Last week, I found an interesting document from the NIST (National Institute os Standards and Technology) titled Guidance for Securing Microsoft Windows XP for IT Professionals: A NIST Configuration Checklist (PDF version). It's an interesting read - they cover a lot of ground, and it is aimed at XP Pro boxes living used in business environments (they do cover small home-based business PC's as well as large enterprise installations, so it's fairly wide ranging).
A while ago, I remember working on a document that gave XPE specific commentary on some whitepapers that covered XP Pro. The whitepapers came from MS, and the document I provided was fairly light - it said, here's the doc on XP Pro, and here's how this works on XPE (unfortunately, the doc isn't on our web site, but there is a collection of security documents available). So in that spirit, I want to write a similar XPE based document that covers some of the NIST recommendations. I'll be pitching the doc to the team later this month, but I wanted to list some of my thoughts here.
First, the document covers XP Pro SP1, and doesn't cover SP2 security features in the main document (it does cover them in Appendix B, but covers the Beta version).
Second, since the NIST doc is aimed at IT pros managing XP Pro systems in an enterprise environment, some of the security recommendations won't fly depending on your device environment. Stuff like Active Directory, group policies, automatic updates, and account policies are a "use 'em if you got 'em" proposition for most embedded developers.
Third, because the doc is aimed at securing Pro devices, most of the recommendations cover how to change settings in the UI. One of the challenges I'm going to have is mapping the UI they provide to component settings or registry keys you can tweak.
Lastly, the document is very complete - it 147 pages of tight text and specific recommendations. While I'm not a fan of government documents in general, this one is fairly well done - I don't think it would be much lighter had it come as a single document from us.
I like this document - it covers a lot of ground, doesn't waste a lot of time, and brings together a bunch of key security concepts along with some practical advice as well as samples. If you haven't read it yet, get it and read it. And if you have to print it, go with double-sided four pages per sheet - it is long.