NIST SP800-68r1：Windows XP安全配置指南

需积分: 9 191 浏览量更新于2024-07-16 收藏 1.37MB PDF 举报

"NIST SP800-68r1.pdf" 是一份由美国国家标准与技术研究所（NIST）发布的指南，旨在帮助IT专业人员在不同环境下安全配置Windows XP工作站、移动计算机和远程办公计算机。这份指南专门针对运行Service Pack 2 (SP2)或Service Pack 3 (SP3)的Windows XP Professional系统。它提供了Windows XP的安全特性详解，流行应用程序的安全配置指南，以及Windows XP操作系统本身的配置指南。该文档的主要目标是推荐并解释经过测试的安全设置，以简化在小型办公室/家庭办公室（SOHO）、企业、特殊安全有限功能（SSLF）、遗留和联邦桌面核心配置（FDCC）五种环境下的Windows XP系统安全提升的管理负担。所提出的控制措施与NIST SP 800-53中表示的IT系统的最低安全控制一致。此指南及其关联模板是为了支持NIST的国家检查表计划而创建的。 NIST SP800系列标准是美国政府对信息技术系统安全的权威指导，其中SP800-68r1聚焦于Windows XP的安全配置，为IT专业人士提供了实施每项推荐安全设置的方法。作者包括Karen Scarfone、Murugiah Souppaya和Paul M. Johnson，他们都是在计算机安全领域有着深厚经验的专家。该文档详细阐述了如何根据NIST的建议来保护Windows XP系统，包括但不限于设置防火墙、更新和补丁管理、用户权限管理、数据加密、审计日志记录等方面。此外，它还讨论了如何在SOHO环境中确保家庭办公室设备的安全，以及在企业环境中如何实现更高级别的安全策略。对于SSLF环境，它提出了更为严格的安全限制，以减少攻击面。对于遗留系统，指南提供了解决方案以应对旧版软件和硬件的安全挑战。最后，FDCC是联邦机构的标准配置，旨在标准化联邦政府的桌面安全。 NIST SP800-68r1是IT专业人员维护和增强Windows XP系统安全的重要参考文献，提供了实用的步骤和建议，有助于确保这些系统在不断演变的威胁环境中保持安全。

GUIDE TO SECURING MICROSOFT WINDOWS XP SYSTEMS FOR IT PROFESSIONALS

Figure 2-1. The Facets of Windows XP Security

2.1 Windows XP System Roles and Requirements

Windows XP security should take into account the role that the system plays. For the purposes of this

guide, Windows XP systems can be divided into three roles: inward-facing, outward-facing, and mobile.

 Inward-Facing. An inward-facing XP system is typically a user workstation on the interior of a

network that is not directly accessible from the Internet. Physical access is also generally limited in

some manner (e.g., only employees have access to the work area). In many environments, inward-

facing systems share a common hardware and software configuration because they are centrally

deployed and managed (e.g., Microsoft domains, Novell networks). Because an inward-facing

system is usually in the same environment all the time (e.g., desktop on the corporate local area

network [LAN]), the threats against the system do not change quickly. In general, inward-facing

systems are relatively easy to secure, compared to outward-facing and mobile systems.

 Outward-Facing. An outward-facing XP system is one that is directly connected to the Internet.

The classic example is a home computer that connects to the Internet through dial-up or broadband

access. Such a system is susceptible to scans, probes, and attacks launched against it by remote

attackers. It typically does not have the layers of protection that an inward-facing system typically

has, such as network firewalls and intrusion detection systems. Outward-facing systems are often at

high risk of compromise because they have relatively high security needs, yet are typically

administered by users with little or no security knowledge. Also, threats against outward-facing

systems may change quickly since anyone can attempt to attack them at any time.

 Mobile. A system with a mobile role typically moves between a variety of environments and

physical locations. For network connectivity, this system might use both traditional wired methods

(e.g., Ethernet, dialup) and wireless methods (e.g., IEEE 802.11). The mobility of the system makes

2-2

GUIDE TO SECURING MICROSOFT WINDOWS XP SYSTEMS FOR IT PROFESSIONALS

it more difficult to manage centrally. It also exposes the system to a wider variety of threat

environments; for example, in a single day the system might be in a home environment, an office

environment, a wireless network hotspot, and a hotel room. An additional threat is the loss or theft of

the system. This could lead to loss of productivity at a minimum, but could also include the

disclosure of confidential information or the possible opening of a back door into the organization if

remote access is not properly secured.

2.2 Security Categorization of Information and Information Systems

The classic model for information security defines three objectives of security: maintaining

confidentiality, integrity, and availability. Confidentiality refers to protecting information from being

accessed by unauthorized parties. Integrity refers to ensuring the authenticity of information—that

information is not altered, and that the source of the information is genuine. Availability means that

information is accessible by authorized users. Each objective addresses a different aspect of providing

protection for information.

