CSRC System Administration

MS Windows

Other Resources
Our Sponsor


white space white space

Description of the NIST Systems Administration Guidance for Windows 2000 Professional - Special Publication 800-43

The Systems Administration Guidance for Windows 2000 Professional publication is intended to assist the users and system administrators of Windows 2000 Professional systems in configuring their hosts by providing configuration templates and security checklists. The guide provides detailed information about the security features of Win2K Pro, security configuration guidelines for popular applications, and security configuration guidelines for the Win2K Pro operating system. The guide documents the methods that the system administrators can use to implement each security setting. The principal goal of the document is to recommend and explain tested secure settings for Win2K Pro workstations with the objective of simplifying the administrative burden of improving the security of Win2K Pro systems.

This guidance document also includes recommendations for testing and configuring common Windows applications. The application types include electronic mail (e-mail) clients, Web browsers, productivity applications, and antivirus scanners. This list is not intended to be a complete list of applications to install on Windows 2000 Professional, nor does it imply NIST's endorsement of particular commercial off-the-shelf (COTS) products. Many of the configuration recommendations for the tested Windows applications focus on deterring viruses, worms, Trojan horses, and other types of malicious code. The guide presents recommendations to protect the Windows 2000 Professional system from malicious code when the tested applications are being used.

Comments and questions may be addressed to itsec@nist.gov.

Frequently Asked Questions - FAQ
1. Why did NIST develop this publication?

It is a complicated, arduous, and time-consuming task for even experienced system administrators to know what a reasonable set of security settings are for a complex operating system. NIST sought to make this task simpler, easier, and more secure. NIST believes, along with major segments of the security community, who participated in reviewing and testing these baseline settings that these settings make a substantial improvement in the security posture of Win2K Professional systems. By using and applying the expertise of the security community via these consensus settings and the NIST special publications and consciously patching or mitigating known vulnerabilities you can certainly markedly reduce your vulnerability exposure.

2. How were the publication and security templates developed?

The special publication was developed by NIST. NIST started with some excellent material developed by the National Security Agency (NSA) and the Security Community. The NIST security templates development were initially based in part on the National Security Agency's (NSA) Win2K Pro guidance. NIST examined the NSA settings and guidance and built on the excellent material they developed. NIST conducted extensive analysis and testing of the NSA settings, substantially extended and refined the NSA template settings, and developed additional template settings. NIST developed detailed explanatory material for the template settings, Win2K Pro security configuration, and application specific security configuration guidance. Subsequently, NIST led the development of a consensus baseline of Win2K security settings in collaboration with the public and private sectors, specifically NSA, Defense Information Systems Agency (DISA), the Center for Internet Security (CIS), and the SysAdmin Network Security Institute (SANS). Microsoft also provided valuable technical commentary and advice. GSA also reviewed and concurred with the baseline. The consensus settings are reflected in the NISTWin2kProGold.inf security template.

3. Who is the intended audience?

The intended audience is composed of Windows 2000 Systems Administrators and technical Windows 2000 Professional users working in managed environments. The document assumes that the reader has some experience installing and administering Windows-based systems in domain or stand-alone configurations.

4. I have a Windows NT, Windows XP, or Windows 2000 server. Should I apply these templates to my machine?

No. These recommendations and security templates should be applied only to the Windows 2000 Professional workstation.

5. I am a home user. Should I apply this to my Windows 2000 Professional system?

This guide is intended for managed environments and NIST recommends that the users who are directly applying this guide to secure their computers have significant competence in the administration of Windows systems. Applying these settings to a home system may break legacy applications that are not Windows 2000 compliant.

6. Will legacy applications be broken?

Some legacy applications that are not Windows 2000 compliant may not function properly and may require additional testing and experimentation. Perform a full system backup before applying the recommendations.

7. Should I test this before applying it in my environment?

Yes. Test the recommended settings on a carefully selected test machine before being applied to operational systems.

8. What about power users?

Power users group is an insecure group designed to provide backward compatibility for applications that are not certified for Windows 2000 and to perform basic administrative tasks in a Windows 2000 Professional workgroup environment.

9. Are you going to keep this up to date?

Yes. The Appendix B and security templates will be updated to reflect the most current consensus settings.

10. How does the NIST template relate to the template developed by CIS?

The NIST templates represent the consensus settings found in the CIS template except that we add settings that will allow a user to operate Netscape Communicator 4.7x in a user context. In addition, the NISTWin2kProGoldPlus.inf template includes restrictions on various executables to provide added protection for sites that require it.

11. Should I use the CIS tools?

The CIS tool can be used to verify how well a system matches the recommended baseline security for Windows 2000 Professional. Refer to the Appendix C - Tools for a list of other tools, i.e. hfnetchk, MBSA, etc.

12. Should I make changes to the baseline settings?

It is inevitable and appropriate that some local changes will need to be made to the baseline and the associated settings given the wide variation in operational and technical considerations that go into operating any major enterprise. With hundreds of settings and the myriad of applications used and supported by the Win 2000 Professional system and the variety of missions and business functions supported, this should be expected. Of course, use caution and good judgment in making changes to the security settings.

13. Is NIST endorsing or mandating the use of the Win 2000 Professional System or requiring each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of the Win 2000 Professional System nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. As stated above, NIST is not requiring agencies to select specific settings or options recommended in the publication. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security checklist.

Supporting Documents

E-mail Notification of Updates

If you would like to be notified of updates to the Systems Administration Guidance for Windows 2000 Professional publication, please send an e-mail message to itsec@nist.gov requesting to be on the notification list.


Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Last updated: November 25, 2002
Page created: January10, 2001

Disclaimer Notice & Privacy Statement / Security Notice
Send comments or suggestions to itsec@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration