NIST aims to ease XP security setup

[InfoSec News <isn () c4i org>]

http://www.fcw.com/fcw/articles/2004/0628/web-nist-06-29-04.asp

By Florence Olsen 
June 29, 2004 

Officials at the National Institute of Standards and Technology hope
their new publication will help simplify the process of setting
security controls on Microsoft Corp.'s Windows XP Professional
operating system.

NIST officials, who released the draft of Special Publication 800-68
this week, said the recommendations and security configuration
checklists will help federal agencies fulfill their responsibilities
for computer and information security under the Federal Information
Security Management Act of 2002.

The document's authors acknowledge the difficulty of setting
reasonable security controls on an operating system as complex as
Windows XP Pro. A publication that guides systems administrators and
technical users through the process should help other federal agencies
avoid time-consuming and costly mistakes, NIST officials said.

They worked with the Defense Information Systems Agency, the National
Security Agency, Microsoft and the nonprofit Center for Internet
Security to reach a consensus on security settings for Windows XP and
for productivity applications, e-mail, Web browsers, personal
firewalls and antivirus programs that run on XP.

Next month, NIST officials will release a separate publication on the
agency's new Security Configuration Checklists Program. Under that
program, NIST will operate a Web portal that enables users to search
for software products by name, product type and security level.  
Federal officials will be able to make purchasing decisions, for
example, based on whether a security configuration checklist exists
for a particular product.

Software makers, businesses and government agencies are beginning to
reach consensus on security controls that can be tolerated without
breaking the programs that run on computers, said Clint Kreitner,
president and chief executive officer of the Center for Internet
Security. The center develops security configurations through a
process based on consensus and testing.

On the basis of those consensus configurations, Kreitner said,
companies such as Dell Inc. have begun shipping computers with a
secure configuration of Windows 2000. In a few months, Dell will sell
computers with a similar security configuration for Windows XP.

Microsoft also has shipped its Windows Server 2003 software with
recommended security settings in place, Kreitner said. And the company
is working with the configuration standards group to do the same with
Exchange 2003, Microsoft's suite of collaboration software.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
(Broke? Spend 15 minutes a day on the project!)