NIST Issues Windows XP Security Guide

routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particularly Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."

Re:50%

[mgoodman]

And unfortunately IE is integrated into Windows. Even if you use Mozilla, problems are still potentially exploitable, sadly.

Re:50%

[Mz6]

"Fifty percent of those problems are IE problems."

Does this get filed the same as "90% of all statistics are made up"?

Re:Step one

[Marxist+Hacker+42]

And the answer is simple- hook it up to a Linux-based NAT router! If no server ports are exposed to the WAN, no worms can find the new box.

Re:Page 1: For best security...

[xOleanderx]

Hopefully SP2 will fix many of these problems.

Re:Step one

[crimethinker]

You're only partly correct. If you put the windoze box behind a NAT, you won't get 0WN3D by all of the remote exploits, but that's only half of the solution. You're still vulnerable to virus-laden e-mails (especially if you use MS Outhouse) and malicious web pages (if you use IE).

Yes, you and I have a clue and use something else for mail and web, but most home users are not savy enough to switch away from the vulnerable products, and worms and viruses will continue to spread through these channels for some time to come.

-paul

Obvious?

[IGnatius+T+Foobar]

This is not a troll.

It should be patently obvious that if Windows XP requires that much effort to use securely, it means that the software itself is insecure by nature, and you probably shouldn't be using it.

As a famous computer once said: "The only winning move is not to play."

Re:Obvious?

[Anonvmous+Coward]

"It should be patently obvious that if Windows XP requires that much effort to use securely, it means that the software itself is insecure by nature, and you probably shouldn't be using it."

And Linux is better? It's not secure. You still have to install patches and updates and the like. You have to put the work in either way, might as well go with the OS that does the things you wanna do. In other words, us gamers are not swayed by your argument.

I only use xp for games lately

[Cyberhwk]

I've only kept my XP box around for games, movies, and entertainment. If I have to do something that needs to be secure I either use mac osx or linux. I try to avoid the IE browser except when reading webcomics or news and I do online banking far away from IE but I'm not worried about that cause I'm pretty sure my money is still federally insured under a plan that I forgot its name. I like XP for games and that is about it so far besides movies. I just hope SP2 doesn't ruin compatibility to some of my old favorites like Fallout 2

Reminds me of Bastille linux

[mentatchris]

I just briefly read thru that document. It is an excellent read. Lots of the things they mention are fairly well known, but to have it all grouped together in a comprehensive document is a real godsend. Reminds me A LOT of bastille linux .
There is a huge advantage to have predefined profiles you can apply. I imagine myself using these security profiles to harden family member's PCs. I usually have neither the time nor the inclination to lock down my mother's computer.... so having some defaults and a quick checklist will save me a TON of time in the long run.
It's also nice to be able to send someone a link and tell them "Do this stuff" rather than walk them thru all the things they need to do to be safe. As I am sure most Slashdot readers have experienced, the unending number of tech calls from friends and family gets old after a little while. I think this document will help restore the free time that Uncle Bill has taken from me.

Re:50%

[Pharmboy]

You're in IT? Notify the upper-management about the best tools available then implement those tools. If you can't make a reasonable argument why Windows is a hazard than get another career and move over for someone that can. It is POSSIBLE.

IT departments are the problem and Windows will be the dominant OS for decades to come until more IT "men" grow some balls.

HA! Just ask the boss for money and he gives it to you? Thats rich. So, if windows allows an email client to arbitrarily execute code in an email, its the IT depts fault? If Windows IIS allows you to run code by simply sending a malformed URL, its the IT depts fault? So, the solution is buy yet more software, that will not know about these exploits until they are exposed anyway, so is useless for unknown (but will be discovered) vulnerabilities?

And MS is the good guy and the IT guys are the bad guys, because all they have to do is go spend a bunch of money to secure an operating system they already paid alot of money for? And if the company is dependent on software that will only run on Windows for a year or two, its the IT depts fault if the boss won't change to Linux?

I gotta admit, I did enjoy the "grow some balls", coming from an AC. You sound more like a pissed off 20 year old who just finished a program at Devry and can't believe someone won't hire him for $80k.

Re:isolate

[eean]

At my .edu they decided that our firewall would protect us from Blaster. Didn't take them long to figure out how wrong they were.

