NIST Issues Windows XP Security Guide
routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particularly Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."
but FP just in case.
The GNAA is dealt a severe blow in Nigeria as five hundred 419 scammers are arrested.
Format, install Linux.
Fifty percent of those problems are IE problems.
Install something else besides XP!
ha ha!
stuff |
1) Wondering how to connect your new XP box to a network to get downloads, without being immediately hit by a worm? Submit an Ask Slashdot! The editors seemingly never tire of posting that one.
What I'm listening to now on Pandora...
Hey guys! I've got 2 gmail invites! the first couple of people who post (no AC) saying that SCO and Darl are right (convincingly...no sarcasim tags!) get the invites, I'll send it to any email address you'd like
Step one: Isolate from network.
...install VMWare, run XP from inside the sandbox :D
IT pros already know Windows XP has more gaping security holes than Windows 3.11! And less functionality, too!
Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
I don't think this is a coincidence.
I put my hand in my pocket
What do I feel?One hundred and ten stories
Of concrete and steel
Is there something wrong with me?
What do I need to do to find love?!
Help me!
Easy broken down into 9 littler chapters for those MCSE's still out there.
Only 147 pages of reading to secure your Windows XP?!? And they say Linux requires an in-depth knowledge of the OS...
There are some areas around the registry and memory dump settings that could be useful (how many actually send MS their abend dumps?), shutting remote access, and pointing out the usage and benefits of a firewall. When it comes to internet downloads/emails, though, the standard "Don't open unknown emails/attachments" still abounds. Rather lengthy - could do w/o the graphs and standard defs.
Hmmm, there is only one line in there: 1) INSTALL FREEBSD
Shut the fuck up.
That's all I ask of you. Post the fucking stories, and leave the comments to the community.
Your little "step-1:-reformat" quip would (well, should) be modded -1, Troll/Flamebait, but since you're a big bad editor you get to troll in the story itself.
Grow up man. I know that almost none of the editors/janitors care about what they do here anymore, but pretend. Look at simoniker as an example. Well put together articles, posts retractions/corrections when wrong, and responds to posters.
-Insert clever Windows bashing phrase here-
unbelievable
These freaks and "l337 haxorz" have nothing better to do than flame windows, when linux has had its own share of security problems
A manual for securing linux could be just as big
Wow, changing all those settings really bumps up the Total Cost of Ownership (TCO) of Windows!
Why do overlook the Weapons of Mass Destruction In Israel ?
Regards,
Kilgore Trout
Step two: FDISK!
Audioscrobbler
Quick way to get the post-SP1 pre-SP2 updates:
AutoPatcher
This is a good thing if you need to reinstall Windows soon before SP2 comes out.
Even after SP2 comes out and it shrinks in size, the features it allows you to change are great.
Forget about NAT and start running proxies for anything you need. Worms will keep working as long as they can get out. Proxies can help with not allowign the stupid stuff in and running all sorts of malware scanning but it's very important to stop the spread as well. NAT is good for things you cany proxy like games.
No sir I dont like it.
Did anybody else notice that it is still set as a Draft? I guess they arn't even sure they got everything.
This is not a troll.
It should be patently obvious that if Windows XP requires that much effort to use securely, it means that the software itself is insecure by nature, and you probably shouldn't be using it.
As a famous computer once said: "The only winning move is not to play."
Tired of FB/Google censorship? Visit UNCENSORED!
I've only kept my XP box around for games, movies, and entertainment. If I have to do something that needs to be secure I either use mac osx or linux. I try to avoid the IE browser except when reading webcomics or news and I do online banking far away from IE but I'm not worried about that cause I'm pretty sure my money is still federally insured under a plan that I forgot its name. I like XP for games and that is about it so far besides movies. I just hope SP2 doesn't ruin compatibility to some of my old favorites like Fallout 2
- "Microsoft ripped off/ruined XXXXXXX!"
- "Windows sUx0rZ! Use Linux instead."
- "Blah, blah, Bill Gates ate my balls, blah."
- "They must have used IE! LOL!"
- "Blahblah, William Henry Gates, blah, hexidecimal, blah 666, blah."
Amusing, all of them, but couldn't we just bundle all the posts that do nothing but bash MS with some over-used catchphrase into a scripted category? Automatically, every time a story regarding Microsoft or Bill Gates comes out, a script will automatically generate the above comments in a seperate thread, and if someone can think of an original bash to say, they can just add it to the list. With time and effort, the script will grow to a good....10 or 20 insults.-The Libra
"Please be patient--The future will begin momentarily."
I just briefly read thru that document. It is an excellent read. Lots of the things they mention are fairly well known, but to have it all grouped together in a comprehensive document is a real godsend. Reminds me A LOT of bastille linux .
