CSRC System Administration

MS Windows

Other Resources
Our Sponsor


 

white space white space


Description of the Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist - Special Publication 800-69

NIST is pleased to announce the release of Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist. SP 800-69 provides guidance to home users, such as telecommuting Federal employees, on improving the security of their home computers that run Windows XP Home Edition. Home computers face many threats from people wanting to cause mischief and disruption, commit fraud, and perform identity theft. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. It also emphasizes the importance of performing regular backups to ensure that user data is available after an adverse event such as an attack against the computer, a hardware failure, or human error. The publication contains detailed step-by-step directions for securing Windows XP Home Edition computers that can be performed by experienced Windows XP Home Edition users.

Comments and questions may be addressed to to itsec@nist.gov.


Frequently Asked Questions - FAQ
1. Why did NIST develop this publication?

It is a complicated and time-consuming task for home users and even experienced system administrators to know what a reasonable set of security settings is for a complex operating system such as Windows XP Home Edition. NIST sought to make this task simpler, easier, and more secure by developing this publication. NIST maintains that the settings make a substantial improvement in the security posture of Windows XP Home Edition computers.


2. How does the SP 800-69 relate to the NIST Security Configuration Checklist For IT Products program?

The guide represents a typical security configuration checklist that is included in the NIST program's checklist repository. It is consistent with the criteria outlined in the Special Publication 800-70, The NIST Security Configuration Checklist for IT Products Program. It was produced using the guidelines and security principles referenced in SP 800-70.


3. How was the publication developed?

The publication was developed by NIST. It is partially based on SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, which in turn is based on excellent material developed by the National Security Agency (NSA), DISA (Defense Information Systems Agency), U.S. Air Force (USAF), Microsoft, and other members of the security community.


4. Who is the intended audience?

The intended audience is Windows XP Home Edition users and IT professionals, particularly Windows XP system administrators and information security personnel who are responsible for securing Windows XP Home Edition computers used by telecommuters.


5. I have a Windows XP Professional, Windows 95, Windows 98, Windows NT, Windows Millennium Edition, or Windows 2000 computer. Should I apply the recommendations in the publication to my computer?

No. These recommendations may break your system. The recommendations should be applied only to Windows XP Home Edition computers.


6. Should I perform a full backup before applying the recommendations?

Yes. perform a full system backup before applying the recommendations. Although the recommendations have been tested, it is likely that the recommendations may cause conflict between settings and particular applications.


7. Is NIST going to keep this up-to-date?

Yes. It will be updated periodically as needed to reflect the most current recommended settings.


8. Should I make changes to the recommended settings?

Given the wide variation in operational and technical considerations, some local changes might need to be made to the settings (with the number of settings, a myriad of applications, and the variety of business functions supported by Windows XP systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings, document the implemented settings, and perform a full system backup before applying the settings.


9. Are there other protective measures that should be taken besides applying the recommended settings?

Yes. In addition to changing Windows XP Home Edition settings to strengthen the operating system's security, protective measures such as antimalware software and file encryption software may also need to be added to reduce the likelihood of compromises of the computers and any sensitive data they may contain. Users of Windows XP Home Edition computers should also safeguard their physical security, such as keeping laptops in a secure location when unattended. Federal agencies should also ensure that Windows XP Home Edition computers used as mobile
devices or for remote access comply with the additional protective measures described in Office of Management and Budget (OMB) Memorandum M-06-16, Protection of Sensitive Agency Information, which is available at http://www.whitehouse.gov/omb/memoranda/.


10. Is NIST endorsing or mandating the use of the Windows XP Systems or requiring each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Windows XP systems nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.

For agencies that want to deploy Windows XP computers for their telecommuters, NIST recommends the use of Windows XP Professional over Windows XP Home Edition because of the management features that Windows XP Professional offers. These features allow agencies to control the configuration and patching of Windows XP Professional computers more easily than Windows XP Home Edition computers.


11. I am a federal employee and use my personal Windows XP Home Edition system occasionally to process organizational information. How do I protect sensitive information on my Windows XP Home Edition?

Windows XP Home Edition computers may need to protect the confidentiality or integrity of Federal information in storage (e.g., file encryption) or in transit (e.g., virtual private networks [VPN], secure access to Web pages). Such computers must use Federal Information Processing Standards (FIPS) approved cryptographic algorithms specified in FIPS or in NIST Recommendations and contained in validated cryptographic modules. The Cryptographic Module Validation Program (CMVP) at NIST coordinates FIPS testing. Users should install third-party products onto Windows XP Home Edition computers to provide
file encryption capabilities. Windows XP Professional systems include the
Encrypting File System (EFS), a file encryption feature. However, EFS can only encrypt files that are stored on the local Windows XP Professional system. If there is a need to protect files no matter where they are located, such as stored on CDs or e-mailed to others, then third-party encryption software would need to be used instead of EFS. Third-party encryption software is also needed if the user wants to decrypt files that were encrypted on another computer and provided to the user through e-mail, removable media, or other means.




E-mail Notification of Updates

If you would like to be notified of updates to the Special Publication 800-69, send an e-mail message to itsec@nist.gov with the words subscribe SP 800-69 in the subject line.

 

Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Last updated: October 10, 2006
Page created: January10, 2001

Disclaimer Notice & Privacy Statement / Security Notice
Send comments or suggestions to itsec@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration