NIST Issues Windows XP Security Guide
routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."
Step one: Isolate from network.
...install VMWare, run XP from inside the sandbox :D
Especially for those of us who have mixed LANs at home. This was the first I had heard of a way to disable 445, the replacement Netbios port (even if it's a convoluted way to do it).
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Does this get filed the same as "90% of all statistics are made up"?
Hmmm.
Easily broken down into 9 littler chapters for those MCSEs still out there.
And the answer is simple: hook it up to a Linux-based NAT router! If no server ports are exposed to the WAN, no worms can find the new box.
Only 147 pages of reading to secure your Windows XP?!? And they say Linux requires an in-depth knowledge of the OS...
There are some areas around the registry and memory dump settings that could be useful (how many actually send MS their abend dumps?), shutting remote access, and pointing out the usage and benefits of a firewall. When it comes to internet downloads/emails, though, the standard "Don't open unknown emails/attachments" still abounds. Rather lengthy - could do w/o the graphs and standard defs.
Hopefully SP2 will fix many of these problems.
Wow, changing all those settings really bumps up the Total Cost of Ownership (TCO) of Windows!
Windows XP *IS* Windows 3.11. We perceive the thought form at the root of each and merely hypostatize a different product because we believe in the illusion of time.
90% of all statistics are made up
Where did you hear that? I thought it was only 60%.
The shareholder is always right.
Yes, you and I have a clue and use something else for mail and web, but most home users are not savvy enough to switch away from the vulnerable products, and worms and viruses will continue to spread through these channels for some time to come.
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
The point is to download the Windoze updates *before* even running Outhouse or IE. And of course, following all the rest of the advice in the above document in setup, before doing ANYTHING on the web.
I'm also strongly of the opinion that home users that don't take precautions in this day and age deserve to have their boxen 0wn3d. And then have their ISP shut them down and isolate those boxen.
You mean like Cisco's Linksys routers, which are Linux based? Still, yes, certainly a hardware (flash ROM) based solution helps quite a bit, and is less troublesome to set up.
Quick way to get the post-SP1 pre-SP2 updates:
AutoPatcher
This is a good thing if you need to reinstall Windows soon before SP2 comes out.
Even after SP2 comes out and it shrinks in size, the features it allows you to change are great.
I've only kept my XP box around for games, movies, and entertainment. If I have to do something that needs to be secure I either use Mac OS X or Linux. I try to avoid the IE browser except when reading webcomics or news, and I do online banking far away from IE, but I'm not worried about that because I'm pretty sure my money is still federally insured under a plan whose name I forget. I like XP for games and that is about it so far, besides movies. I just hope SP2 doesn't ruin compatibility with some of my old favorites like Fallout 2.
I just briefly read through that document. It is an excellent read. Lots of the things they mention are fairly well known, but to have it all grouped together in a comprehensive document is a real godsend. Reminds me A LOT of Bastille Linux.
There is a huge advantage to having predefined profiles you can apply. I imagine myself using these security profiles to harden family members' PCs. I usually have neither the time nor the inclination to lock down my mother's computer... so having some defaults and a quick checklist will save me a TON of time in the long run.
It's also nice to be able to send someone a link and tell them "Do this stuff" rather than walk them through all the things they need to do to be safe. As I am sure most Slashdot readers have experienced, the unending number of tech calls from friends and family gets old after a little while. I think this document will help restore the free time that Uncle Bill has taken from me.
You're in IT? Notify upper management about the best tools available, then implement those tools. If you can't make a reasonable argument why Windows is a hazard, then get another career and move over for someone who can. It is POSSIBLE.
IT departments are the problem and Windows will be the dominant OS for decades to come until more IT "men" grow some balls.
HA! Just ask the boss for money and he gives it to you? That's rich. So, if Windows allows an email client to arbitrarily execute code in an email, it's the IT dept's fault? If Windows IIS allows you to run code by simply sending a malformed URL, it's the IT dept's fault? So, the solution is to buy yet more software, which will not know about these exploits until they are exposed anyway, and so is useless for unknown (but soon to be discovered) vulnerabilities?
And MS is the good guy and the IT guys are the bad guys, because all they have to do is go spend a bunch of money to secure an operating system they already paid a lot of money for? And if the company is dependent on software that will only run on Windows for a year or two, it's the IT dept's fault if the boss won't change to Linux?
