Win 2000 security benchmarks released

A group of private sector organizations and government agencies will release Wednesday a new benchmark testing tool designed to let users and administrators more easily configure security settings on their Microsoft Corp. Windows 2000 systems.

The benchmark, which has been agreed upon by the Center for Internet Security, the SANS Institute, the U.S. General Services Administration, the President’s Critical Infrastructure Protection Board, the U.S. National Security Agency and the National Institute of Standards and Technology, is designed to give companies and users a clear standard for achieving a baseline level of security in their Windows 2000 systems, said Clint Kreitner, president and chief executive officer of the Center for Internet Security, located in Bethesda, Maryland.

The benchmark, which will be unveiled at an afternoon press conference in Washington, D.C., will “provide users with the confidence that these settings are widely-agreed upon by security experts,” he said.

Because most operating systems ship from their vendors with security settings turned off by default, users often don’t know what to do and need a guide on how to securely configure their Windows 2000 systems, he said. The benchmark provides such a guide, backed by the combined security expertise of the organizations that worked to create it, he said.

Users will be able to easily check the configuration of their systems by downloading a tool from the Center for Internet Security’s Web site that performs hundreds of configuration checks and then reports back to the user with a score signifying their level of compliance with the standard, he said.

“The tool really is the key because it gives you a score” to measure by and work from, he added.

Beyond simply helping companies — which Kreitner believes will be the heaviest users of the tool — and individual users maintain secure configurations, the tool can also help vendors create new default security settings in their products to ensure better protection, he said.

The Center for Internet Security already provides benchmarks and tools for a number of platforms including Unix operating systems and Cisco Systems Inc. routers, he said. Future benchmarks will be created to cover Check Point Software Technologies Ltd. firewalls, Cisco Pix firewalls, Solaris, Apache and IIS (Internet Information Services) Web servers, Oracle Corp. databases and more, he said.

Cooperation between the groups has been relatively smooth, with the Windows 2000 benchmark being completed in about two months, Kreitner said.

“Everybody realizes there’s a common good here,” he said.

The benchmarks and configuration checking tools are available for free on the Center for Internet Security’s Web site.

The new Windows 2000 tool will be made available on the site later Wednesday.