Determining how strongly a system needs to be protected is based largely on the type of information that

the system processes and stores. For example, a system containing medical records probably needs much

stronger protection than a computer only used for viewing publicly released documents. This is not to

imply that the second system does not need protection; every system needs to be protected, but the level

of protection may vary based on the value of the system and its data. To establish a standard for

determining the security category of a system, NIST created Federal Information Processing Standards

(FIPS) Publication (PUB) 199, Standards for Security Categorization of Federal Information and

Information Systems.

FIPS PUB 199 establishes three security categories—low, moderate, and high—

based on the potential impact of a security breach involving a particular system. The FIPS PUB 199

definitions for each category are as follows:

“The potential impact is LOW if the loss of confidentiality, integrity, or availability could

be expected to have a limited adverse effect on organizational operations, organizational

assets, or individuals. A limited adverse effect means that, for example, the loss of

confidentiality, integrity, or availability might (i) cause a degradation in mission

capability to an extent and duration that the organization is able to perform its primary

functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor

damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor

harm to individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity, or

availability could be expected to have a serious adverse effect on organizational

operations, organizational assets, or individuals. A serious adverse effect means that, for

example, the loss of confidentiality, integrity, or availability might (i) cause a significant

degradation in mission capability to an extent and duration that the organization is able to

perform its primary functions, but the effectiveness of the functions is significantly

reduced; (ii) result in significant damage to organizational assets; (iii) result in significant

financial loss; or (iv) result in significant harm to individuals that does not involve loss of

life or serious life threatening injuries.

The potential impact is HIGH if the loss of confidentiality, integrity, or availability could

be expected to have a severe or catastrophic adverse effect on organizational operations,

organizational assets, or individuals. A severe or catastrophic adverse effect means that,

FIPS PUB 199 is available for download from http://csrc.nist.gov/publications/PubsFIPS.html.

2-3

GUIDE TO SECURING MICROSOFT WINDOWS XP SYSTEMS FOR IT PROFESSIONALS

for example, the loss of confidentiality, integrity, or availability might (i) cause a severe

degradation in or loss of mission capability to an extent and duration that the organization

is not able to perform one or more of its primary functions; (ii) result in major damage to

organizational assets; (iii) result in major financial loss; or (iv) result in severe or

catastrophic harm to individuals involving loss of life or serious life threatening injuries.”

Each system should be protected based on the potential impact to the system of a loss of confidentiality,

integrity, or availability. Protection measures (otherwise known as security controls) tend to fall into two

categories. First, security weaknesses in the system need to be resolved. For example, if a system has a

known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is

removed or mitigated. Second, the system should offer only the required functionality to each authorized

user, so that no one can use functions that are not necessary. This principle is known as least privilege.

Limiting functionality and resolving security weaknesses have a common goal: give attackers as few

opportunities as possible to breach a system.

Although each system should ideally be made as secure as possible, this is generally not feasible because

the system needs to meet the functional requirements of the system’s users. Another common problem

with security controls is that they often make systems less convenient or more difficult to use. When

usability is an issue, many users will attempt to circumvent security controls; for example, if passwords

must be long and complex, users may write them down. Balancing security, functionality, and usability is

often a challenge. This guide attempts to strike a proper balance and make recommendations that provide

a reasonably secure solution while offering the functionality and usability that users require.

Another fundamental principle endorsed by this guide is using multiple layers of security. For example, a

host may be protected from external attack by several controls, including a network-based firewall, a

host-based firewall, and OS patching. The motivation for having multiple layers is that if one layer fails

or otherwise cannot counteract a certain threat, other layers might prevent the threat from successfully

breaching the system. A combination of network-based and host-based controls is generally most

effective at providing consistent protection for systems.

NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems, proposes

minimum baseline management, operational, and technical security controls for information systems.

These controls are to be implemented based on the security categorizations proposed by FIPS 199, as

described earlier in this section. This guidance should assist agencies in meeting baseline requirements

for Windows XP Professional systems deployed in their environments.

2.3 Baseline Security Controls and Threat Analysis Refinement

To secure a system, it is essential first to define the threats that need to be mitigated. This knowledge of

threats is also key to understanding the reasons the various configuration options have been chosen in this

guide. Most threats against data and resources are possible because of mistakes—either bugs in operating

system and application software that create exploitable vulnerabilities, or errors made by users and

administrators. Threats may involve intentional actors (e.g., an attacker who wants to access credit cards

on a system) or unintentional actors (e.g., an administrator who forgets to disable user accounts of a

terminated employee). Threats can be local, such as a disgruntled employee, or remote, such as an

attacker in another country. The following sections describe each major threat category, list possible

controls, provide examples of threats, and summarize the potential impact of the threat. The list of threats

is not exhaustive; it simply represents the major threat categories that were considered during the

selection of the security controls as described in this guide. Organizations should conduct risk

NIST SP 800-53 Revision 2, created in response to FISMA, is available at http://csrc.nist.gov/publications/PubsSPs.html.

2-4

GUIDE TO SECURING MICROSOFT WINDOWS XP SYSTEMS FOR IT PROFESSIONALS

assessments to identify the specific threats against their systems and determine the effectiveness of

existing security controls in counteracting the threats, then perform risk mitigation to decide what

additional measures (if any) should be implemented.

2.3.1

Local Threats

Local threats either require physical access to the system or logical access to the system (e.g., an

authorized user account). Local threats are grouped into three categories: boot process, unauthorized

local access, and privilege escalation.

2.3.1.1 Boot Process

 Threat: An unauthorized individual boots a computer from third-party media (e.g., removable

drives, Universal Serial Bus [USB] token storage devices). This could permit the attacker to

circumvent operating system (OS) security measures and gain unauthorized access to information.

 Examples:

– While traveling, an employee misplaces a laptop, and the party that acquires it tries to see what

sensitive data it contains.

– A disgruntled employee boots a computer off third-party media to circumvent other security

controls so the employee can access sensitive files (e.g., confidential data stored locally, local

password file).

 Impact: Unauthorized parties could cause a loss of confidentiality, integrity, and availability.

 Possible Controls:

– Implement physical security measures (e.g., locked doors, badge access) to restrict access to

equipment.

– Enable a strong and difficult-to-guess password for the Basic Input Output System (BIOS), and

configure the BIOS to boot the system from the local hard drive only, assuming that the case

containing the OS and data is physically secure. This will help protect the data unless the hard

drive is removed from the computer.

– Secure local files via encryption to prevent access to data in the event the physical media is

placed in another computer.

2.3.1.2 Unauthorized Local Access

 Threat: An individual who is not permitted to access a system gains local access.

 Examples:

NIST SP 800-30, Risk Management Guide for Information Technology Systems, contains guidance on performing risk

assessment and mitigation. It is available for download from

http://csrc.nist.gov/publications/PubsSPs.html.

Organizations should have a physical and environmental protection policy that includes requirements for providing adequate

physical security for systems and networks. Most technical controls can be easily defeated without physical security.

2-5

GUIDE TO SECURING MICROSOFT WINDOWS XP SYSTEMS FOR IT PROFESSIONALS

– A visitor to a company sits down at an unattended computer and logs in by guessing a weak

password for a default user account.

– A former employee gains physical access to facilities and uses old credentials to log in and gain

access to company resources.

 Impact: Because the unauthorized person is masquerading as an authorized user, this could cause a

loss of confidentiality and integrity; if the user has administrative rights, this could also cause a loss

of availability.

 Possible Controls:

– Require valid username and password authentication before allowing any access to system

resources, and enable a password-protected screen saver. These actions help to prevent an

attacker from walking up to a computer and immediately gaining access.

– Enable a logon banner containing a warning of the possible legal consequences of misuse.

– Implement a password policy to enforce stronger passwords, so that it is more difficult for an

attacker to guess passwords.

– Do not use or reuse a single password across multiple accounts; for example, the password for a

personal free e-mail account should not be the same as that used to gain access to the Windows

XP host.

– Establish and enforce a checkout policy for departing employees that includes the immediate

disabling of their user accounts.

– Physically secure removable storage devices and media, such as CD-ROMs, that contain valuable

information. An individual who gains access to a workspace may find it easier to take removable

media than attempt to get user-level access on a system.

2.3.1.3 Privilege Escalation

 Threat: An authorized user with normal user-level rights escalates the account’s privileges to gain

administrator-level access.

 Examples:

– A user takes advantage of a vulnerability in a service to gain administrator-level privileges and

access another user’s files.

– A user guesses the password for an administrator-level account, gains full access to the system,

and disables several security controls.

 Impact: Because the user is gaining full privileges on the system, this could cause a loss of

confidentiality, integrity, and availability.

The Department of Justice provides sample banners in Appendix A of Searching and Seizing Computers and Obtaining

Electronic Evidence in Criminal Investigations, available for download at

http://www.cybercrime.gov/s&smanual2002.htm.

2-6

剩余126页未读，继续阅读

艾米的爸爸

粉丝: 793
资源: 314

NIST SP800-68r1：Windows XP安全配置指南

NIST SP800-88r1.pdf

NIST SP800-88_rev1.pdf

NIST SP800-177r1.pdf

NIST SP800-163r1.pdf

NIST SP800-83r1.pdf

NIST SP800-126r1.pdf

NIST SP800-46r1.pdf

NIST SP800-101r1.pdf

NIST SP800-48r1.pdf

NIST SP800-124r1.pdf

最新资源