Firewalls assume they're aren't malicious things happening on your side of it.

I'm being double charged

[maximilln]

Glad to know that my taxpayer dollars not only go to subsidize their schooling and subsidize their certification programs but also to generate a nice neat HOWTO manual for them to do their jobs.

No wonder there's so many pencils stuck in the ceiling.

How to install Windows XP in 5 hours or less

[spoonyfork]

From Mark Pilgrim's How to install Windows XP in 5 hours or less:

1. Back up entire d: drive to iMac upstairs. rsync rocks.
2. Find Windows XP install disc.
3. Reboot with Windows XP install disc.
4. Asked for product activation. Curse Microsoft.
5. Search my house in vain for my original, 100% legitimate, retail Windows XP box.
6. Reboot.
7. Search control panels in vain for a window, dialog, tab, or pane that displays my current product key.
8. Search Google for "windows xp get current product key".
9. Find a utility on a cracker web page in Russia that displays the current product key. This is one of the more lame utilities, since most of the good ones allow you to change it. I don't wish to change it; I actually have a perfectly good product key, I just don't know what it is.
10. Reboot with Windows XP install disc.
11. Reboot repeatedly as required.
12. Boot screen. Choose between "Windows XP Professional" and "Windows XP Professional". Brilliant. Pick one. The wrong one. Boot into fucked Windows XP install. Hard reboot. Pick the right one. Make mental note to hack boot.ini later.
13. "Welcome to Windows XP. You have no useful programs and no internet access. You have 30 days left for activation. Would you like to activate now?" Yes, I would, but I have no internet access.
14. Unnecessarily loud and cheerful startup noises. Make mental note to turn off all sounds later.
15. Search the "Network and Internet Connections" wizards in vain for some way to set up my Linksys wireless card. Having never done a clean install of XP (I previously upgraded from Windows 2000), and having been moderately impressed by the new wireless networking features in XP, I naively assumed this would "just work". Silly rabbit.
16. Search my house for my Linksys wireless card driver install disc. Find the install disc that came with the old card, that broke and was replaced by the new-and-improved version 3.0 card. Wonder if that will suffice.
17. Fight with the "Add New Hardware Wizard" trying to install the obviously inferior drivers off this disc.
18. Wonder where the "Device Manager" is hiding.
19. Find the "Device Manager". Right-click on the unknown device, "Linksys_Instant_Wireless_Card". Update driver. "Windows was unable to locate a driver for this device. Would you like to search on the internet?" Yes, I'd love to, but I can't, you moron. Install driver from specific location. Specify WIN2000 folder on old-and-inferior install disc.
20. "This driver is not digitally signed." OK.
21. "This driver may cause your computer to become unstable." OK.
22. "This driver may anally rape your mother while pouring sugar down your gas tank." OK.
23. Nothing. No connection, no internet access, no acknowledgment of any device whatsoever.
24. Reboot.
25. Doesn't work.
26. "Take a tour of Windows XP!" I am.
27. Reboot.
28. Doesn't work.
29. Dig out old wired PCMCIA card. Take computer upstairs. Plug directly into switch. cmd. ipconfig. We have an IP address. ping www.google.com. We have name resolution and internet access.
30. Fire up Internet Explorer. runonce.msn.com. No. www.linksys.com. Support. Downloads. WPC11. Windows XP. Linksys.com rocks.
31. Insert Linksys wireless card.
32. Back to Device Manager.
33. Uninstall old-and-inferior driver.
34. Update driver.
35. "This driver is not digitally signed." OK.
36. "This driver may cause your computer to become unstable." OK.
37. "This driver may…" OK.
38. cmd. ipconfig. We have internet access.
39. "Add your .NET Passport to Windows XP!" No.
40. Fire up Internet Explorer. www.msn.com. No. www.mozilla.org. Download Mozilla.
41. Realize I should create an "f8dy" user because it will make my life easier later.
42. Create "f8dy" as an administrator. Log out. Log in.
43. Install Mozilla. Yes, I would like to make you my default

Re:How to install Windows XP in 5 hours or less

[John+Whorfin]

Good God man, wouldn't finding a freaking Linux CD be easier?