I gotta admit, I did enjoy the "grow some balls", coming from an AC. You sound more like a pissed off 20 year old who just finished a program at DeVry and can't believe someone won't hire him for $80k.
Tequila: It's not just for breakfast anymore!
but I'm not supposed to download unknown zip files on my Windows machine.
There are already a lot of people who can do this. Well, without the first blank, that is.
I love C++
I had heard it as "A survey once showed that 50% of all statistics are wrong 90% of the time." :-D
Phibz
Step 3.....profit?
effectively securing Windows XP systems
That's the great thing about Slashdot -- timely reviews of only the very best science-fiction literature.
-- I could tell right away that she was impressed with my HUGE Slashdot Karma.
http://www.microsoft.com/security/protect/cd/order.asp
See? Wasn't that easy?
~hylas
Especially the one quoted in the article: "I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta."
Strike Three! You're OUT!
Glad to know that my taxpayer dollars not only go to subsidize their schooling and subsidize their certification programs, but also to generate a nice neat HOWTO manual for them to do their jobs.
No wonder there's so many pencils stuck in the ceiling.
+++ATHZ 99:5:80
Speak truth to power.
Going along the lines of the earlier Slashdot story (http://slashdot.org/article.pl?sid=04/07/06/1217243&mode=thread&tid=146&tid=188&tid=192&tid=99)
I wish my college prof threw out the books for class and asked us to use stuff like this; it has everything the books had in it, and it covers it so much better.
147. Search Google for "apache 2.0 win32". Download. Install. Copy and paste custom stuff into httpd.conf. Restart Apache service.
148. GHOST MACHINE. Never have to reinstall again.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
Dunno. I've done just fine with a years-old Linksys router. No AV, no anti-spyware software, and pretty much no configuration on the boxes themselves. Oh, and using Outlook and IE.
How have I gone literally YEARS without a virus, worm, or piece of spyware? Quite simple.
1. I don't steal other people's work. This has two implications. I don't install file sharing software, which is most always loaded with spyware. The other is that I don't download software of dubious origin.
2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto-run scripts in years now.
3. I limit the items that I do download to execute to those that are well known and from sites that I trust. I DO NOT go and download every screen saver I can find on the internet like a LOT of other idiots do. You'd be surprised at the amount of shit that creeps in through the installs of these whores.
4. When the little popup says that updates are available I install them. That simple. For software that I use which is not included in Windows Update I check the sites regularly (if they are software that is susceptible to this sort of thing).
No cost, save the router. All common sense and situational awareness when I surf. The people who have computers loaded with spyware lack this. And Linux/OSX/FreeBSD are NOT going to save them from themselves.
I'll have you know that I have lovely 'balls', so whenever you're done with your MBA (the only thing I can attribute your cluelessness to), perhaps get a mitt and get in the game. You're obviously not seeing a broad enough spectrum of the business world.
Since the NSA already has a guide for securing WinXP... which part of the government is authoritative on recommendations?
Here is the link to the page for NSA's Windows XP Security Guide (and others):
http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=scg10.3.1.1
2. I don't run executable content I get through email unless I know the source and am expecting the file. Outlook has not auto-run scripts in years now. (...) The other is that I don't download software of dubious origin.
Last I checked, IE ran executable code automagically due to a buffer overflow late last year, not sure if there are any such bugs this year.
Anyway, I realize what you're trying to say, but it is still a poor situation. It's like saying "Yeah, I drive a crappy and hazardous car with poor brakes, but I'm a good driver and drive defensively, so I don't get into any accidents anyway."
And regardless of how obvious it may seem to you, it is not common sense. It's your computer knowledge. Don't confuse common sense with logic. It is logical to you because you know how a computer works. It is not logical to a person who doesn't know what's inside that beige box, and has no idea what an OS is or does. And who really has no idea what is or should be happening when they open a file.
People have no clue what makes up a "dubious" origin. Hell, RealPlayer counts as dubious in my book (once a villain, always a villain), while an OSS project with no corporate backing, not knowing any of the coders, is usually less dubious. How do you know which are reputable companies? Knowledge, which implies that it is not common sense.
Kjella
Live today, because you never know what tomorrow brings
For any part that says "disable unused services", don't forget to check out the XP Service Config Guide by Black Viper.
[o]_O