There is plenty of information around if you know the right queries.
    2. Re:Looks very useful at first glance by SquadBoy · · Score: 2, Informative

      But of course the first thing you did was to run nmap and Nessus against your shiny new XP box and then search on the ports that they found.

      Or maybe I'm just a freak.....

      But yeah, info and lots of it in one place is a *very* good thing. But it sounded like the grandparent knew it was there, did not like it, had done nothing and was all out of ideas.

      Or like I said maybe I'm just a freak...

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
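Marxist Hacker's remark about port 445 and SquadBoy's advice to run nmap and Nessus against a fresh XP box both come down to the same check: what is the box actually listening on before you trust it on a LAN? The following is an added example, not code from the page or from NIST SP 800-68, that does the minimal version of that check in Python: a TCP connect probe of the three Windows file-sharing ports. The local listener and the "free port" helper are constructed fixtures so the probe can be exercised offline; the port-to-service names are the standard IANA ones and are not taken from the page. Run it only against hosts you own or are authorised to test.

```python
"""Connect-probe a host for the Windows file-sharing ports.

Added example, not code from the page or from NIST SP 800-68. It stands
in for the nmap/Nessus run the commenter describes: complete a TCP
handshake to each port and report what answered.
"""
import socket
import sys
import threading

# Ports an XP box with File and Printer Sharing enabled listens on:
# 135 = RPC endpoint mapper, 139 = NetBIOS session service,
# 445 = SMB directly over TCP (the "replacement NetBIOS port").
SHARING_PORTS = {135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds"}


def probe_port(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout.

    A refused connection (RST) and a silently dropped SYN (host firewall)
    both come back False; unlike nmap, this does not tell them apart.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host, ports, timeout=1.0):
    """Map each port in `ports` to True (open) or False (closed/filtered)."""
    return {port: probe_port(host, port, timeout) for port in ports}


def report(host, results, names=SHARING_PORTS):
    """One human-readable line per probed port, sorted by port number."""
    lines = []
    for port in sorted(results):
        state = "OPEN" if results[port] else "closed/filtered"
        lines.append(f"{host}:{port} ({names.get(port, '?')}) {state}")
    return lines


# --- constructed fixtures so the probe can be exercised offline ----------

def local_listener():
    """Start a throwaway TCP listener on 127.0.0.1; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        # Accept and immediately drop connections until the socket dies.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Return a port on 127.0.0.1 that nothing is listening on right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe one listening and one closed local port; return (open, closed)."""
    srv, open_port = local_listener()
    try:
        closed_port = free_port()
        results = probe_ports("127.0.0.1", [open_port, closed_port])
        return results[open_port], results[closed_port]
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wake the accept() loop on Linux
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for line in report(target, probe_ports(target, SHARING_PORTS)):
        print(line)
```

Two caveats a practitioner should keep in mind: a connect probe only covers TCP, so the NetBIOS name and datagram services on UDP 137/138 are not checked, and a port reported as closed/filtered may simply be behind a host firewall that drops the SYN. If you want the open/closed/filtered distinction, that is what the nmap run in the comment gives you.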
  3. Actually has some good points by grunt107 · · Score: 5, Informative

    There are some areas around the registry and memory dump settings that could be useful (how many actually send MS their abend dumps?), shutting remote access, and pointing out the usage and benefits of a firewall. When it comes to internet downloads/emails, though, the standard "Don't open unknown emails/attachments" still abounds. Rather lengthy - could do w/o the graphs and standard defs.

  4. Re:isolate by BrookHarty · · Score: 5, Informative

    Actually, that is pretty important, as there is no Service Pack 2 XP CD out. If you install on an open Internet connection, you can be infected before you download the updates. Even our work LAN wasn't protected; as soon as I plugged my laptop in for updates it was infected, and I had to clean it off. (Ya, ya, Zone Alarm....) I guess the default XP firewall turned on would at least be some protection.

    I think it's worth picking up a cheap network router or wireless router so you can have a NAT firewall to filter your PC. 802.11b routers are on sale for 20 bux that have NAT built in. Pretty cheap, and then you can update your PC before it gets infected.

    I have all service packs merged into my Win2k on CD, but WinXP only has the default SP1 without the updates for a year. So unplugging or firewalling your Internet connection is pretty important.

  5. Re:Step one by Marxist+Hacker+42 · · Score: 2, Informative

    You mean like Cisco's Linksys routers- which are linux based? Still, yes, certainly a hardware (Flash Rom) based solution helps quite a bit, and is less troublesome to set up.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  6. Quick way to get the post-SP1 pre-SP2 updates by semifamous · · Score: 5, Informative

    Quick way to get the post-SP1 pre-SP2 updates:

    AutoPatcher

    This is a good thing if you need to reinstall Windows soon before SP2 comes out.

    Even after SP2 comes out and it shrinks in size, the features it allows you to change are great.

    1. Re:Quick way to get the post-SP1 pre-SP2 updates by mattOzan · · Score: 4, Informative

      Even better way to get all those hotfixes RIGHT ONTO YOUR CD, so you don't have to muck about with downloading updates and waiting for them to install: XPCREATE: The XP Distribution CD Creator with Hotfix Slipstreaming

  7. Re:Total Cost of Ownership thru the roof by badriram · · Score: 3, Informative

    Well, most people don't do this over and over again on each and every machine. That is, we have GPOs (Group Policy Objects), scripting, and tons of third party apps. All those settings were done at my end once, and I update them at the release of every service pack. For security the amount of time I waste is next to nothing.

  8. Free Windows Security Update CD by not_hylas(+) · · Score: 4, Informative

    http://www.microsoft.com/security/protect/cd/order.asp

    See? Wasn't that easy?

    --
    ~hylas
  9. Re:Linux is complex? by databyte · · Score: 2, Informative
    Not all of it is related solely to security.
    • Section 1 - Introduction (15-16)
    • Section 2 - Windows XP Security Guide Development (17-32) about general networking guidelines and how this guide came to be
    • Section 3 - Windows Security Components Overview (33-38) with summary notes on the last page (38), the rest was features and footprint
    • Section 4 - Installation, Backup, and Patching (39-48) consists of advice on running Windows Update, using strong passwords, etc. Notes are again on the last page.
    • Section 5 - Overview of the Windows XP Security Policy Configuration and Templates (49-54) explains templates and how to use them.
    • Section 6 - NIST Windows XP Template Settings Overview (55-66) which explains the templates provided.
    • Section 7 - Additional Windows XP Configuration Guidance (67-90) is a ton of good content
    • Section 8 - Application Specific Security Configuration Guidance (91-110)
    • Section 9 - Putting it All Together (111-112)
    • Appendices A-F contain resource information not needed to secure your machine but good information to have.
    Steps to securing:
    Read the last page of Sections 3 and 4, if it's new to you - read the whole thing.
    Apply templates using information from Sections 5 and 6 if you don't know how.
    Read Section 7.
    Section 8 is optional depending on what types of programs you use.

    Required reading: 25 pages
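badriram's point above is that the settings get worked out once, pushed by GPO or script, and revisited at each service pack, and databyte's Sections 5 and 6 are where the guide explains the security templates that carry those settings. The following is an added example, not from the page and not NIST's own tooling: a small Python parser for the INI-style .inf template format that secedit and the Security Templates snap-in consume, used to diff last year's template against the one you are about to re-apply and to look up one registry setting directly. The two templates embedded below are constructed for illustration; their values are not the NIST recommendations. The SMBDeviceEnabled path is an assumption about the TCP 445 setting Marxist Hacker mentions; the page does not name it.

```python
"""Parse and diff Windows security templates (.inf files).

Added example; not NIST's tooling and not code from the page. The two
templates below are constructed and their values are NOT the NIST
recommendations.
"""
import configparser

# Type codes on the right-hand side of [Registry Values] entries:
#   <registry path>=<code>,<data>
REG_TYPES = {"1": "REG_SZ", "2": "REG_EXPAND_SZ", "3": "REG_BINARY",
             "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

# Assumed to be the value the port-445 comment refers to: 0 stops the
# NetBT driver listening on TCP 445. Not stated on the page.
SMB_445_VALUE = (r"MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"
                 r"\Parameters\SMBDeviceEnabled")

# Constructed "last year's" template.
OLD_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 10
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMBDeviceEnabled=4,1
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

# Constructed "this service pack's" template.
NEW_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SMBDeviceEnabled=4,0
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks=4,0
"""


def parse_template(text):
    """Return {section: {key: value}} for one template's text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep registry paths exactly as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def decode_registry_value(raw):
    """'4,0' -> ('REG_DWORD', '0'); unknown codes come back as 'type N'."""
    code, _, data = raw.partition(",")
    code = code.strip()
    return REG_TYPES.get(code, f"type {code}"), data.strip()


def registry_setting(template, value_path):
    """(type, data) for a [Registry Values] entry, or None if not set."""
    raw = template.get("Registry Values", {}).get(value_path)
    return None if raw is None else decode_registry_value(raw)


def diff_templates(old, new):
    """List (section, key, old_value, new_value); None marks an absent side."""
    changes = []
    for section in sorted(set(old) | set(new)):
        o, n = old.get(section, {}), new.get(section, {})
        for key in sorted(set(o) | set(n)):
            if o.get(key) != n.get(key):
                changes.append((section, key, o.get(key), n.get(key)))
    return changes


def load_template_file(path):
    """Read a template from disk. Files with '[Unicode] Unicode=yes' are
    normally saved as UTF-16 with a BOM; otherwise assume the ANSI code page."""
    with open(path, "rb") as f:
        data = f.read()
    enc = "utf-16" if data.startswith((b"\xff\xfe", b"\xfe\xff")) else "cp1252"
    return parse_template(data.decode(enc))


if __name__ == "__main__":
    old, new = parse_template(OLD_TEMPLATE), parse_template(NEW_TEMPLATE)
    for section, key, before, after in diff_templates(old, new):
        print(f"[{section}] {key}: {before!r} -> {after!r}")
    print("TCP 445 in new template:", registry_setting(new, SMB_445_VALUE))
```

Point `load_template_file` at the .inf files that ship with the guide to diff two real templates; the diff is what to review before running the new one through secedit or the snap-in, since a template applied with /overwrite replaces whatever the previous one set.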
  10. Re:Obvious by mingot · · Score: 3, Informative

    Dunno. I've done just fine with a years old Linksys router. No AV, no anti-spyware software, and pretty much no configuration on the boxes themselves. Oh, and using Outlook and IE.

    How have I gone literally YEARS without a virus, worm, or piece of spyware? Quite simple.

    1. I don't steal other people's work. This has two implications. I don't install file sharing software, which is most always loaded with spyware. The other is that I don't download software of dubious origin.

    2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto run scripts in years now.

    3. I limit the items that I do download to execute to those that are well known and from sites that I trust. I DO NOT go and download every screen saver I can find on the internet like a LOT of other idiots do. You'd be surprised at the amount of shit that creeps in through the installs of these whores.

    4. When the little popup says that updates are available I install them. That simple. For software that I use which is not included in Windows Update I check the sites regularly (if they are software that is susceptible to this sort of thing).

    No cost, save the router. All common sense and situational awareness when I surf. The people who have computers loaded with spyware lack this. And Linux/OSX/FreeBSD are NOT going to save them from themselves.

  11. Re:Missing step 148. by dmaxwell · · Score: 4, Informative

    Think lineage of image here. If you're making a new image or install, it will still be easier to start from an image you made 9 months ago than to start from an XP cd. All the little desktop tweaks will be the way you like them and you'll only have 12 or so patches and 3 reboots rather than 47 or so and 7 reboots. Not only that, a good deal of your software won't have changed. You'll be saved some work there as well.

    I finished new OS 9 images for some Macs I maintain (I know, I know, but it has to be this way.) I didn't start from an OS 9.0 CD and patch it up to 9.2.2 + add a boatload of apps. I installed last year's image, made changes and then created a new image. I still saved a considerable amount of work and thumb twiddling watching progress bars.

  12. Re:Reminds me of Bastille linux by vadim_t · · Score: 4, Informative

    Many of those have nothing in common. Please at least do some reading on this stuff.

    Bastille was a script that tweaked things for you last time I checked. It does nothing you can't do by editing config files and using chmod if you know how.

    ACLs are approximately a WinNT-like permission system for Linux.

    selinux goes MUCH further, adding capabilities that didn't exist before, making it possible to precisely specify what a process is supposed to do and what not. While quite complicated, it allows doing nifty things.

    PAM has a unique purpose - handling authentication. If you want your users to use a smartcard or a fingerprint reader, that's what you need.

    ssh is an encrypted telnet (simplifying things a bit)

    sasl is an encryption library, beecrypt is another.

    kerberos is an authentication method - which has absolutely nothing to do with things like filesystem permissions.

    So, where are those interactions you talk about? SeLinux with all its power has nothing to do with encryption and doesn't replace it. Different encryption libraries don't conflict with each other and in most cases users don't even need to deal with them. PAM could be said to be related to SeLinux a tiny bit, but they do very different things. SeLinux handles permissions, while PAM defines how users are authenticated to the OS. Kerberos is just a protocol.

  13. Re:Reminds me of Bastille linux by Anonymous Coward · · Score: 1, Informative
    You are trying to gloss over the complexity. And Kerberos is hardly "just a protocol", it is a type of authentication, so it shares something with PAM. Kerberos controls access by issuing authentication tokens, i.e. "tickets".

    Furthermore, just think of all the other duplicated access control mechanisms:

    • /etc/hosts.allow
    • /etc/hosts.deny
    • /etc/hosts.equiv
    • ~/.rhosts
    • /etc/ftpaccess
    • /etc/rsyncd.conf
    Jeez, there are sure to be many more that I've overlooked. You can't wave your hands and pretend that this complexity doesn't exist. That solves nothing.
  14. zerg by Lord+Omlette · · Score: 2, Informative

    For any part that says "disable unused services", don't forget to check out XP Service Config Guide by Black Viper.

    --
    [o]_O