ITL Bulletin for November 2006

ITL Bulletin for November 2006
ITL Bulletin for November 2006

Forwarded from: Elizabeth Lennon  



Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Users of home computers must deal with many threats to the security of 
their systems, including sophisticated attacks by people who 
deliberately attempt to cause mischief, disrupt operations, commit 
fraud, and steal identities.  Remotely launched attacks can spread 
malicious code and software, known as malware, through e-mail, malicious 
Web sites, and file downloads. These attacks may result in the insertion 
of viruses, worms, and spyware into home systems.

People attacking home computer systems can easily find information on 
the Internet to assist them in their activities. Information is readily 
available about vulnerabilities that are found in information technology 
(IT) products on a daily basis. Information about ready-to-use exploits 
and attacks can also be located readily. Since many IT products serve a 
wide range of users and systems, restrictive security controls are 
usually not enabled in systems by default. The available controls must 
be selected and installed appropriately for the individual systems. If 
the controls are not installed, the IT products are vulnerable. 
Therefore, many IT products are immediately vulnerable when they are 
installed out-of-the-box. Even experienced system administrators find 
that it is a complicated, arduous, and time-consuming task to identify a 
reasonable set of security settings for many IT products.  But without 
the proper protection, home computer users are vulnerable to threats and 

The security issues that challenge home computer users are of paramount 
concern to federal agency staff members who telecommute, using laptop 
computers, mobile devices, and home computers. Unless these systems are 
specifically protected, they can be less secure than those that are used 
within the federal organizational setting. The Information Technology 
Laboratory (ITL) at the National Institute of Standards and Technology 
(NIST) has developed general guidance for securing workstations and 
small computer installations, with a focus on specific guidance 
applicable to those systems running Windows XP Home Edition.

NIST Special Publication (SP) 800-69, Guidance for Securing Windows XP 
Home Edition: A NIST Security Configuration Checklist

Issued in September 2006, NIST SP 800-69, Guidance for Securing Windows 
XP Home Edition: A NIST Security Configuration Checklist, 
Recommendations of the National Institute of Standards and Technology 
(NIST), was written by Karen Kent and Murugiah Souppaya of NIST and John 
Connors of Booz Allen Hamilton. The publication is designed to alert 
home computer users to the threats to their systems and to make them 
aware of the security measures that are available for protecting 
systems. The information presented in the guide draws on extensive 
vendor knowledge and on the experience of government and security 
community experts. The Department of Homeland Security supported the 
development of the publication.

The guide explains the need to secure Windows XP Home Edition computers 
and the security protections that are available to reduce weaknesses, 
protect privacy, stop attacks, and preserve data. NIST SP 800-69 
provides practical guidance on how to install Windows XP Home Edition, 
how to secure new and existing installations, how to secure user 
accounts and settings, and how to maintain and monitor the security 
settings. The guidance applies generally to home desktop and laptop 
systems that run Windows XP Home Edition as the operating system.

In addition, the appendices contain step-by-step instructions for 
implementing additional security recommendations for computers with 
Windows XP Home Edition operating systems running Service Pack 2. 
Instructions are provided for securing certain applications, such as 
antivirus software, antispyware software, personal firewalls, e-mail 
clients, Web browsers, instant messaging clients, and office 
productivity suites.

The appendices also provide useful information about various tools, 
which are discussed in the publication, and which can be used to 
configure, manage, and monitor Windows XP Home Edition security 
settings. Other features include a glossary of terms used in the guide, 
a listing of acronyms, and a listing of in-print and online resources 
that should be helpful to people who want to learn more about Windows XP 
Home Edition and how to secure it.

The guide is available on NIST's Web pages at: 

NIST Security Configuration Checklists

NIST SP 800-69 supports the NIST Security Configuration Checklists 
Program for IT Products. Checklists of security settings, such as NIST 
SP 800-69, are useful tools that have been developed to guide IT 
administrators and security personnel in selecting effective security 
settings that will reduce the risks of Internet connections and protect 
systems from attacks. A checklist, sometimes called a security 
configuration guide, lockdown guide, hardening guide, security technical 
implementation guide, or benchmark, is basically a series of 
instructions for configuring an IT product to an operational 
environment.  Checklists can be effective in reducing vulnerabilities in 
systems, especially for small organizations with limited resources. IT 
vendors often create checklists for their own products, but other 
organizations such as consortia, academic groups, and government 
agencies also develop them.

NIST's checklists program provides a structure for the development and 
sharing of security configuration checklists. A central repository has 
been established for checklists that have been developed by 
organizations and submitted to NIST. This enables users to find 
checklists easily. NIST assists developers in making checklists that 
conform to common operational environments and associated baseline 
levels of security, and that are well documented and easy to use. A 
managed process provides for the review, update, and maintenance of the 

Information about NIST's checklist program is available at: 

Need to Secure Windows XP Home Edition

Users of Windows XP Home Edition need to be aware of the threats to the 
security of their systems and the security protections that will 
eliminate or reduce system vulnerabilities. The most common threat to 
these systems is malware, also known as malicious code, a computer 
program that is covertly placed onto a computer with the intent to 
compromise the privacy, accuracy, or reliability of the computer's data, 
applications, or operating system. Common types of malware threats are:

* Viruses - self-replicating code that makes copies of itself and 
  distributes the copies to other files, programs, or computers.

* Worms - self-replicating programs that are completely self-contained 
  and self-propagating.

* Malicious mobile code - malicious software that is transmitted from a 
  remote system to be executed on a local system without the user's 
  explicit instruction.

* Trojan horses - non-replicating programs that appear to be benign but 
  that have hidden malicious purposes.

* Rootkits - collections of files that are installed onto computers to 
  alter their functionality in a malicious and stealthy way, including 
  installing and hiding other types of malware.

