The Microsoft Windows XP SRR targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Sites are required to secure the Microsoft Windows XP operating system in accordance with DOD Directive 8500.1, Section 4.18. The checks in this document were developed from DISA and NSA guidelines specified in the above reference. Additionally, the review ensures the site has properly installed and implemented the Windows XP operating system and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and other DoD Policy and regulations. The results of the SRR scripts will coincide with the Windows XP SRR Checklist with the following: F- Finding, N/F- Not A Finding, N/A- Not Applicable, MR -Manual Review, or NR - Not Reviewed.
This document is designed to instruct the reviewer on how to assess XP Professional configurations in a Windows NT 4, Windows 2000, or Windows 2003 domain. In addition, the security settings recommended can also be used to configure Group Policy in a Windows 2000 or Windows 2003 Active Directory environment.
The Windows XP Security Checklist is composed of five major sections and five appendices:
- Section 1: This section contains summary information about the sections and appendices that comprise the Windows XP Security Checklist, and defines its scope. Supporting documents consulted are listed in this section.
- Section 2: This section is the matrix that allows the reviewer to document vulnerabilities discovered during the SRR process. The entries in this table, are mapped to procedures in Sections 3, and 5.
- Section 3: This section contains the administrative issues that are discussed between the reviewer and the System Administrator or the Information Systems Security Officer (IAO). The interview outlined in this section may be performed independent of the technical review discussed in Sections 4 and 5.
- Section 4: This section contains summary information for running the Gold Disk.
- Section 5: This section documents the procedures that instruct the reviewer on how to perform an SRR manually, and to interpret the program output for vulnerabilities. Each procedure maps to a PDI tabulated in Section 2.
- Appendix A: This appendix documents the allowed Access Control Lists (ACLs) for file and registry objects. The tables contained in this section are referenced in Sections 4 and 5.
- Appendix B: This appendix contains checks for IAVM compliance to be done against a Windows XP machine.
- Appendix C: This appendix provides information for the use of Microsoft tools for analyzing group policy.
- Appendix D: This appendix documents the procedures for creating assets and importing findings into VMS 6.0
- Appendix E: This appendix identifies Windows specific requirements from JTF-GNO CTOs.
The Access Control Lists (ACLs) on a system under review may differ from the recommendations specified in Appendix A. If the reviewed ACL is more restrictive, or if an equivalent user group is identified, there is no problem. If a specific application requires less restrictive settings, these must be documented with the site ISSO.
Developed for the DOD.
This document is intended for IAOs, SAs, IAMs, NSOs, and others who are responsible for the configuration, management, or support of information systems. It assumes that the reader has knowledge of the Windows XP operating system and is familiar with common computer terminology.
- Specialized Security-Limited Functionality (SSLF)
DOD Directive 8500.
It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.
Version 6, Release 1.34 - 25 April 2014
Version 6, Release 1.33 - 13 March 2014
Version 6, Release 1.32 - 24 January 2014
Version 6, Release 1.31 - 23 December 2013
Version 6, Release 1.30 - 25 October 2013
Version 6, Release 1.29 - 24 July 2013
Version 6, Release 1.28 - 1 April 2013
Version 6, Release 1.27 - 25 January 2013
Version 6, Release 1.26 - 27 July 2012
Version 6, Release 1.25 - 27 April 2012
Version 6, Release 1.24 - 24 January 2012
Version 6, Release 1.23 - 27 October 2011
Version 6, Release 1.22 - 29 July 2011
Promote to Final
Updated "Point of Contact" - 07 January 2015
Updated URL to reflect change to the DISA website - http --> https
moved to archive status - 4/15/19
NIST checklist record last modified on 04/15/2019