NIST document on securing Windows XP

Last week, I found an interesting document from the NIST (National Institute os Standards and Technology) titled Guidance for Securing Microsoft Windows XP for IT Professionals: A NIST Configuration Checklist (PDF version).  It's an interesting read - they cover a lot of ground, and it is aimed at XP Pro boxes living used in business environments (they do cover small home-based business PC's as well as large enterprise installations, so it's fairly wide ranging).

A while ago, I remember working on a document that gave XPE specific commentary on some whitepapers that covered XP Pro.  The whitepapers came from MS, and the document I provided was fairly light - it said, here's the doc on XP Pro, and here's how this works on XPE (unfortunately, the doc isn't on our web site, but there is a collection of security documents available).  So in that spirit, I want to write a similar XPE based document that covers some of the NIST recommendations.  I'll be pitching the doc to the team later this month, but I wanted to list some of my thoughts here.

First, the document covers XP Pro SP1, and doesn't cover SP2 security features in the main document (it does cover them in Appendix B, but covers the Beta version).

Second, since the NIST doc is aimed at IT pros managing XP Pro systems in an enterprise environment, some of the security recommendations won't fly depending on your device environment.  Stuff like Active Directory, group policies, automatic updates, and account policies are a "use 'em if you got 'em" proposition for most embedded developers.

Third, because the doc is aimed at securing Pro devices, most of the recommendations cover how to change settings in the UI.  One of the challenges I'm going to have is mapping the UI they provide to component settings or registry keys you can tweak.

Lastly, the document is very complete - it 147 pages of tight text and specific recommendations.  While I'm not a fan of government documents in general, this one is fairly well done - I don't think it would be much lighter had it come as a single document from us.

I like this document - it covers a lot of ground, doesn't waste a lot of time, and brings together a bunch of key security concepts along with some practical advice as well as samples.  If you haven't read it yet, get it and read it.  And if you have to print it, go with double-sided four pages per sheet - it is long.

Brad Coombs webcast on Wednesday

July 14, 11:00am PDT, you'll want to go to the MSDN Webcast site for a webcast by Embedded MVP Brad Coombs (host and owner of XPE Files) for a talk on Windows XP Embedded.  I'll be there listening to him, and you should be too, especially if you're not quite sure if XPE is right for you.

Testing BlogJet

I have installed an interesting application - BlogJet. It's a cool Windows client for my blog tool (as well as for other tools). Get your copy here: http://blogjet.com

"Computers are useless. They can only give you answers." -- Pablo Picasso

Goodbye to Devcon

Well Devcon is almost over - it's the last day of the conference, and not much is happening. I was able to review my speaker stats for the two labs and the session I gave - not bad, all around a 7 of out of 9 rating. The docs for these labs and sessions will be available at some point in the future - as soon as I know where they are, I'll let everyone know.

All in all, it was a good show. I was pleased that my labs and sessions went well. I was even more pleased when I winged in an addition to the SP2 lab, adding a Bluetooth demo to the lab on the fly - it worked flawlessly. I like Bluetooth, and will be buying myself some Bluetooth HID devices in the near future (soon as I can find a BT Natural keyboard).

I was able to attend a couple of other labs and sessions as well - Joe Morris' lab on patch management went over well, and Sean Liming's labs drew big crowds and delivered. We went to dinner last night and by the time we got back to the hotel, the big Beach Bash party was already over (well, not over, but they were closing the bar, so it was coughing up blood). We headed back to the Gaslight district and hit a dance bar, but I called it an early night - I'm way too old to be dancing like that. I'll try to post some pics of the conference and San Diego over the weekend - got some pics of the MS crew here, as well as some of our MVP's (Mr. Vorchak looks a lot scarier in person than he does in the pictures...)