NIST aims to ease XP security setup

Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist

Officials at the National Institute of Standards and Technology hope their new publication will help simplify the process of setting security controls on Microsoft Corp.'s Windows XP Professional operating system.

NIST officials, who released the draft of Special Publication 800-68 this week, said the recommendations and security configuration checklists will help federal agencies fulfill their responsibilities for computer and information security under the Federal Information Security Management Act of 2002.

The document's authors acknowledge the difficulty of setting reasonable security controls on an operating system as complex as Windows XP Pro. A publication that guides systems administrators and technical users through the process should help other federal agencies avoid time-consuming and costly mistakes, NIST officials said.

They worked with the Defense Information Systems Agency, the National Security Agency, Microsoft and the nonprofit Center for Internet Security to reach a consensus on security settings for Windows XP and for productivity applications, e-mail, Web browsers, personal firewalls and antivirus programs that run on XP.

Next month, NIST officials will release a separate publication on the agency's new Security Configuration Checklists Program. Under that program, NIST will operate a Web portal that enables users to search for software products by name, product type and security level. Federal officials will be able to make purchasing decisions, for example, based on whether a security configuration checklist exists for a particular product.

Software makers, businesses and government agencies are beginning to reach consensus on security controls that can be tolerated without breaking the programs that run on computers, said Clint Kreitner, president and chief executive officer of the Center for Internet Security. The center develops security configurations through a process based on consensus and testing.

On the basis of those consensus configurations, Kreitner said, companies such as Dell Inc. have begun shipping computers with a secure configuration of Windows 2000. In a few months, Dell will sell computers with a similar security configuration for Windows XP.

Microsoft also has shipped its Windows Server 2003 software with recommended security settings in place, Kreitner said. And the company is working with the configuration standards group to do the same with Exchange 2003, Microsoft's suite of collaboration software.