Missing step 148.

[Tenebrious1]

147. Search Google for "apache 2.0 win32?. Download. Install. Copy and paste custom stuff into httpd.conf. Restart Apache service.

148. GHOST MACHINE. Never have to reinstall again.

Re:Missing step 148.

[Agilo]

Wrong, because by the time you've ghosted, and are installing another machine, oh, say, half a year later, it turns out there's 80 new patches available on Windows Update, and Apache has been cracked to shits, thus requiring updates, and, well, just about the same for a whole lot of programs.
Then once you have installed that, go ahead, ghost it again, but it's an viscious circle if you ask me.

This'll be really wortless if you ghost the image to a DVD/CD, waist of DVD/CD in my opinion.

Then again, I don't use Windows anymore.

Re:isolate

[eean]

Then the students bring their computers back from the summer.

Making a campus LAN not a dangerous one is impossible. You have to assume worms are going to get in.

Re:50%

Clearly you've never worked for an appreciably large global organization which has strict standards on hardware and software. "Upper management" is usually in a different city, if not a different country/continent, and rolling out such a deployment to 50000+ desktops is not cheap. Administration of said desktops is often decentralized, and it doesn't matter how much it'll save in the long run, companies are just trying to save funds in the short term in order to stay afloat.

I'll have you know that I have lovely 'balls', so whenever you're done your MBA (the only thing I can attribute your cluelessness to), perhaps get a mitt and get in the game. You're obviously not seeing a broad enough spectrum of the business world.

Re:isolate

[Scutter]

You misunderstand.

No, I understand perfectly, but protecting an internal network is not the firewall's job. The firewall's job is to act as a gatekeeper to traffic passing through it wherever it's placed in the network. What you are proposing is a fundamental change in network design, of which the firewall is only a very small part. VLAN's, proxy servers, etc. all play a part in securing an internal network. It doesn't make sense to place the blame for an insecure internal network at the feet of a single firewall (misconfigured or otherwise).

If someone brings in an insecure laptop and plugs it into a random port on your switch, you can hardly blame the firewall between your LAN and the internet if the laptop starts spewing Sasser around your network. That's where VLAN's, internal firewalls, and other security measures come into play.

Regardless, my response was in answer to your comment about firewalls not protecting internal networks, not the intricacies of switchport-level network security.

NSA's guide or NIST's?

[Danathar]

Since NSA already has a guide for Securing WinXP...which part of the government is authoritative on recommendations?

Here is the link to the page for NSA's Windows XP security Guide (And others)

http://www.nsa.gov/snac/downloads_winxp.cfm?Menu ID =scg10.3.1.1

Re:Obvious

[Kjella]

2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto run scripts in years now. (...) The other is that I don't download software of dubious origin.

Last I checked, IE ran executable code automagically due to a buffer overflow late last year, not sure if there are any such bugs this year.

Anyway, I realize what you're trying to say but it is still a poor situation. It's like saying "Yeah, I drive a crappy and hazardous car with poor brakes, but I'm a good driver and drive defensively so I don't get into any accidents anyway."

And regardless of how obvious it may seem to you, it is not common sense. It's your computer knowledge. Don't confuse common sense with logic. It is logical to you because you know how a computer works. It is not logical to a person that doesn't know what's ihside that beige box, and has no idea what an OS is or does. And that really have no idea what is nor should be happening when they open a file.

People have no clue what makes up a "dubious" origin. Hell, RealPlayer counts as dubious in my book (once a villain, always a villain), while an OSS project who has no corporate backing, not knowing any of the coders, is usually less dubious. How do you know which are reputable companies? Knowledge, which implies that it is not common sense.

Kjella

Re:50%

No matter where you are on the totem pole, it has to start somewhere.

You must be new to the industry. While I share your sentiments completely, they're unfortunately fairly unrealistic.

Don't let your fingers get so sticky from the donuts that it gets hard to type,

Ah, the classic assumption that all IT folks are big sweaty nerds. Further verifying that you're new to the industry, or not a part of the industry at all. You don't seem to have been around long enough to a) be jaded or b) figure out how things REALLY work, and for that, I can't fault you. Your ideas on change are understandable, but the ease with which you think they can be carried out are off the mark.