Special Publication 800-68 Revision 1 Sponsored by the Department of Homeland Security Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Paul M. Johnson NIST Special Publication 800-68 Guide to Securing Microsoft Windows XP Revision 1 Reports on Computer Systems Technology Systems for IT Professionals: A NIST Security Configuration Checklist Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Paul M. Johnson C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 October 2008 U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology Dr. Patrick D. Gallagher, Deputy Director GUIDE TO SECURING MICROSOFT WINDOWS XP SYSTEMS FOR IT PROFESSIONALS Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-68 Revision 1 Natl. Inst. Stand. Technol. Spec. Publ. 800-68 Rev. 1, 127 pages (Oct. 2008) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessa rily the best available for the purpose. ii GUIDE TO SECURING MICROSOFT WINDOWS XP SYSTEMS FOR IT PROFESSIONALS Acknowledgements The authors, Karen Scarfone and Murugiah Souppaya of the National Institute of Standards and Technology (NIST) and Paul M. Johnson of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content, particularly Tim Grance and Blair Heiserman of NIST and Kurt Dillard. Acknowledgements, Original Version The authors, Murugiah Souppaya of the National Institute of Standards and Technology (NIST) and Karen Kent and Paul M. Johnson of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge Chris Enloe, Tim Grance, Arnold Johnson, Larry Keys, Kathy Ton-nu, and John Wack of NIST; Robert Chang, Anthony Harris, and Richard Park of Booz Allen Hamilton; and Kurt Dillard of Microsoft for their keen and insightful assistance throughout the development of the document. The authors would also like to express their thanks to the reviewers of the draft publication for their particularly valuable comments and suggestions, in particular Dean Farrington (Wells Fargo Bank), Nathan Look (Los Angeles Department of Water and Power), James McKeithen, W. Warren Pearce (Air Force Satellite Control Network), Peter Tracy (Belarc), the Department of Energy, the Internal Revenue Service, and the Social Security Administration. Additionally, the authors also thank the Department of Homeland Security (DHS), Defense Information Agency (DISA), the Center for Internet Security (CIS), the National Security Agency (NSA), the United States Air Force (USAF), Microsoft Corporation, and other individuals for their valuable contributions to the baseline security templates and continued hard work to improve security in this and other similar efforts. The National Institute of Standards and Technology would also like to express its appreciation and thanks to the Department of Homeland Security for its sponsorship and support of NIST SP 800-68. Trademark Information Microsoft, Windows, Windows Vista, Windows XP, Windows 2000, Windows NT, Internet Explorer, Microsoft Office, Outlook, Outlook Express, and Microsoft Word are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. iii GUIDE TO SECURING MICROSOFT WINDOWS XP SYSTEMS FOR IT PROFESSIONALS Table of Contents Executive Summary..............................................................................................................ES-1 1. Introduction ......................................................................................................................1-1 1.1 Authority...................................................................................................................1-1 1.2 Purpose and Scope .................................................................................................1-1 1.3 Audience ..................................................................................................................1-2 1.4 Document Structure .................................................................................................1-2 2. Windows XP Security Guide Development....................................................................2-1 2.1 Windows XP System Roles and Requirements .......................................................2-2 2.2 Security Categorization of Information and Information Systems ............................2-3 2.3 Baseline Security Controls and Threat Analysis Refinement...................................2-4 2.3.1 Local Threats................................................................................................2-5 2.3.2 Remote Threats............................................................................................2-7 2.4 Environments and Security Controls Documentation ............................................2-10 2.4.1 SOHO.........................................................................................................2-10 2.4.2 Enterprise ...................................................................................................2-11 2.4.3 Specialized Security-Limited Functionality (SSLF).....................................2-13 2.4.4 Legacy........................................................................................................2-14 2.4.5 FDCC..........................................................................................................2-14 2.4.6 Security Documentation .............................................................................2-14 2.5 Implementation and Testing of Security Controls ..................................................2-15 2.6 Monitoring and Maintenance..................................................................................2-15 2.7 Summary of Recommendations.............................................................................2-16 3. Windows XP Security Components Overview ..............................................................3-1 3.1 New Features in Windows XP .................................................................................3-1 3.1.1 Networking Features ....................................................................................3-1 3.1.2 Authentication and Authorization..................................................................3-2 3.1.3 Other.............................................................................................................3-4 3.2 Security Features Inherited from Windows 2000 .....................................................3-5 3.2.1 Kerberos .......................................................................................................3-5 3.2.2 Smart Card Support......................................................................................3-6 3.2.3 Internet Connection Sharing.........................................................................3-6 3.2.4 Internet Protocol Security .............................................................................3-6 3.2.5 Encrypting File System.................................................................................3-7 3.3 Summary of Recommendations...............................................................................3-7 4. Installation, Backup, and Patching.................................................................................4-1 4.1 Performing a New Installation ..................................................................................4-1 4.1.1 Partitioning Advice........................................................................................4-1 4.1.2 Installation Methods......................................................................................4-2 4.2 Backing Up Systems................................................................................................4-4 4.3 Updating Existing