There is a huge advantage to have predefined profiles you can apply. I imagine myself using these security profiles to harden family member's PCs. I usually have neither the time nor the inclination to lock down my mother's computer.... so having some defaults and a quick checklist will save me a TON of time in the long run.
It's also nice to be able to send someone a link and tell them "Do this stuff" rather than walk them thru all the things they need to do to be safe. As I am sure most Slashdot readers have experienced, the unending number of tech calls from friends and family gets old after a little while. I think this document will help restore the free time that Uncle Bill has taken from me.
Don't download zips from the internet and open them on your winxp machine.
Whatever man, I spelled it write!
The bold print was an accident of not closing my tags, not an attempt to get my post more attention or to be a troll.
-The Libra
"Please be patient--The future will begin momentarily."
but I'm not supposed to download unknown zip files on my Windows machine.
There are already a lot of people who can do this. Well, without the first blank, that is.
I love C++
Load Linux. :)
This is not the sig line you are looking for... -- Old Jedi Sig Line Trick
Doesn't it seem wrong that this came from NIST and not Microsoft?
Great free tool to deploy security updates if you complement it with a few VBScripts to check the status of the GPO and to force deployement...
Too bad version 2 which will support Office, IIS and SQL patches keeps getting delayed..
effectively securing Windows XP systems
That's the great thing about Slashdot -- timely reviews of only the very best science-fiction literature.
-- I could tell right away that she was impressed with my HUGE Slashdot Karma.
(right?...)
http://www.microsoft.com/security/protect/cd/order .asp
See? Wasn't that easy?
~hylas
Glad to know that my taxpayer dollars not only go to subsidize their schooling and subsidize their certification programs but also to generate a nice neat HOWTO manual for them to do their jobs.
No wonder there's so many pencils stuck in the ceiling.
+++ATHZ 99:5:80
Speak truth to power.
Yes, I've been thinking of this.
You use windows, you have to buy windows, install anti-virus software, firewall software, anti-spyware software (the free versions require repeated updating and could dissapear arbitrarily at any time), configure alot of stuff, and you STILL don't get complete control over your box.
But somehow people put up with this, and somehow (at least according to MS) Windows has a lower TCO.
... before it's too old for the front page. Probably a good idea to read before heading straight to the zip file.
guidance_WinXP.html
Longhorn is going to be released before SP2 is release..which is supposed to clean up a lot of these loose ends.
Going along the lines of the earlier slashdot story0 6/12172 43&mode=thread&tid=146&tid=188&tid=192&tid=99)
(http://slashdot.org/article.pl?sid=04/07/
I wish my college prof threw out the books for class and asked us to use stuff like this, it has everything the books had in it, and it covers it so much better.
step two...
C:\>FORMAT C:
...speaking of - short joke: A baby seal walks into a club.
Ba-dam tisch....curtain
Quidquid latine dictum sit, altum sonatur.
147. Search Google for "apache 2.0 win32?. Download. Install. Copy and paste custom stuff into httpd.conf. Restart Apache service.
148. GHOST MACHINE. Never have to reinstall again.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
I happen to work at NIST and I'm on the Gaithersburg, MD campus right now. Perhaps reading this article can be considering reading slashdot and working at the same time?
Cyde Weys Musings - Scrutinizing the inscrutable
Did anyone actually read the documented guide, even for a little bit? :\
I tell you, if a sysadmin should resort to that, he must REALLY suck, because all of what is explained in there is so f*cking obvious.
I mean, c'mon.
- Agilo
...like cleaning out the Aegean Stables with a whisk broom?
and I thought the gentoo handbook was a long read.
that is pretty important as theres is no Service Pack 2 XP Cd out
That's because there's no SP2 out. If you like running Betas though, I've got this copy of Win98...
You've at least got the CHOICE of whether or not to use KDE. I personally use GNOME, but that's only because I'm using Fedora, because I'm too lazy to install Debian at work...or rather I've got better things to do. Erm, where was I?
Oh right, also, KDE is open source, so you could potentially disable konqueror if you *really* wanted to, so it seems that your point is invalid...
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
Since NSA already has a guide for Securing WinXP...which part of the government is authoritative on recommendations?
u ID =scg10.3.1.1
Here is the link to the page for NSA's Windows XP security Guide (And others)
http://www.nsa.gov/snac/downloads_winxp.cfm?Men
Mom's ordering a new computer today. And I expect she won't have much trouble with it.
She's actually been very happy with her old computer, but the video went out a couple days ago, and she decided it was time to get a new computer rather than having the old one repaired, something I urged her to do because most of today's software won't run on the machine I gave her and dad for Christmas in 1995.
She was still running netscape 4.5. I avoided using CSS for the longest time for the sole reason that it wouldn't render well on Mom & Dad's machine.
(Dad passed away, I'm very sorry to say, about a year ago.)
