
SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals

SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, has been published as final. It seeks to assist IT professionals in securing Windows XP Professional systems running Service Pack 2 or 3. The guide provides detailed information about the security features of Windows XP and security configuration guidelines. SP 800-68 Revision 1 updates the original version of SP 800-68, which was released in 2005.

NIST Windows Security Baseline Database (Beta)

The NIST Windows Security Baseline Database is being released for public comment. The database contains information on security setting baselines for Microsoft Windows XP, Windows Vista, Internet Explorer 7 (IE7), and Windows Firewall that are specified in NIST security templates and in the Federal Desktop Core Configuration (FDCC) Major Version 1.0. The database allows interested parties to view security settings by baseline or by policy (e.g., FDCC), as well as to compare baselines to each other. The information in the database is intended to supplement Draft SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals.

Description of the Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist - Special Publication 800-68

NIST Special Publication 800-68 has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional SP2 systems. It discusses Windows XP and various application security settings in technical detail. The guide provides insight into the threats and security controls that are relevant for various operational environments, such as a large enterprise or a home office. It describes the need to document, implement, and test security controls, as well as to monitor and maintain systems on an ongoing basis. It presents an overview of the security components offered by Windows XP and provides guidance on installing, backing up, and patching Windows XP systems. It discusses security policy configuration, provides an overview of the settings in the accompanying NIST security templates, and discusses how to apply additional security settings that are not included in the NIST security templates. It demonstrates securing popular office productivity applications, Web browsers, e-mail clients, personal firewalls, antivirus software, and spyware detection and removal utilities on Windows XP systems to provide protection against viruses, worms, Trojan horses, and other types of malicious code. This list is not intended to be a complete list of applications to install on a Windows XP system, nor does it imply NIST's endorsement of particular commercial off-the-shelf (COTS) products.

Comments and questions may be addressed to itsec@nist.gov.

Frequently Asked Questions - FAQ
1. Why did NIST develop this publication?

It is a complicated and time-consuming task, even for experienced system administrators, to determine what a reasonable set of security settings is for a complex operating system such as Windows XP Professional. NIST developed this publication to make that task simpler, easier, and more secure. NIST, together with the members of the security community who participated in reviewing and testing the publication's baseline settings, maintains that the settings substantially improve the security posture of WinXP systems.

2. How does the SP 800-68 relate to the Federal Information Security Management Act (FISMA)?

One of the requirements of the FISMA legislation is that Federal agency systems must be compliant with minimally acceptable system configuration requirements. By implementing the publication's recommendations, its security templates, and its other general prescriptive recommendations, organizations should be able to meet the baseline system configuration requirements for Windows XP systems. This is based upon the management, operational, and technical security controls described in the draft NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems.

3. How does the SP 800-68 relate to the NIST Security Configuration Checklist For IT Products program?

The guide represents a typical security configuration checklist that is included in the NIST program's checklist repository. It is consistent with the criteria outlined in Special Publication 800-70, The NIST Security Configuration Checklist for IT Products Program, and was produced using the guidelines and security principles referenced in SP 800-70.

4. How were the publication and security templates developed?

The publication was developed by NIST; however, NIST started with excellent material developed by the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the U.S. Air Force (USAF), Microsoft, and other members of the security community. NIST collaborated with NSA, DISA, the Center for Internet Security (CIS), and Microsoft to produce the publication's consensus baseline settings for various operational environments, in particular the Specialized Security-Limited Functionality templates.

5. Who is the intended audience?

The intended audience is Windows XP system administrators and technically proficient Windows XP users. The document assumes that the reader has experience installing and administering Windows-based systems in domain or stand-alone configurations. The FDCC baseline was produced under the direction of OMB.

6. I have a Windows XP Home Edition, Windows 95, Windows 98, Windows NT, Windows 2000, Windows Server 2003, or Windows Server 2008. Should I apply these templates to my machine?

No. These recommendations and security templates may break your system. The templates should be applied only to Windows XP Professional SP2 systems.

7. Will non-WinXP compliant legacy applications be broken if I install these templates?

Some legacy applications that are not Windows XP compliant may not function properly and may require additional testing and experimentation. Perform a full system backup before applying the recommendations.

8. Should I test this before applying it in my environment?

Yes. Test the recommended settings on a carefully selected test machine first.

9. What about power users?

Power Users is an insecure group designed to (1) provide backward compatibility for applications that are not certified for Windows XP, and (2) perform basic administrative tasks in a Windows XP workgroup environment. The publication's templates restrict its use.

10. What is the impact caused by applying the Specialized Security-Limited Functionality template and the FDCC GPOs?

The Specialized Security-Limited Functionality template and the FDCC GPOs contain the more restrictive settings and will reduce the functionality and interoperability of the Windows XP system. They will reduce the usability of a typical system found in a multi-purpose managed environment and will break legacy or other general-purpose applications. They should only be used by experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements.

11. Is NIST going to keep this up-to-date?

Yes. The NIST Windows Security Baseline Database, FDCC GPOs, and security templates will be updated to reflect the most current recommended settings.

12. Should I make changes to the baseline settings?

Given the wide variation in operational and technical considerations across enterprises, some local changes to the baseline and its associated settings should be expected (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows XP systems, this is unavoidable). Of course, use caution and good judgment when changing the security settings. Always test the settings on a carefully selected test machine first, and document the settings that were implemented.
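As an added illustration of the test-first and document-everything advice in questions 8 and 12, and of the Power Users restriction in question 9, the following Windows PowerShell script is a pre-deployment audit for a Windows XP Professional test machine. It is not part of SP 800-68 or the NIST templates. It assumes an administrative PowerShell session (PowerShell is an optional install on XP SP2/SP3), the secedit.exe tool that ships with Windows, and a template file whose name below is a placeholder for the real NIST .inf file. The script records the settings currently in effect, analyses the template against the live system without applying it, and reports who is still in the Power Users group.

```powershell
# Added example, not from SP 800-68 or the NIST page.
# Pre-deployment audit for a Windows XP Professional test machine.
# Assumptions: administrative Windows PowerShell session; secedit.exe present
# (ships with the OS); $TemplatePath is a placeholder for the real NIST .inf.

param(
    [string]$TemplatePath = 'C:\Baselines\PLACEHOLDER-nist-template.inf',  # placeholder
    [string]$OutDir       = 'C:\Baselines\audit'
)

if (-not (Test-Path $TemplatePath)) { throw "Template not found: $TemplatePath" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Document the live configuration (question 12). secedit /export writes the
#    effective local security policy to an .inf that can be kept with the test
#    record and compared against later exports.
$currentInf = Join-Path $OutDir "current-policy-$stamp.inf"
& secedit.exe /export /cfg $currentInf /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit code $LASTEXITCODE)" }

# 2. Analyse, do not configure (question 8). /analyze loads the template into a
#    scratch database and compares it with the machine; /configure would apply
#    it, so it is deliberately not used here.
$db  = Join-Path $OutDir "analysis-$stamp.sdb"
$log = Join-Path $OutDir "analysis-$stamp.log"
& secedit.exe /analyze /db $db /cfg $TemplatePath /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit code $LASTEXITCODE)" }

# Settings that differ from the template are marked 'Mismatch' in the secedit
# log; settings the template does not cover appear as 'Not Configured'.
$mismatchLines = @(Select-String -Path $log -Pattern 'Mismatch' |
                   ForEach-Object { $_.Line.Trim() })

# 3. Power Users membership (question 9). The templates restrict the group, so
#    any remaining member should be reviewed before the template is applied.
$powerUsers = @()
try {
    $group = [ADSI]'WinNT://./Power Users,group'
    $powerUsers = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
} catch {
    Write-Warning "Could not read Power Users membership: $_"
}

# Summary for the change record, plus the mismatch list as a separate file.
$report = New-Object PSObject -Property @{
    Timestamp         = $stamp
    ExportedPolicy    = $currentInf
    AnalysisLog       = $log
    MismatchCount     = $mismatchLines.Count
    PowerUsersMembers = ($powerUsers -join ', ')
}
$report | Format-List
$mismatchLines | Set-Content -Path (Join-Path $OutDir "mismatches-$stamp.txt")
```

Run it on the selected test machine before any template is applied; the exported .inf and the mismatch list together form the "documented settings" the FAQ asks for, and re-running the script after the template has been applied and the legacy applications exercised shows exactly which settings changed.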

13. Is NIST endorsing or mandating the use of Windows XP systems, or requiring that each setting be applied as stated?

No. NIST does not endorse the use of any particular product or system. NIST is not mandating the use of Windows XP systems, nor is NIST establishing conditions or prerequisites for Federal agency procurement or deployment of any system. NIST is not precluding any Federal agency from procuring or deploying other computer hardware or software systems for which NIST has not developed a publication or a security configuration checklist.

E-mail Notification of Updates

If you would like to be notified of updates to the Special Publication 800-68, send an e-mail message to itsec@nist.gov with the words subscribe SP 800-68 in the subject line.


Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Last updated: October 10, 2008
Page created: January 10, 2001

Send comments or suggestions to itsec@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration