In-Depth

In Brief

Windows XP security best practices, better SAML administration

• By Mathew Schwartz
• 07/14/2004

NIST Tackles Windows XP Security

The National Institute of Standards and Technology (NIST) released Special Publication 800-68, “Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist.”

In particular, the 147-page PDF discusses how to effectively secure Windows XP and applications running on the operating system, especially in light of today’s most prevalent attacks.

In the release notes for the report, NIST notes, “It is a complicated and time-consuming task for even experienced system administrators to know what a reasonable set of security settings are for a complex operating system such as Windows XP Professional. NIST sought to make this task simpler, easier, and more secure by developing this publication.” The guide was developed by NIST, as well as the National Security Agency (NSA), DISA (Defense Information Systems Agency), Microsoft, and “other members of the security community.”

Of special interest is the report’s Appendix B, which details security changes in the forthcoming Windows XP Service Pack 2 (SP2), which is now in public beta testing. For example, Windows Firewall replaces the Windows XP Internet Connection Firewall (ICF) and simplifies administration—if properly configured.

Other new SP2 security features detailed in the report: Windows Updates can distribute patches for Microsoft software and some hardware, and it can prioritize security update installation; a “Security Center” provides a single interface for examining all security settings on a device; SP2 prevents anonymous use of DCOM and RPC; and on machines running newer processors with NX support, SP2 can prevent most kinds of buffer overflows.

The guide is especially required reading for Federal agencies, whose systems must comply with the Federal Information Security Management Act (FISMA), which mandates minimum system configurations. “By implementing the publication’s recommendations, its security templates, and its other general prescriptive recommendations, organizations should be able to meet the baseline system configuration requirements for Windows XP systems,” says NIST. (For more on government requirements, IT managers can also look to the draft of NIST’s Special Publication 800-53, “Recommended Security Controls for Federal Information Systems.”)

One Windows XP feature NIST cautions against using, labeling it insecure, is Power Users. The feature provides backwards compatibility for applications that are not Windows XP-certified. Power Users can also “perform basic administrative tasks in a Windows XP Systems workgroup environment.” The NIST templates do not allow Power Users to be used.

Another warning concerns the reduced functionality users will experience if security managers implement NIST’s “High Security” template. In particular, it will “break legacy or other general-purpose applications.” As a result, “it should be only be used by the experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements,” cautions NIST.

Link to the report:
http://csrc.nist.gov/itsec/guidance_WinXP.html

- - -

SSL VPNs with SAML Hit the Market

SSL VPNs, increasingly used by companies to offer employees Web-based access to critical corporate communications, could become a more-common fixture in the Web services and extranet space as well. The first SSL VPNs to incorporate SAML—the Security Assertion Markup Language standard—were released by Juniper Networks; the devices are called NetScreen Secure Access appliances.

SAML is a component of XML-based data exchange and a way to secure Web services. Many SSL VPN implementations already tie into a company’s access management or directory software—often Microsoft’s Active Directory or corporate LDAP servers—to authenticate users. Using the SSL VPN to also administer SAML gives security managers a potentially easy way to get SAML capabilities without dramatically increasing their time to administer it.

Many companies “need to centrally manage user security policies to drive down cost, enhance security, and increase control and visibility over their IT environments,” says Ken Sims, the vice president of marketing and business development for Oblix, an identity-based security vendor that works with Juniper.Expect the trend to continue. “Customers are evolving to using SSL VPNs for secure extranet access, and will look for this type of access management functionality,” notes Mark Bouchard, a META Group analyst. “It makes sense to have provisioning systems linked to SSL VPNs so enterprises can leverage efficiencies from their investments in unified directory products.”

Related Articles:

Communicator Unveils First Liberty Product
http://www.esj.com/news/article.asp?EditorialsID=403

Securing Web Services
http://esj.com/columns/article.asp?EditorialsID=96

Top Three Security Problems Remain Despite Increased Spending
http://info.101com.com/default.asp?id=5281