Background.
The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software,
data, information, suggestions, ideas, and other services and materials from the CIS
website or elsewhere (“Products”) as a public service to Internet users worldwide.
Recommendations contained in the Products (“Recommendations”) result from a
consensus-building process that involves many security experts and are generally generic
in nature. The Recommendations are intended to provide helpful information to
organizations attempting to evaluate or improve the security of their networks, systems,
and devices. Proper use of the Recommendations requires careful analysis and
adaptation to specific user requirements. The Recommendations are not in any way
intended to be a “quick fix” for anyone’s information security needs.
No Representations, Warranties, or Covenants.
CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive
or negative effect of the Products or the Recommendations on the operation or the
security of any particular network, computer system, network device, software, hardware,
or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or
completeness of the Products or the Recommendations. CIS is providing the Products
and the Recommendations “as is” and “as available” without representations, warranties,
or covenants of any kind.
By using the Products and/or the Recommendations, I and/or my organization (“We”)
agree and acknowledge that:
1. No network, system, device, hardware, software, or component can be made fully
2. We are using the Products and the Recommendations solely at our own risk;
3. We are not compensating CIS to assume any liabilities associated with our use of
the Products or the Recommendations, even risks that result from CIS’s
negligence or failure to perform;
4. We have the sole responsibility to evaluate the risks and benefits of the Products
and Recommendations to us and to adapt the Products and the Recommendations
to our particular circumstances and requirements;
5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make
any corrections, updates, upgrades, or bug fixes; or to notify us of the need for
any such corrections, updates, upgrades, or bug fixes; and
6. Neither CIS nor any CIS Party has or will have any liability to us whatsoever
(whether based in contract, tort, strict liability or otherwise) for any direct,
indirect, incidental, consequential, or special damages (including without
limitation loss of profits, loss of sales, loss of or damage to reputation, loss of
customers, loss of software, data, information or emails, loss of privacy, loss of
use of any computer or other equipment, business interruption, wasted
management or other staff resources or claims of any kind against us from third
parties) arising out of or in any way connected with our use of or our inability to
use any of the Products or Recommendations (even if CIS has been advised of the
possibility of such damages), including without limitation any liability associated
with infringement of intellectual property, defects, bugs, errors, omissions,
viruses, worms, backdoors, Trojan horses or other harmful items.
Grant of Limited Rights.
CIS hereby grants each user the following rights, but only so long as the user complies
1. Except to the extent that we may have received additional authorization pursuant
to a written agreement with CIS, each user may download, install and use each of
the Products on a single computer;
2. Each user may print one or more copies of any Product or any component of a
Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such
copies are printed in full and are kept intact, including without limitation the text
Retention of Intellectual Property Rights; Limitations on Distribution.
The Products are protected by copyright and other intellectual property laws and by
international treaties. We acknowledge and agree that we are not acquiring title to any
intellectual property rights in the Products and that full title and all ownership rights to
the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all
rights not expressly granted to users in the preceding section entitled “Grant of limited
Subject to the paragraph entitled “Special Rules” (which includes a waiver, granted to
some classes of CIS Members, of certain limitations in this paragraph), and except as we
may have otherwise agreed in a written agreement with CIS, we agree that we will not (i)
decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code
for any software Product that is not already in the form of source code; (ii) distribute,
redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise transfer or exploit
rights to any Product or any component of a Product; (iii) post any Product or any
component of a Product on any website, bulletin board, ftp server, newsgroup, or other
similar mechanism or device, without regard to whether such mechanism or device is
internal or external, (iv) remove or alter trademark, logo, copyright or other proprietary
notices, legends, symbols or labels in any Product or any component of a Product; (v)
appear in, any Product or any component of a Product; (vi) use any Product or any
component of a Product with any derivative works based directly on a Product or any
component of a Product; (vii) use any Product or any component of a Product with other
products or applications that are directly and specifically dependent on such Product or
any component for any part of their functionality, or (viii) represent or claim a particular
level of compliance with a CIS Benchmark, scoring tool or other Product. We will not
facilitate or otherwise aid other individuals or entities in any of the activities listed in this
We hereby agree to indemnify, defend, and hold CIS and all of its officers, directors,
members, contributors, employees, authors, developers, agents, affiliates, licensors,
information and service providers, software suppliers, hardware suppliers, and all other
persons who aided CIS in the creation, development, or maintenance of the Products or
Recommendations (“CIS Parties”) harmless from and against any and all liability,
losses, costs, and expenses (including attorneys' fees and court costs) incurred by CIS or
any CIS Party in connection with any claim arising out of any violation by us of the
preceding paragraph, including without limitation CIS’s right, at our expense, to assume
the exclusive defense and control of any matter subject to this indemnification, and in
such case, we agree to cooperate with CIS in its defense of such claim. We further agree
that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed
The distribution of the NSA Security Recommendations is subject to the terms of the
NSA Legal Notice and the terms contained in the NSA Security Recommendations
CIS has created and will from time to time create, special rules for its members and for
other persons and organizations with which CIS has a written contractual relationship.
to the users who are covered by the special rules.
CIS hereby grants each CIS Security Consulting or Software Vendor Member and each
CIS Organizational User Member, but only so long as such Member remains in good
right to distribute the Products and Recommendations within such Member’s own
organization, whether by manual or electronic means. Each such Member acknowledges
and agrees that the foregoing grant is subject to the terms of such Member’s membership
arrangement with CIS and may, therefore, be modified or terminated by CIS at any time.
Choice of Law; Jurisdiction; Venue
construed in accordance with the laws of the State of Maryland, that any action at law or
courts located in the State of Maryland, that we hereby consent and submit to the
personal jurisdiction of such courts for the purposes of litigating any such action. If any
unenforceable, then such terms shall be deemed severable and shall not affect the validity
and enforceability of any remaining provisions.
WE ACKNOWLEDGE THAT WE HAVE READ THESE AGREED TERMS OF
USE IN THEIR ENTIRETY, UNDERSTAND THEM, AND WE AGREE TO BE
BOUND BY THEM IN ALL RESPECTS.
Quick Start Instructions
Just a few years ago, it was almost impossible to find a reliable source for Windows
security. Since then, the momentum has shifted in the opposite direction – there is a wealth
of information available. Now the questions are, “Which published source do I trust as
authoritative? What should MY standard be?”
One side-effect of this wealth of available information is that there are local
computer security experts who want to toss the documentation aside and apply the
standards immediately. I have one piece of advice before you go and do that:
IF YOU ONLY READ ONE PAGE IN THIS GUIDE, READ THIS PAGE!
This guide imposes changes that are best implemented in a managed environment.
They are designed to limit communication between computers to positively identified and
authorized personnel. This is a change from the normal way of thinking in a Windows
world. Major systems should still function, but testing this benchmark in a controlled
environment is essential.
I want to run the tool now!
It is understandable to want to “hit the ground running”. If you want to run the
accompanying tool this very minute, go ahead and do so. Please look through the
accompanying “Readme.txt” file. The tool is designed to measure the status of your
system against a standard, and score it accordingly. The tool will not make changes to the
security settings on your system, except that it must be installed as an application.
For The Seasoned Security Professional
More and more Windows support personnel are becoming familiar with the
intricacies of Windows security. Microsoft itself has stated an organizational shift of its
priorities away from ease-of-use toward security awareness.
Section 1 of this guide is a summary checklist of the configuration settings that
constitute a Windows XP Professional compliant computer system. It is brief and to the
point. Appendix A is a questionnaire that can be used to put the trade-offs into perspective
for each of the settings involved.
For the Windows User Seeking Enlightenment
Computer and network security is a difficult topic to summarize. Many of the
features that are enabled “out of the box” on a Windows computer are enabled “in case” the
prospective owner wants to use them. Most of these features never get used, but often still
have vulnerabilities that can be exploited by unscrupulous people.
Section 2 of this guide is written to provide contextual descriptions of each
requirement for this benchmark. It gives plain-text details of what the setting means, why
it is restricted, and what the consequences of restricting that setting may be. It covers the
same information as Section 1, in greater detail. You should still use the questionnaire in
Appendix A to explore some of the trade-offs of implementing these settings.
Windows XP Professional Benchmark
Consensus Baseline Security Settings
This document is a security benchmark for the Microsoft Windows XP Professional
operating system for workstations. It reflects the content of the Consensus Baseline
Security Settings document developed by the National Security Agency (NSA), the
Defense Information Systems Agency (DISA), The National Institute of Standards and
Technology (NIST), the General Services Administration (GSA), The SANS Institute, and
the staff and members of the Center for Internet Security (CIS).
Intended Audience
This benchmark is intended for anyone using a Windows XP Professional operating
system who feels at all responsible for the security of that system. A Security Manager or
Information Security Officer should certainly be able to use this guide and the associated
tools to gather information about the security status of a network of Windows machines.
The owner of a small business or home office can use this guide as a straightforward aid in
enhancing his or her own personal network security. A Windows System Administrator
can use this guide and the associated tools to produce explicit scores that can be given to
management to reflect where they currently stand, versus where they should stand with
regard to security.
Any user who uses this guide to make even the slightest improvement on the secure
state of a system might be doing just enough to turn a potential hacker or cracker away to
an easier target. Every computer operator who becomes “Security Aware” improves the
safety level of the Internet.
Practical Application
Just as there is often no single correct way to get to a specific destination, there is
more than one way to implement the settings and suggestions described in this text. In a
network environment, with a Windows 2000 or Windows 2003 Active Directory Domain,
Group Policy can be used to apply nearly all the settings described herein. Many surveys
of Fortune 500 or Fortune 1000 companies have indicated that large companies have been
slow to migrate to Active Directory because of the level of complexity involved, but the
lack of continued support for Windows NT 4.0 Domains is fueling the migration process.
Once an infrastructure has been implemented to support an Active Directory domain,
implementing most of these policies with Group Policy becomes relatively easy.
In an environment where Active Directory isn’t in use, administrators and users are
forced to use the Local Security Policy editor of individual Member Servers and
Workstations to lock down their environment.
The information contained in this text applies equally well to Local Security
Policies and to Group Policies. In a large domain infrastructure, Group Policy can (and
should) be set to override the Local Security Policy. Anyone attempting to make
modifications to the Local Security Policy which seem to “mysteriously disappear” should
contact their system administrator or their management to see if Group Policy may be
overriding their changes.
The actions required to “harden” a Windows operating system will be described in
terms of updating the Local Security Policy. The Local Security Policy Editor, as well as
many other tools used herein, is located in the Administrative Tools menu. In some cases,
clicking the Start button, and then looking under Programs will be enough. Otherwise,
click Start, Settings, and open the Control Panel. Double-click the Administrative Tools
icon in the Control Panel to find the Local Security Policy Editor.
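The override described above can be checked from the command line rather than by guessing. The following batch script is an added example, not part of the CIS benchmark or its scoring tool; it assumes Windows XP Professional, an account in the local Administrators group, and arbitrary output file names.

```batch
@echo off
rem Added example (not CIS code): compare the Local Security Policy with the
rem policy actually in effect once Group Policy has been applied.
rem Assumes Windows XP Professional and a local Administrators account.
set OUT=%TEMP%\policycheck
if not exist "%OUT%" mkdir "%OUT%"

rem 1. Export the local security policy from the local security database.
secedit /export /cfg "%OUT%\local.inf" /quiet

rem 2. Export the merged (effective) policy: domain Group Policy layered on
rem    top of the local policy. Any line that differs between the two files
rem    is a setting that Group Policy is overriding.
secedit /export /mergedpolicy /cfg "%OUT%\effective.inf" /quiet

rem 3. Compare the two exports (secedit writes Unicode, hence /U).
fc /U "%OUT%\local.inf" "%OUT%\effective.inf"
if errorlevel 1 (
    echo Local Security Policy settings are being overridden by Group Policy.
) else (
    echo Local and effective policy match; no Group Policy override detected.
)

rem 4. List the Group Policy Objects applied to this computer and user so the
rem    overriding GPO can be identified with the system administrator.
gpresult /v
```

Lines reported by FC are the settings to raise with the administrator; the GPO names printed by gpresult tell you which policy object is supplying them.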
Keeping Score
The goal of every benchmark and the associated scoring tools is to give users a
point-in-time view of where systems stand in relation to the currently accepted standard.
This “score” produced by the scoring tool is a number between 0 and 100.
The criteria used for scoring are divided into five categories: (1) Service Packs and
Security Updates, (2) Auditing and Account Policies, (3) Security Settings, (4) Additional
Security Protection, and (5) Administrative Templates. Additional applications or Services
may detract from the overall score, just as additional services detract from the security of
these systems in the production environment.
Security Levels
One question that needs to be considered when securing computers is “How secure
should they be?” Often people assume that the highest level of security is best, but it is
important to remember that often, a vulnerability is defended by disabling some
functionality. The use of this function may be more important to the usefulness of the
computer than defending against the vulnerability.
In response to this, CIS is publishing three different levels of guidance.
Legacy - Settings in this level are designed for XP Professional systems that need to
operate with older systems such as Windows NT, or in environments where older third
party applications are required. The settings will not affect the function or performance of
the operating system or of applications that are running on the system.
Enterprise Desktop - Settings in this level are designed for XP Professional systems
operating in a managed environment where interoperability with legacy systems is not
required. It assumes that all operating systems within the enterprise are Windows 2000 or
later, and are therefore able to use all of the security features available within those systems. In
such environments, these Enterprise-level settings are not likely to affect the function or
performance of the OS. However, one should carefully consider the possible impact to
software applications when applying these recommended XP Professional technical
Enterprise Mobile - These settings are nearly identical to the Enterprise Standalone
settings, but with modifications appropriate for mobile users whose systems must operate
both on and away from the corporate network. In environments where all systems are
Windows 2000 or later, these Enterprise-level settings are not likely to affect the function
or performance of the OS. However, one should carefully consider the possible impact to
software applications when applying these recommended XP Professional technical
Specialized Security – Limited Functionality – Formerly known as “High Security,”
settings in this level are designed for XP Professional systems in which security and
integrity are the highest priorities, even at the expense of functionality, performance, and
interoperability. Therefore, each setting should be considered carefully and only applied by
an experienced administrator who has a thorough understanding of the potential impact of
each setting or action in a particular environment.