Security benchmarks being released for Windows 2000

By Todd R. Weiss
July 17, 2002 12:00 PM ET

Computerworld - To help companies create a first line of defense for their Windows 2000 Professional workstations, a group of security and government agencies is releasing a set of baseline security settings that can be used as a starting point to protect corporate IT systems.
In an announcement scheduled for later today in Washington, the agencies plan to provide the baseline settings for free to help companies set up at least minimal protection in their networks to stop cyberattacks by intruders.
The baseline settings are a joint project of the National Institute of Standards and Technology, the Defense Information Systems Agency, the National Security Agency, the General Services Administration, The SANS Institute and the Center for Internet Security (CIS), which undertook the work to address security concerns in network IT systems. Microsoft Corp. reviewed the draft standards as part of the project.
Clint Kreitner, president and CEO of Bethesda, Md.-based CIS, said the agencies completed the minimum standards in two months by working collaboratively and agreeing on the most critical areas in need of improved security on Windows 2000 Professional workstations.
"We were able to agree on several hundred security actions" for the operating system, he said. The key reason the standards are necessary, he said, is that hardware vendors typically ship computers with all security features turned off, leaving IT departments and users responsible for ensuring their own security. And because IT departments and users are typically overwhelmed by other work, even the most minimal of security settings are often overlooked, he said.
The groups plan to release today a report that details the initial security changes that should be set up, and will provide a software download to allow IT departments to check the status of their systems against a security benchmark. The software will score the results of the security scan on a scale from 1 to 10, telling users what's needed to improve protection from attacks.
A 10 is a top score on the test, but "that's only a baseline setting," Kreitner said. The test will allow users to check their systems from a reasonable starting point, then add further protections as needed. "We're trying to make it easier for them," he said.
The CIS offers many similar security benchmarks for other operating systems and for network routers on its Web site, and will continue to release others in the future as it pursues its goal of improving network security.
Richard Clarke, special advisor to President Bush on cyberspace security, said in a statement that the group's work "is an example of a public-private partnership that can help government agencies and corporations better secure their systems against cyberattack."
By using these recommended baseline security settings, the group hopes that computer hardware makers will begin shipping Windows 2000 Professional systems with a basic level of security in place before they are delivered to customers.
Scott Charney, chief security strategist at Microsoft, said his company will work with the group on future security projects.



