Information Security

Best Practices and Standards for Windows

Windows 2000 and Windows XP Pro desktops are powerful multi-user operating systems. Securing these operating systems as well as Windows servers is a complex and ongoing process. The following links point to baseline industry standards for protecting data at Tufts.

  1. Secure your server/workstation before placing it on the network. System Admins at Tufts have reported unsecured computers being compromised within 5 minutes of connection.
    • Read, select and apply a template and security measures from the standards listed below.
    • Patch it so that you won't catch the next Trojan.
    • Back it up and practice recovering.
    • Now you can put it on the network.
  2. Install Tufts supported antivirus software.
  3. Install only needed applications and network services securely. Change all default passwords. Get and apply Microsoft Office Patches.
  4. Monitor logs and security resource sites/lists.
  5. Test updates and security patches, then roll them out as quickly as possible. Windows 2000 is at SP4, and Windows XP is at SP2. If you are running an IIS web server, plan time for monthly patching.
  6. Keep your Emergency Repair Disks, images or recovery tools up-to-date.
Security Standards
As a member of EDUCAUSE, Tufts has access to the Center for Internet Security (CIS) benchmark security templates, which may be applied using a Group Policy Object (GPO) for computers in a Microsoft domain. Alternatively, one can apply a template to a standalone computer using the MMC console. These are the security standards that have been adopted by the National Institute of Standards and Technology (NIST) and are referred to as the "Gold Standard". The Level 1 templates are the "consensus minimum due care security configuration" recommendations and provide the basis for the Tufts Microsoft LAN GPO default security.
* CIS Benchmark (the "Gold Standard") for Windows XP Pro, Windows 2000 Pro, Windows 2003 Servers, Server 2003 Domain and Server 2003 Member Server.
* NIST provides variations of the Gold Standard adapted for Netscape and Mozilla for Windows XP Pro, as well as *.inf files that can be imported using the MMC console for standalone hosts.
* If you're interested in customizing the templates, the SANS Step-by-Step Guide to Windows 2000 Security, available to users on the Tufts LAN only, is a good starting point to understand the details of Windows security for servers or workstations.
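For a standalone host, the MMC import described above can also be scripted with secedit.exe, the command-line counterpart of the Security Configuration and Analysis snap-in that ships with Windows 2000, XP and Server 2003. The batch file below is an added example, not part of the Tufts page or the CIS/NIST templates; the template filename and the working directory are placeholders, and the *.inf file itself is the one downloaded from CIS or NIST. It records the current settings as a rollback point, reports how far the host drifts from the template before touching anything, applies the template into a fresh database, and re-analyzes to confirm the result.

```batch
@echo off
REM Added example: apply a CIS/NIST-style *.inf security template to a standalone
REM Windows 2000/XP/2003 host with secedit.exe. Run from an administrative
REM command prompt, with the machine still off the network.
REM TEMPLATE and WORKDIR are placeholders (assumed paths, not from the page).
setlocal
set TEMPLATE=C:\Templates\Gold-Standard-Level1.inf
set WORKDIR=C:\SecHarden
if not exist "%WORKDIR%" mkdir "%WORKDIR%"
if not exist "%TEMPLATE%" (
    echo Template %TEMPLATE% not found
    exit /b 1
)

REM 1. Export the effective settings first so the change can be reversed by
REM    configuring from before.inf if something breaks.
secedit /export /cfg "%WORKDIR%\before.inf" /log "%WORKDIR%\export.log" /quiet
if errorlevel 1 goto fail

REM 2. Compare the template with the running configuration without changing
REM    anything. Review analyze.log: every "Mismatch" line is a setting the
REM    template will change, which is where application breakage shows up.
secedit /analyze /db "%WORKDIR%\analyze.sdb" /cfg "%TEMPLATE%" /log "%WORKDIR%\analyze.log" /quiet
if errorlevel 1 goto fail

REM 3. Apply the template. /overwrite starts a fresh database instead of
REM    merging with stale entries left by an earlier run.
secedit /configure /db "%WORKDIR%\configure.sdb" /cfg "%TEMPLATE%" /overwrite /log "%WORKDIR%\configure.log" /quiet
if errorlevel 1 goto fail

REM 4. Re-analyze against the database just built; verify.log should now show
REM    no mismatches for the areas the template covers.
secedit /analyze /db "%WORKDIR%\configure.sdb" /log "%WORKDIR%\verify.log" /quiet
if errorlevel 1 goto fail

echo Template applied. Review %WORKDIR%\*.log, reboot, then connect to the network.
exit /b 0

:fail
echo secedit failed; see the logs in %WORKDIR% before retrying.
exit /b 1
```

The analyze-before-configure order matters on a machine that already runs applications: the first analyze log is the change list to test against, and before.inf is what you feed back to `secedit /configure` if a setting breaks something. On domain members, skip this and use the GPO the page describes, since Group Policy will periodically reapply its own settings over anything set locally.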
Microsoft Best Practices
Windows XP Security Guide including variants for enterprise clients, stand-alone and specialized hosts.
Improve the safety of your browsing and e-mail activities.
Seven ways to protect your laptop on the road
Security Guidance Center
Federal and well known security checklists
NIST Security Configuration Checklists Repository by Vendor
NSA's Windows XP Pro Guides include *.inf files as well as configuration guides.
Windows XP Security Checklist from LabMice