Mom's old machine? A Mac 6130. I forget if it was a powermac or performa. It had a 66 Mhz PowerPC 601. Remember - Mom was perfectly happy with her old Mac until it lost video. It might even be easy to repair, but we're a continent apart so I can't look at it myself.
Her new machine? A 17 inch iMac, with 256 MB of RAM, 80 GB hard drive, 1.2 GHz PowerPC CPU. I think the iMacs all use G4s now.
No worms or viruses for her.
I recommended purchasing AppleCare. It will take her some time to get used to Mac OS X. I think her iMac could boot into Mac OS 9, but I'm not going to tell her how. I'm going to suggest she take a class to learn about Mac OS X.
All her old software will still run, just under the Classic mode within OS X.
Do you do tech support for your Mom? Get her an iMac, and get ready to stop cursing at Windows.
Aunt Peggy, Mom's twin sister, got an iBook about a year ago, again on my recommendation.
Request your free CD of my piano music.
From that site:
The Microsoft Windows Security Update CD includes Microsoft critical updates released through October 2003 and information to help you protect your PC. In addition, you will also receive free antivirus and firewall trial software!
Pilgrim bitches too much.
It's his fault that he can't keep track of his product key. Windows isn't the only product -- software or otherwise -- that wants a serial number before it works.
It's his fault that he wasn't clueful enough to add SP1 and the usual horde of updates before he started mucking about. (Not that anyone installing a 4-year old version of any Linux distribution wouldn't also need to install a horde of security updates.)
And, it's his fault for trying to use old drivers to get his net connection working.
-- Slashdot: When Public Access TV Says "No"
It's called FDIC insurance and doesn't cover losses as a result of hacking. It was created to ensure that if "the bank" goes belly-up, you'll still get your money.
Hacking liability is up to your individual bank and you might want to check up on what they will reimburse you.
in effectively securing Windows XP systems
Anyone else first read this as "ineffectively securing..." ?
Don't forget to read the EULA. In it you'll find out you aren't allowed to install an IMAP server, SMTP server, or apache server for non-local connections. It's right there on page 1.
Developers: We can use your help.
Grandparent is an obvious troll, spreading FUD.
I am posting here in order to cancel my moderation - I accidentally modded parent post the way I meant to mod grandparent (yes I know, I am an idiot sometimes)
Looks like those NIST folks forgot all about the DISA STIGs
After all that, I'd:
1. defrag the disk
2. download the pagefile defragger from Sysinternals, and
3. defrag the pagefile and system files.
Competition Good, Monopoly Bad.
For any part that says "disable unused services", don't forget to check out XP Service Config Guide by Black Viper.
[o]_O
Info here.
Got time? Spend some of it coding or testing
I don't understand 'IT professionals' in the same sentance as 'Windows XP' really. If you are that stupid to maintain something that constantly breaks down./.. oh well
There are still some people around who are stupid enough to use a Window$ operating system?! I thought all those idiots were gone by now. Don't they keep up with the news?
Aren't government agencies usually the worst offenders as far as network security is concerned? Aren't they usually given D and F ratings by the Office of Management and Budget (OMB) year after year? Yet here is a government agency cranking out advice on securing Win XP. It makes more sense to get rid of the offending OS if it really is that bad rather than trying to fix the unfixable. I can't beleive all the time and money that is spent on firewalls, antivirus software and patching on what shouldn't be a major problem in the first place. I don't understand why Microsoft Software is so popular if it really is this crappy. Even if it came "free" with the computer (I can assure you it didn't), MS would still be charging too much for such a low quality POS by any other standard. By all rights, all MS OSes should have some sort of warning during installation that says that the OS was designed for easy installation of viruses, worms, trojans, and malware that you should retract your hard drive for safety.
Yeah, sure, I can talk smart; I don't use MS products so what do I know.
My mom still uses a Calender Creator made in 1987 for DOS 3 or 5. I'm not sure which. She's managed to carry it all the way over to her Windows 2000 Professional machine. She uses Windows 2000 because that's what they use at her workplace.
The computer decisions of my aunt & uncle and my grandparents were heavily influenced based upon what my mom used... Windows.
Actually, it was more of a rolldown effect. My aunt saw what my mom could do with her IBM Compatible PC and bought one in the 90s. Last year, when my aunt bought her new Windows PC, Grandmother saw what my aunt could do with it and bought one similar to it.
Which also means that I had no influence whatsoever in what they bought... Oddly enough, they don't call me for tech support very often. I suppose that's because they still haven't caught the Internet bug... they're content with using an email only service.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
the autopatcher self-expanding exe is a 7-zip exe. according to the 7-zip home page (http://www.7-zip.org/) it's possible to get it working under wine (though i've never figured out how to get it working this way).