Security protections, also called security controls, are the measures 
used to thwart threats and to compensate for the computer's security 
weaknesses, or vulnerabilities.  Threats are directed to take advantage 
of the vulnerabilities. Security protections can eliminate some of the 
vulnerabilities and also prevent attacks from taking advantage of 
vulnerabilities that cannot be eliminated.  Security protections include 
the following:

* Technical protection - configuring a computer to restrict the actions 
  that can be performed with the computer and to monitor the actions 
  that are performed.  Examples include the use of username and password 
  to limit access to a computer or service, or the use of a feature in 
  an application that automatically downloads and installs new versions 
  of the application with previous errors corrected.

* Operational protection - the actions performed by computer users. 
  Examples are the use of antivirus software to check a user's files, 
  e-mails, and Web browsing for malware and to quarantine or delete any 
  malware and prevent the malware from infecting the computer and 
  causing damage.  Other examples are making backup copies of users' 
  files, keeping a computer and the computer's removable media in a 
  locked room, and users learning how to use a computer securely.

* Management protection - oversight of the security of computers. While 
  taking place mostly within an organizational setting, management 
  oversight also includes practices such as users performing periodic 
  reviews of the security of their systems and identifying 

Security protections cannot prevent all attacks, but they can greatly 
reduce the opportunities that attackers have to gain access to a 
computer or to damage the computer's software or information. A 
combination of security protections may be needed to secure a Windows XP 
Home Edition computer effectively and to maintain its security 
protection. Then, if one protection fails or is ineffective against a 
particular threat, other protections are likely to prevent the threat 
from succeeding. Windows XP Home Edition computers should be secured 
using a combination of technical and operational protections, such as 
antivirus software, Windows XP Home Edition configuration settings, and 
user education and security awareness activities.  Security protections 
should be updated on a regular basis because new vulnerabilities in 
software are discovered on an ongoing basis.

NIST Recommendations for Securing Windows XP Home Edition

NIST recommends the following actions to improve the security of systems 
running Windows XP Home Edition:

Users should eliminate any known weaknesses in their Windows XP Home 
Edition computers because attackers will attempt to take advantage of 

Known weaknesses should be eliminated through a combination of several 
methods, including the following:

* Install Windows XP Home Edition Service Pack 2 (SP2) and apply 
  software updates to the computer on a regular basis, including Windows 
  XP Home Edition and software applications.

* Limit access to the computer through separate password-protected user 
  accounts for each person.

* Limit network access by disabling unneeded networking features, 
  limiting the use of remote access utilities and configuring wireless 
  networking securely.

* Disable services that are not needed.

Users should configure their Windows XP Home Edition computers to use a 
combination of software and software features that are designed 
specifically to stop attacks, particularly malware.

Every Windows XP Home Edition computer should use antivirus software, 
antispyware software, and a personal firewall at all times, and they 
should be kept up to date. Other helpful software performs the filtering 
of spam and Web content and carries out popup blocking. Users can also 
change settings on common applications such as e-mail clients, Web 
browsers, instant messaging clients, and office productivity suites to 
stop some attacks.

Users or administrators of Windows XP Home Edition computers should 
periodically perform backups that duplicate data from the computer onto 
another medium.

Performing regular backups helps to ensure that user data is available 
if an unfortunate event should occur, such as an attack against the 
computer, a hardware failure, a natural disaster, or human error. User 
data should be backed up periodically, on a weekly or monthly schedule, 
for example. Some of the options available for performing backups on 
Windows XP Home Edition computers are the use of utilities built into 
Windows XP Home Edition, as well as the use of third-party utilities and 
remote backup services.

Users or administrators of Windows XP Home Edition computers that 
connect to the Internet should ensure that they are protected properly 
from Internet-based threats.

The five most important protections that should be used for all Windows 
XP Home Edition computers connecting to the Internet are:

* Apply updates to the operating system and major applications, such as 
  e-mail clients and Web browsers, regularly. The updates should be done 
  through an automated process that checks for updates frequently.

* Use a limited user account for typical daily tasks on the computer. 
  Full privileges should be used only when performing computer 
  management tasks, such as installing updates and applications 
  software, managing user accounts, and modifying software and settings.

* Run up-to-date antivirus software and antispyware software that is 
  configured to monitor the computer and applications often used to 
  spread malware, such as Web browsing and e-mail, and to quarantine or 
  delete any identified malware.

* Use a personal firewall that is configured to restrict incoming 
  network communications to only that which is required.

* Perform regular backups so that data can be restored in case an 
  adverse event occurs.

For More Information

NIST SP 800-68, Guidance for Securing Microsoft Windows XP Systems for 
IT Professionals: A NIST Security Configuration Checklist, assists IT 
professionals, and particularly Windows XP system administrators and 
information security personnel, in securing Windows XP Professional 
systems running Service Pack 2.

NIST SP 800-70, Security Configuration Checklists Program for IT 
Products: Guidance for Checklist Users and Developers, discusses the 
development and dissemination of security configuration checklists to 
help users and developers of IT products secure their IT products and 

NIST SP 800-83, Guide to Malware Incident Handling and Prevention: 
Recommendations of the National Institute of Standards and Technology, 
assists organizations and users in planning and implementing security 
programs to prevent malware incidents as much as possible and to limit 
damage from any incidents that might occur.

NIST publications assist organizations in planning and implementing a 
comprehensive approach to IT security. For information about NIST 
standards and guidelines that are referenced in the Windows XP guide, as 
well as other security-related publications, see NIST's Web page: 

Any mention of commercial products or reference to commercial 
organizations is for information only; it does not imply recommendation 
or endorsement by NIST nor does it imply that the products mentioned are 
necessarily the best available for the purpose.

Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods