NIST SP800-43.pdf
Updated 2020-02-18
4.52MB PDF
Guidance for Securing Microsoft Windows 2000 Professional System is intended to assist personnel responsible for the administration and security of Windows 2000 Professional (Win2K Pro) systems. This guide is intended for managed environments and should not be applied throughout an enterprise unless trained and competent systems administrators (SA) are available on the staff. Experienced SAs in these managed environments may use this guide to secure local Win2K Pro workstations, Win2K Pro mobile computers, and Win2K Pro computers used by telecommuters. NIST recommends that users who are directly applying this guide to secure their computers have significant competence in the administration of Windows systems.
The guide provides detailed information about the security features of Win2K Pro, security configuration guidelines for popular applications, and security configuration guidelines for the Win2K Pro operating system. The guide documents the methods that SAs can use to implement each security setting recommended. The principal goal of the document is to recommend and explain tested, secure settings for Win2K Pro workstations with the objective of simplifying the administrative burden of improving the security of Win2K Pro systems.
This guide includes security templates that will enable SAs to apply the security recommendations rapidly. The NIST Windows 2000 Professional Security Templates are text-based configuration files that specify values for security-relevant system settings. The security templates modify several key policy areas of a Windows 2000 Professional system. The policy areas include password policy, account lockout policy, auditing policy, user rights assignment, system security options, event log policy, system service settings, and file permissions.
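Because the templates are plain text grouped by policy area, a configuration exported from a workstation can be checked against a baseline template mechanically. The following is an added example, not part of the NIST guide or its templates: it parses two template-style texts and reports settings that drift from the baseline. The setting values are constructed for illustration and are not NIST's recommended values; `parse_template` and `drift` are hypothetical helper names.

```python
# Added example: all setting values below are constructed, not NIST's values.
BASELINE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 3
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

EXPORTED = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 1
AuditPolicyChange = 3
"""

def parse_template(text):
    """Return {section: {key: value}} for key=value lines; skip ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def drift(baseline_text, actual_text, areas=("System Access", "Event Audit")):
    """List (section, key, expected, actual) where the system differs from baseline."""
    want, have = parse_template(baseline_text), parse_template(actual_text)
    findings = []
    for area in areas:
        for key, expected in want.get(area, {}).items():
            actual = have.get(area, {}).get(key)  # None: setting not defined
            if actual != expected:
                findings.append((area, key, expected, actual))
    return findings

if __name__ == "__main__":
    for area, key, expected, actual in drift(BASELINE, EXPORTED):
        print(f"[{area}] {key}: expected {expected}, found {actual}")
```

A setting reported with `None` is absent from the exported configuration, which is worth reviewing separately from a setting that is present with a weaker value.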
The NISTWin2kProGold.inf security template development was initially based in part on the National Security Agency’s (NSA) Win2K Pro guidance. We examined the NSA settings and guidance and built on the excellent material they developed. NIST conducted extensive analysis and testing of the NSA settings, substantially extended and refined the NSA template settings, and developed additional template settings. NIST developed detailed explanatory material for the template settings, Win2K Pro security configuration, and application-specific security configuration guidance. Subsequently, NIST led the development of a consensus baseline of Win2K security settings in collaboration with the public and private sectors, most notably NSA, Defense Information Systems Agency (DISA), the Center for Internet Security (CIS), and the SysAdmin Audit Network Security Institute (SANS). Microsoft also provided valuable technical commentary and advice. The consensus settings are reflected in the NISTWin2kProGold.inf security template.
The development of the NISTWin2kProGoldPlus.inf security template was driven by a need for added restrictions to create a more secure Win2K Pro workstation. The NISTWin2kProGoldPlus.inf security template contains all of the settings of the NISTWin2kProGold.inf security template, plus added restrictions on command line executables that could be used by attackers to gather network information or launch malicious files. Many of the restricted executables may be commonly used by users within an organization. Therefore, use caution when applying the security template and make modifications to the security template application restriction settings to conform to local policy before application.
The NIST security templates can be rapidly applied to a Windows 2000 Professional operating system using the Security Configuration Tool Set or the command line tool Secedit. Every Win2K Pro system includes these configuration tools, which can be used to analyze, configure, export, and verify the security configuration of a Windows 2000 system. The Security Configuration Tool Set is a graphical user interface (GUI) based tool allowing SAs to centrally test and apply security policies for standalone and
