What are the Benchmarks and Scoring Tool?

The Benchmarks are compilations of configuration actions and settings
recommended to improve the security of Windows 2000, 2003, NT and
XP operating systems.

The Windows XP Professional and Windows Server 2003 Benchmarks:
These benchmarks define multiple "levels" within one document.
The levels are:
- Legacy: Settings in this level are designed for XP
Professional/2003 Server systems that need to operate with older
systems such as Windows NT, or in environments where older third
party applications are required. The settings will not affect
the function or performance of the operating system or of applications
that are running on the system.
- Enterprise Standalone: Settings in this level are
designed for XP Professional/Server 2003 systems operating in
a managed environment where interoperability with legacy systems
is not required. It assumes that all operating systems within
the enterprise are Windows 2000 or later, therefore able to
use all possible security features available within those systems.
In such environments, these Enterprise-level settings are not
likely to affect the function or performance of the OS. However,
one should carefully consider the possible impact to software
applications when applying these recommended XP Professional
technical controls.
- Enterprise Mobile: These settings are nearly identical
to the Enterprise Standalone settings, but with modifications
appropriate for mobile users whose systems must operate both
on and away from the corporate network. In environments where
all systems are Windows 2000 or later, these Enterprise-level
settings are not likely to affect the function or performance
of the OS. However, one should carefully consider the possible
impact to software applications when applying these recommended
XP Professional technical controls.
- Specialized Security - Limited functionality: Settings
in this level are designed for XP Professional/2003 Server systems
in which security and integrity are the highest priorities,
even at the expense of functionality, performance, and interoperability.
Therefore, each setting should be considered carefully and only
applied by an experienced administrator who has a thorough understanding
of the potential impact of each setting or action in a particular
environment.

The Level-I Windows Benchmarks for NT and 2000 settings/actions:
(the minimum level of due care)
- Can be understood and performed by system administrators
with any level of security knowledge and experience, and applied
to server or workstation operating systems.
- Are unlikely to cause an interruption of service to the
operating system or the applications that run on it.
- Can be automatically monitored either by CIS Scoring Tools
or by CIS-certified tools available from CIS certified software
vendors.

The Level-2 Windows 2000 Professional and Server benchmarks:
(prudent security beyond the minimum level)
- Should be applied only to Windows 2000 workstation and server
operating systems.
- Contain some security configuration recommendations that
affect operating system function, and are therefore of greatest
value to system administrators who have sufficient security
knowledge to apply them with consideration to OS functions and
software applications running in their particular environments.

The CIS Scoring Tools provide a quick and easy way to evaluate systems
and compare their level of security against the CIS minimum due
care security Benchmark. Tool reports guide system administrators
to harden both new installations and active production systems.
The tool is also effective for monitoring systems to assure that
security settings continuously conform with the Benchmark.

Share Your Feedback

We value your feedback, which may be used both to update the Level-1
Benchmark and to further define Level-II security configurations.
CIS Level-II Benchmarks enhance security beyond the minimum due care
level, based on specific network architecture and server function.

Please direct your technical feedback to:
The CIS Feedback Email Address

Please direct other feedback to:
Bert Miuccio, Vice President

For more information about the CIS consensus process and the
benchmarks, go to What are the Benchmarks? and FAQ - The Benchmarks.

Updates to the Benchmarks and Scoring Tool

CIS products are updated periodically. Continuous feedback from CIS
Members and other users assures that the consensus standard of minimum
due care is always reflected in the Level-I settings. A revision
history for this benchmark can be found in the benchmark itself.

One of the benefits of CIS Membership is electronic notification when
updates become available. If your organization is not a member of
The Center, visit this website periodically to assure that you are
using the latest version of CIS products.

Testimonials from our Members about The Center for Internet Security
are available here.