NIST Issues Windows XP Security Guide

routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particularly Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."

Re:isolate

not really...

step one is to get a competent admin that will install from a slipstreamed install CD. all of mine are slipstreamed with SP2 so all patches up ot now are included and the machine is not instantly owned on the corperate network. ANYONE installing XP or W2K from origional CD's is nuts. slipstream the patches. My W2K disks are up to the SP4 rev and have all hotfixes on the disk ready for the scripted install after first reboot. and the XP disks are ready to go as well..

Yes, it's a pain in the arse to have to do this cince MS refuses to issue updated install CD's every time they do major updates to their os... but it's all we got.

Re:Step one

[Marxist+Hacker+42]

The point is to download the Windoze updates *before* even running Outhouse or IE. And of course, following all the rest of the advice in the above document in setup, before doing ANYTHING on the web.

I'm also strongly of the opinion that home users that don't take precautions in this day and age deserve to have their boxen 0wn3d. And then have their ISP shut them down and isolate those boxen.

Re:Format, install Linux...

[cball2k]

valid

I actualy do this very thing with a client. I also have anoth client that runs 2-4 servers per case, using VM-Ware, but running on w2ksvr. All my clients use Sonicwall TZ series firewalls (and I firmly believe that all business should have a firewall if they use the internet)

Re:Reminds me of Bastille linux

The problem with Linux is all the non-orthogonal options, and trying to figure out how they interact. To wit,

• standard "chmod" permissions
• extended attribute "chattr" permissions
• bastille linux on top of the above
• access control lists
• Kerberos
• Pam
• selinux
• ssh
• beecrypt
• sasl
• a dozens more miscellaneous options and utilities.

I wish there would be a unified solution. There are various bits of overlap, and the permutations of the above lead to quite a bit of complexity. Of course, as far as I know XP is not one bit simpler.

Great document

[glass_window]

Going along the lines of the earlier slashdot story
(http://slashdot.org/article.pl?sid=04/07/0 6/12172 43&mode=thread&tid=146&tid=188&tid=192&tid=99)
I wish my college prof threw out the books for class and asked us to use stuff like this, it has everything the books had in it, and it covers it so much better.

Re:Looks very usefull at first glance

[Azghoul]

This is probably going to seem like flamebait, but I'm honestly curious: Does anyone else feel it's odd, at best, to have a government agency telling us all how to safely operate a private company's product?

Just seems weird to me, but I guess it happens in other industries as well...

Re:How to install Windows XP in 5 hours or less

And people are whining about compiling things in Gentoo? Heck, at least I don't have to sit around and wait while Gentoo compiles -- I just go off and do other things.

Man...I'm glad I don't use XP anymore. All of the above sounds very very painful.

Re:Looks very usefull at first glance

[Marxist+Hacker+42]

What, you expect the private company to actually be truthfull about the dangers of their product?

Seems normal to me, and a necessary function of government in a corporatist economy. Otherwise, Caveat Emptor is the only real law left.