Secure Configuration of Windows XP Desktops


This article can also be found in the Premium Editorial Download "Information Security magazine: Everything you need to know about today's information security trends."


Although PCI DSS is an internationally applicable standard, most of the PCI DSS noise has been coming out of the U.S. That's no longer the case. Since late last year, there has been a significant increase in PCI awareness in the U.K. and parts of Europe. Some European countries still believe that the standard doesn't apply or is less important because of the use of a smart chip and PIN (personal identification number) in European credit cards. Chip and PIN does change the threat model, but not the PCI DSS requirement. Whether the PAN was read from a magnetic stripe, off of a smart chip, or typed into a Web form, the PAN protection requirements are the same.

Bob Russo, general manager of the PCI council, notes that organizations in some countries, like Japan, have spent a lot of time complying with security frameworks--such as the Information Security Management Systems (ISMS) approach of ISO 27001 and 27002--and don't want to spend time complying with an additional standard. The card brands, along with the council, are working to raise awareness that DSS is not optional and not replaceable by any other certification work.

If an organization has been concentrating only on U.S. operations, it's time for it to start thinking globally and assessing all sites where card information is transacted. And if you are using a compliance framework, consider mapping the controls and documentation in place to those needed for the PCI assessment. Many companies report that "careful compliance recycling" can reduce overhead when certifying to new and emerging standards.

PCI compliance may not be a simple art, but there are ways--like leveraging compliance frameworks--to make it simpler. There are a lot of rules and requirements for PCI, but the core goal is simple: protect credit cards on those digital "mean streets."

IN THE know

PCI Security Standards Council
Provides information on standards, QSAs and more.

PCI Knowledge Base
Offers tips from research community.

Includes list of validated payment applications.

5 BASIC steps to properly configure desktop security.

Since its release in 2001, Microsoft Windows XP has received sharp criticism for being insecure. Although the operating system has had its share of security problems, there are five important steps organizations can take to lock down Windows XP desktops and make them less vulnerable.

It's important to note that each new Windows operating system has improved somewhat on the security of its predecessor. Consequently, Windows XP offers some security features that are not supported by earlier versions of Windows such as Windows 95, 98, ME and NT 4.0. These steps assume that Windows XP will not be required to connect directly to an older version of the OS; some of the settings shown here may interfere with that connectivity. Therefore, if Windows XP is required to connect to legacy Windows operating systems, some security may have to be sacrificed in order to maintain connectivity.

These steps also assume that the workstations you are securing are running Windows XP with Service Pack 2 or higher (Microsoft released Service Pack 3 for Windows XP in May). Many of the security settings that will be discussed here were introduced in SP2.
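Before applying any of the hardening settings, it is worth confirming on each workstation that the SP2-or-higher assumption actually holds, since the SP2 security settings will not be present on an unpatched machine. The following PowerShell function is an added example, not code from the article; it assumes PowerShell 2.0 is installed on the XP workstation (an optional download for XP SP3) and relies on the standard Win32_OperatingSystem WMI class. The workstation list at the bottom is a constructed placeholder.

```powershell
# Added example, not from the article: confirm a workstation meets the
# "Windows XP with Service Pack 2 or higher" assumption before hardening it.
# Assumes PowerShell 2.0 (optional install on XP SP3) and the standard
# Win32_OperatingSystem WMI class.
function Test-XpServicePackBaseline {
    param(
        [int]$MinimumServicePack = 2,   # the article's baseline is SP2
        [string]$ComputerName = '.'     # '.' means the local machine
    )

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # Windows XP reports kernel version 5.1 (for example "5.1.2600"). Any other
    # version is a different OS and is outside the scope of these steps.
    $isXp = $os.Version -like '5.1.*'
    $sp   = [int]$os.ServicePackMajorVersion

    New-Object PSObject -Property @{
        ComputerName  = $os.CSName
        Caption       = $os.Caption
        Version       = $os.Version
        ServicePack   = $sp
        IsWindowsXp   = $isXp
        MeetsBaseline = ($isXp -and $sp -ge $MinimumServicePack)
    }
}

# Constructed placeholder list; replace with the workstations being hardened.
# '.' checks the machine the script runs on.
$workstations = @('.')

foreach ($w in $workstations) {
    $r = Test-XpServicePackBaseline -ComputerName $w
    if (-not $r.IsWindowsXp) {
        Write-Warning ("{0}: {1} (version {2}) is not Windows XP; these steps do not apply." -f $r.ComputerName, $r.Caption, $r.Version)
    }
    elseif (-not $r.MeetsBaseline) {
        Write-Warning ("{0}: SP{1} is below the SP2 baseline; apply the service pack before hardening." -f $r.ComputerName, $r.ServicePack)
    }
    $r | Format-List ComputerName, Caption, Version, ServicePack, MeetsBaseline
}
```

Machines that fail the baseline check should be patched first; applying the SP2-dependent settings to an earlier build leaves the desktop looking hardened on paper without the controls actually being in place.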

data points

Microsoft releases Windows Server 2003 on April 24, 2003, the first major platform release since Redmond announced Trustworthy Computing. CEO Steve Ballmer stresses that "security has been a job one issue with our customers. It has really been an area of focus."

Service Pack 1, released on March 30, 2005, introduces the Server Configuration Wizard, which allows users to configure and edit policy settings, from services and ports to audits.

A Secunia study published Dec. 1, 2006 says "Windows Server 2003 is consistently lower risk than Red Hat ES 3 or Red Hat ES 4," largely based on total vulnerabilities and unpatched vulnerabilities.

Microsoft releases Service Pack 2 without notice on March 12, 2007. In addition to a number of fixes, SP2 includes a tool for testing hotfixes, support for Wi-Fi Protected Access 2, and firewall per port authentication.

Another Secunia report, based on 162 vulnerability advisories from 2003 to 2008, rates 4 percent of the vulnerabilities extremely critical, 37 percent highly critical, 30 percent moderately critical, 23 percent less critical and 6 percent not critical.

Windows Server 2008, released Feb. 27, is packed with security tools and features, including tight control over services, disk encryption, network access control and improved log management.

This was first published in July 2008
