NIST Issues Windows XP Security Guide
routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."
Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
There are some areas around the registry and memory dump settings that could be useful (how many actually send MS their abend dumps?), shutting remote access, and pointing out the usage and benefits of a firewall. When it comes to internet downloads/emails, though, the standard "Don't open unknown emails/attachments" still abounds. Rather lengthy - could do w/o the graphs and standard defs.
Actually, that is pretty important as there is no Service Pack 2 XP CD out. If you install on an open Internet connection, you can be infected before you download the updates. Even our work LAN wasn't protected; soon as I plugged my laptop in for updates it was infected, and I had to clean it off. (Ya, ya, ZoneAlarm....) I guess the default XP firewall turned on would at least be some protection.
I think it's worth picking up a cheap network router or wireless router so you can have a NAT firewall to filter your PC. 802.11b routers are on sale for 20 bux that have NAT built in. Pretty cheap, and then you can update your PC before it gets infected.
I have all service packs merged into my Win2k on CD, but WinXP only has the default SP1 without the updates for a year. So, the unplug or firewall your Internet connection is pretty important.
Quick way to get the post-SP1 pre-SP2 updates:
AutoPatcher
This is a good thing if you need to reinstall Windows soon before SP2 comes out.
Even after SP2 comes out and it shrinks in size, the features it allows you to change are great.
http://www.microsoft.com/security/protect/cd/order.asp
See? Wasn't that easy?
~hylas
Think lineage of image here. If you're making a new image or install, it will still be easier to start from an image you made 9 months ago than to start from an XP cd. All the little desktop tweaks will be the way you like them and you'll only have 12 or so patches and 3 reboots rather than 47 or so and 7 reboots. Not only that, a good deal of your software won't have changed. You'll be saved some work there as well.
I finished new OS 9 images for some Macs I maintain (I know, I know but it has to be this way.) I didn't start from an OS 9.0 CD and patch it up to 9.2.2 + add a boatload of apps. I installed last year's image, made changes and then created a new image. I still saved a considerable amount of work and thumb twiddling watching progress bars.
Many of those have nothing in common. Please at least do some reading on this stuff.
Bastille was a script that tweaked things for you last time I checked. It does nothing you can't do by editing config files and using chmod if you know how.
ACLs are approximately a WinNT-like permission system for Linux.
selinux goes MUCH further, adding capabilities that didn't exist before, making it possible to precisely specify what a process is supposed to do and what not. While quite complicated, it allows doing nifty things.
PAM has a unique purpose - handling authentication. If you want your users to use a smartcard or a fingerprint reader, that's what you need.
ssh is an encrypted telnet (simplifying things a bit)
sasl is an encryption library, beecrypt is another.
kerberos is an authentication method - which has absolutely nothing to do with things like filesystem permissions.
So, where are those interactions you talk about? SeLinux with all its power has nothing to do with encryption and doesn't replace it. Different encryption libraries don't conflict with each other and in most cases users don't even need to deal with them. PAM could be said to be related to SeLinux a tiny bit, but they do very different things. SeLinux handles permissions, while PAM defines how users are authenticated to the OS. Kerberos is just a protocol.