NT4 awarded E3/F-C2 security classification

Posted by Hemos on Fri Apr 30, 1999 08:00 AM
from the no-i-wanna-be-admin dept.
An anonymous reader wrote in to say "Microsoft has announced that NT was awarded this security classification, equivalent to the US C2 security classification, under the ITSEC, the UK's IT Security Evaluation Criteria. As with the NT 3.5 C2 rating, this doesn't include being connected to a network. This is interesting, given that any local user on NT 3.5 or above server or workstation can become a member of the administrators group, which is not a Good Thing for a secure system... "
  • And we will get to read all kinds of great stories
    when the next great NT DOS attack, or blaring
    security hole is found and exploited on a DoD
    system. One thing I can count on MicroSoft doing
    is shooting itself in the foot in new and exciting
    ways that make me chuckle.

    ; )


  • Rebooting w/ a boot disk doesn't work on a C2-System, because floppy boot is disabled.

    Opening the case is a different thing.

    M$ even mentions this C2-thing as an advantage over Solaris - in a comparison about intranet-servers.
    (Sorry, can't remember the URL, somewhere at microsoft.com)


    There are rumors that on a C2-secured NT system you can't install new Software nor use the printer. Any confirmations?
  • Linux (think it was RH5.1) has been evaluated as B1, OpenBSD 2.2 as C1 and NetBSD (dunno the version) as B2. I don't know about FreeBSD though; is there someone here who does?
  • by Anonymous Coward
    Once more, MS spreads misinformation. The Orange Book (gov't security ratings/policy/procedures) specifies the rating requirements for a system implementation, not just the OS. A system includes all of the h/w and s/w as well as the environment. In simple terms, NT can't receive a security rating by itself.

    C2 isn't the lowest rating. C1 and D1 are lower and have fewer requirements.

    The C2 rating typically applies to networked multiuser systems. NT isn't multiuser so the partitioning and file protection requirements don't really apply.
  • by Anonymous Coward
    Windows NT 4 (or 2000 for that matter)cannot earn NSA NTSEC C2 or FIPS 140-1.

    http://www.nwfusion.com/news/1999/0222fips.html
  • I don't know about the WHOLE DoD, but I know the Air Force is moving almost exclusively to NT as far as workstations go. It's a scary, scary world.
  • by Anonymous Coward
    Eat this one Satan!!!
    http://www.compuniverse.com/rsbac/ [compuniverse.com]

    That is most of what Linux needs for real B1 security and a bit more. It includes Mandatory Access Control, various role-based controls, and other cool stuff.

  • by Anonymous Coward
    Correct. The posix subsystem and the OS/2 subsystems have to be removed from the NT machine before it is C2 certified. This is usually done by using the C2 security manager that comes with the NT 4.0 Resource Kit. People should also realize the difference between redbook c2 and orangebook c2. Novell is redbook, which means it is C2 certified when connected to a network. This really has nothing to do with security but rather ways of configuring software.

    Other things you must do to NT to make it C2 certified include having all file systems NTFS(user level permissions on all files and directories), setting the NTloader with a wait time of 0, halt the system on a full security log, and not allowing the security log to be overwritten, and a login display message.

    There are some other parameters but these are the big ones.
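An added example, not code from the thread or from Microsoft: a read-only PowerShell audit of the settings behind the C2 checklist in the post above (NTFS everywhere, halt on a full security log, no security-log overwrite, a logon notice, OS/2 and POSIX subsystems removed, loader wait time of 0). The registry paths and value names are the standard Windows ones; the "expected" values are this script's reading of the post's checklist, not an official baseline.

```powershell
# Added example: audit the C2 checklist items from the post above.
# Run in an elevated Windows PowerShell session; it only reads settings.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value reads as $null
}

function Test-C2Checklist {
    $findings = @()
    $report = { param($Item, $Ok, $Detail)
        [pscustomobject]@{ Item = $Item; Status = $(if ($Ok) { 'OK' } else { 'FINDING' }); Detail = $Detail } }

    # 1. Every fixed disk formatted NTFS, so per-user ACLs exist on all files.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
        $findings += & $report "NTFS on $($disk.DeviceID)" ($disk.FileSystem -eq 'NTFS') $disk.FileSystem
    }

    # 2. Halt the system when the security log is full (CrashOnAuditFail = 1).
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'CrashOnAuditFail'
    $findings += & $report 'Halt on full security log' ($v -eq 1) "CrashOnAuditFail=$v"

    # 3. Security log never overwritten. Retention is a DWORD; the "do not
    #    overwrite" setting 0xFFFFFFFF reads back as -1 through Get-ItemProperty.
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security' 'Retention'
    $findings += & $report 'Security log never overwritten' ($v -eq -1) "Retention=$v"

    # 4. A logon display message (caption and text both set).
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cap = Get-RegValue $wl 'LegalNoticeCaption'
    $txt = Get-RegValue $wl 'LegalNoticeText'
    $ok  = -not [string]::IsNullOrEmpty($cap) -and -not [string]::IsNullOrEmpty($txt)
    $findings += & $report 'Logon notice configured' $ok "caption='$cap'"

    # 5. OS/2 and POSIX subsystems removed: their entries under SubSystems
    #    should be gone (assumption: the Os2 / Posix value names of NT 4).
    $ss = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    foreach ($name in 'Os2', 'Posix') {
        $present = $null -ne (Get-RegValue $ss $name)
        $findings += & $report "$name subsystem removed" (-not $present) $(if ($present) { 'entry still present' } else { 'absent' })
    }

    # 6. NT loader wait time of 0 ("timeout=0" in boot.ini). A BCD-based boot
    #    has no boot.ini; that case is reported instead of silently passing.
    $bootIni = Join-Path $env:SystemDrive 'boot.ini'
    if (Test-Path $bootIni) {
        $m = Select-String -Path $bootIni -Pattern '^\s*timeout\s*=\s*(\d+)' | Select-Object -First 1
        $timeout = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
        $findings += & $report 'Boot loader timeout is 0' ($timeout -eq 0) "timeout=$timeout"
    } else {
        $findings += & $report 'Boot loader timeout is 0' $false 'no boot.ini (BCD boot; check bcdedit /timeout manually)'
    }
    $findings
}

Test-C2Checklist | Format-Table -AutoSize
```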
  • by Anonymous Coward
    Obviously, you have read the certification requirements for NT. 'The power cord must be removed from the system, and its receptacle in the computer case filled with epoxy resin. Only now can the NT system be considered marginally secure.'

    Isn't any computer pretty much secure if it isn't connected to a network (any network)?
  • It specifically says that each site has the ability to inspect the source code used in all components of the system. I wonder if M$ is going to allow a copy of the source code to be delivered to each site that applies for an E3/FC-2 rated system. Where I work has a security clearance, but we don't currently have any NT machines in the secure areas. I wonder what would happen if I asked for one :-)
  • by Anonymous Coward on Friday April 30 1999, @07:35AM (#1909133)
    C2 has never struck me as being so much about "security" as it is about "accountability".

    While I generally love to pick on Micros~1 products, I think we're picking on the wrong people-- the DoD and the UK ITSEC.

    The big reason NT is C2 rated is not because you can't break in (good thing-- you can!) -- it's because Administrator can't muck with your files without taking ownership of 'em himself. Or, well, that's what Micros~1 claims. :)

    So when your files get mucked with, you can tell, because they ain't your file anymore. And you know who owns it now (Administrator can't give 'em back, according to the docs), so you know who (or, well, which account...) did it.

    So yeah, NT probably _is_ C2 compliant. It's just that from a security standpoint, C2 doesn't mean diddly. That's not Micros~1's fault, that's the fault of our dain-bramaged government. The same folks who tell you that PGP is a munition.

    With so many idiots running around, it's hard to tell which is which...
  • by Anonymous Coward on Friday April 30 1999, @08:35AM (#1909134)
    Those `organizations' should stop certifying
    C2. It provides little value, and it misleads
    a lot of people into thinking their systems
    are secure.

    If they truly believe in their mission, it's
    immoral to be accomplices in such a scam.

  • by Anonymous Coward on Friday April 30 1999, @07:55AM (#1909135)
    You can poop in a box and get it certified C2. There's no real heavy "security" involved beyond passwords and keeping people out of each other's stuff on the system.

    I went through B1 certification, and I'm telling you the people doing the certification didn't know what the heck they were doing. They had good intentions and everything, but they just didn't have it.

    The problem that I saw during our certification is that the kids they hire to do the work just didn't have the background to do the work. There were a number of HUGE security holes (writing to the password file, in three different ways) that I found after the product was supposedly certified.

    The certification process is just busy work for people who want a rubber stamp on something to make them feel better. Just like that ISO 9000 junk.

  • by Anonymous Coward on Friday April 30 1999, @07:58AM (#1909136)
    Basically, the C2 rating is about as low as you can go. Any *nix machines which are not connected to a network are automatically C2 rated.

    The rating talks about single user access, the ability to recognize when a document has been looked at or modified (atime and mtime file attributes), a logging/audit system to show what has happened on a system (syslog, sulog), and the ability for one user to not look at or modify another user's files (chmod, chown, chgrp). There also has to be a way to physically secure the machine, hence no external communication devices (network or modem). It must be physically secured in a lockable room in a building which also meets certain physical access requirements (security guard and wearing badges).

    That's it. Nothing special.

    But it took some work to make a special version of NT to meet this rating. Read the article, they talk about how the administrator cannot change the permissions of a file back to the original owner, that is the one thing they broke to get the rating.

    Anyone who actually has to buy equipment that is rated for Orange Book levels will not be impressed by this (most will laugh at it), but this was published by microso~1 PR and marketing to impress those who don't know anything about security. File this one under FUD.

    If you remove the network card and modem from your linux box, and ensure that every account has a password and turn on accounting, your box can also be declared C2 rated. I have a C2 rated room next door with a number of Slackware machines running standalone, with their little C2 certificates in a pouch on the side.
  • It's a little easier to secure a SUN console, as you can disable lots of stuff in the PROM and set a password... and you can't zap it with a jumper like you can on PCs...
  • The same would hold for Linux (I can boot off a floppy), DOS, MacOS, or any other OS that I know of.
  • Hmmm, I wonder if that was a specialized version of SCO Xenix. Seems unlikely, but I suppose it's possible.
  • Posted by fling93:

    I used to work for Gemini Computers (http://www.geminisecure.com), a small network security company that I recall had an A1-rated system. They needed to create it in a bunch of layers that could only call functions in the layer below, thus making it easier to evaluate.

    I also recall it was slow as heck, impossible to use (like users will really be able to remember randomly-generated passwords), and thus didn't really do a whole lot in terms of volume. :)
  • Somebody more qualified than me needs to look into this site. Please.

    http://www.sco.com/ and search for Linux. Also search for open source.

    Looks VERYYYY interesting. Level B1 security for Linux!? 141 documents.


    No, SCO's new CMW+ 3.0 is going to have a (predicted, I imagine) ITSEC F-B1 rating. I found the same thing whilst looking for linux (although, the words linux, and open source were never found in the page.....)

    -Erik-
  • LMAO! Thanks for the link. That Gerald is quite the fella!
  • You can secure any registry node - it simply follows the NT security rules. Whether it comes secure as default I don't know, but I didn't want you to continue believing that any user always has full access to the registry - it's not true.

    perl -e 'print scalar reverse q(\)-: ,hacker Perl another Just)'
  • AFAIK, B1, B2, and C1 are better than C2. The highest rating is A1, which I believe only one OS has managed to achieve it. In short, the higher the number or letter, the lower the security rating is.
  • Where do you think they test [flinders.edu.au] those ICBMs, anyhow?
  • Most of Microsoft's pages give that with lynx. Probably can't handle not being able to do Javascript :P
  • I tested it on an NT4 SP4 Workstation I have here. If you place the executable in a directory which you can write to (such as the desktop, or the many world-writable directories mentioned above), it gives you membership of the local administrator group. It's then possible to use l0phtcrack [l0pht.com] to get the local administrator password, or to use the samba team's pwdump to get the list and run l0phtcrack offline. If it's the same as the domain admin password.....
  • Well, the ITSEC webpage (which lists NT 4 as "In evaluation") notes that it is only evaluating NT, without SMS, Exchange, MSMail, RAS, and Clipboard Viewer. What does MS know about the clipboard that we don't...
  • ..."How in the heck did they get the 'rating' in the first place?" I'm pretty sure that they're not going to let that out of their hands any time soon.
  • You're not cleared to see that OS. ;)
  • I was told that in order to run even simple programs like Notepad and Paint, it was necessary for a user to have write access to the entire registry. Is this incorrect?
  • In NT 3.1 - 3.51, the video drivers ran in user space, not ring 0, which is where the kernel ran. Thus for every call to the video subsystem by GDI, there were two ring transitions on the Intel architecture. Realistically, the security concerns about moving the video driver from ring 3 to ring 0 are moot as user processes have less chance of directly talking to the hardware now.

    From a stability point of view, you have to worry about vendors rushing out new benchmark video drivers without adequate testing, but if you stick to the NT 4.0 supplied drivers or drivers that you know work fine, then stability from the video subsystem is not an issue.

  • For those of you claiming that NT doesn't support multiple users, you are wrong. NT has supported (but not supplied) multiple users since the first version of NT in 1993. NT was designed to be a multi-user operating system, it just never got the code to do it until Citrix et al came along. The underlying structure to support multiple desktops existed even in Win NT 3.1, using what are known as "stations".

    In NT 4.0, only one station is visible, WinSta0. This has zero or more desktops associated with it. With WTS and Citrix, the number of stations is allowed to be more than one.

    When you log on there are three active desktops on the default station, the winlogin desktop (where you log in and the SAS dialog is presented), the screen saver desktop (even if not configured), the user desktop.

    NT doesn't really care where or how the stations are displayed, but NT is optimized for local display (unlike X), and the ICA or RDP shim is nearly all that was necessary to make it truly multi-user.

    In W2K Server, the multi-user stuff adds less than two or three megabytes to the base install.

    As W2K is current vapourware, other alternatives that exist today are "rconnect.exe" from the resource kit (ie nearly free, just as RH 6.0 is nearly free), which allows you to get a command prompt (equivalent to telnet, except that many programs are GUI) in your security context on a remote machine. There are a lot of remote control products, including VNC, pcAnywhere, Timbuktu, Remotely Possible, NetFinity Manager (comes free with IBM NetFinity servers), etc.

    The vast majority of NT 4.0 GUI tools and BackOffice tools can allow you to remotely administrate a box by connecting to remote machines via an RPC connection. So the lack of a direct desktop connection is moot. It's the old single tier vs client/server thing again. In NT 4.0, the only things you need the console for are adjusting disks (WinDisk.exe is not remotable) and adjusting the network (the Control panel is not remotable). In W2K both these "problems" are fixed, with the replacement MMC snapin for WinDisk.exe being remotable and the network stuff is scriptable by WSH and there are command line tools for _everything_. Also W2K Server and above come standard with WTS, so if you have the licenses, you can remotely control W2K from your desktop.

  • This (another worthless certification) and the recent Mindcraft Linux vs NT thing seem to show how vulnerable Microsoft feels. I don't know if that fear is necessary, after all these years I'd say people will still prefer marketing skills over product quality, but it obviously exists.
  • by Dagmar d'Surreal (5939) on Friday April 30 1999, @10:01AM (#1909160) Journal
    I can't believe that Microsoft has the balls to blatantly try to compare ITSEC to TCSEC, and then relate that to their product.

    Problem #1: Just because two grades of security are nearly equivalent, does not mean you can interpret that everything (or anything, actually) that applies towards one has the same meaning towards the other. You either have a C2 rating, or you don't have a C2 rating. I'm pretty sure that if I ran a computer store, and had a bunch of technicians who had graduated from the local community college specializing in desktop PC construction and repair, that I would be in the middle of a lawsuit if I tried to advertise that that was equivalent to an A+ Certification.

    Problem #2: On MicroSoft's blurb page, they list the certification level of NT 3.5. Who uses that anymore? What does it have to do with 4.0?

    Problem #3: Finally, the big issue is that the level of certification they claim to have reached is not just weakened, but completely invalid if the machine has a network card, modem, or other remote access device in it, or even something as simple as a floppy drive. What do people who would be attracted to this kind of jibber-jabber get NT for? So they can put their super-secret company resources on a network and have it be "safe".

    I have seen Microsoft do some lame things to try to make their product look like more than it really is, but this insults my intelligence as a professional.
  • Yeah... according to the docs you can't give ownership back.. with provided tools. If you know the API, you can throw together a program that'll become SYSTEM, then init a thread which will become the user you want and create an empty file with the original attributes. The original thread can open the file admin owns and pass the data to the new thread, which can write it to the file, close the file, *PewF* back to normal. That's all assuming there isn't some easier way to just change the owner when your original thread is running as SYSTEM. Whew!


  • Previous propaganda on this issue mentioned two requirements which Linux apparently doesn't have - A SysRq key which puts the system in a secure mode (ctrl+alt+del on NT) and file and directory Access Control Lists.

    But then on the other hand, you say you've got C2-certified Slackware boxes, so what do I know!
    --
  • On this stock NTS4 SP4 box the Run key is Everyone = Set Value, so mhm23x3's comment is probably correct for 80%+ of the NT boxes out there.

    This is a prime example of Microsoft's one-size-fits-all engineering. The marketing impulse to allow users (or ActiveX controls) to install things that pop into your system tray (like AOL IM or Real) or nag you for registration has outweighed even the most obvious security considerations.

    Certainly, this problem is easily fixed with Registry ACLs, but does the average NT Admin who has only read the glowing description of "C2 Security" in the MS manuals know that?

    --
  • So it's C2 when it's not connected to a network. But any system which you have physical access to is inherently insecure (reboot w/ a boot disk, open up the box and remove the hdd, and so on). Maybe it's just me but this kinda seems like a bit of an oxymoron. Why not remove the monitor and keyboard too while you're at it? Hey, remove the power cord, and lock the box in a safe. Then no one will be able to hack it.
  • I know that C2 doesn't mean much, but could you publish publicly this info that you have a bunch of standard slackware Linux boxes that have a C2 rating? It would be nice publicity for Linux, especially for those who have no idea what any of C2 security means.
  • Paraphrased from "Operating Systems Concepts", the dinosaur book (5th ed.), there are four divisions of security model and several levels of each division. In order of increasing security they are:

    • D = doesn't meet the requirements of the other three divisions. MS-DOS and Windows 3.1.
    • C1 = some form of group permissions. This includes most Unices.
    • C2 = C1 plus individual permissions too. Some more highly-secured Unices have been certified C2.
    • B1 = C2 plus sensitivity labels on objects for hierarchical security. Thus if a user is level secret, they can access all objects at their level or below if they have permissions to it. Also processes are isolated in distinct address spaces.
    • B2 = B1 plus extends the sensitivity labels to each system resource (devices). Also includes covert channels and auditing on those channels.
    • B3 = B2 plus access control lists and monitoring for any violations of security policy.
    • A1 = equivalent to a B3 system, but is written using formal design and verification techniques to make sure that you haven't left any security bugs in the B3 implementation. A system above level A1 might have been created this way by trusted personnel at a trusted location.

    As other posters have noted, you can't certify an operating system, just a particular installation of that OS on specified hardware at a particular site. So realistically the highest NT or Linux could be certified would be B3, and even that would require a lot of additions to the base system. Don't hold your breath.

  • You can lock users out of the registry, but creating a .reg file and merging it will do the same if you know the syntax. Additionally, you could put anything you want in the startup group and power-cycle it, make changes to the autoexec.bat/autoexec.nt, boot from a dosntfs floppy (if ntfs is enabled), or there's the getadmin exploit.

    NTFS - not that f**kin' secure.....
  • The topic of NT's C2 certification comes up on InfoWorld [infoworld.com] from time to time. Nick Petreley wrote an editorial [infoworld.com] and hosted a discussion forum [infoworld.com] about this in July 1998.

    To summarize, MS obtained a C2 certification for NT3.5 SP3 on a stand alone system (no network connection) running specifically on a Compaq Proliant 2000 or 4000, or a DECpc AXP/150. They did this using the services of a security specialist named Ed Curry, who was a regular poster to the InfoWorld forums. Afterwards he contended that they misrepresented the status of the certification and tried to get him to do the same. He refused and they allegedly forced him out of business.

    He posted regularly about his ongoing fight with MS until his death [infoworld.com] a month ago.
  • NT 3.51 (or was it 3.5) was C2 secure, it was only a matter of time before NT4 would be. And let's get a few things straight:

    No OS can be C2 secure.
    Only individual Systems can.

    That's right. All that this rating means is that you can make it C2 secure out of the box as long as you follow certain restrictions on usage (locked room with limited access, no connection to a non-secure network). This is not the same as saying the OS itself is C2 secure. For example, if you plug it into a network you are no longer Orange Book C2 secure. And there are other levels of C2 security, at least one allows you to connect to a secure network. I don't know how they certify networks beyond the fact that every machine must be accredited and that there are no connections to any other networks.

    There are many OS's out there that aren't C2 secure out of the box, but can be if you make changes. NT4 is still like this in the US. Where I am at, there is an NT4 workstation in a secure area that is Accredited for Secret data. At first I thought someone made a mistake, but then I learned a little about the accreditation process and it turns out that there is a list of procedures on how to get it to pass certification.

    Similarly, you can take a OS that is supposedly C2 secure and make it not C2 secure (by installing a modem, for example). C2 can only certify individual systems, it isn't a blanket statement that the OS itself is secure. As far as I know, there is no such blanket statement (but I'm not familiar with the B* security ratings, so it might exist).


  • by Versalis (29051) on Friday April 30 1999, @09:54AM (#1909195)
    This is really not a very good rating, just average.

    C2 equates to 'CONTROLLED ACCESS PROTECTION'. All your software really needs to do to get this classification is require a user login, auditing of security events (read logging), and restricted resources. It doesn't require the system to actually STOP unauthorized activity.

    The rating system is as follows:

    A1 'VERIFIED DESIGN'
    B3 'SECURITY DOMAINS'
    B2 'STRUCTURED PROTECTION'
    B1 'LABELED SECURITY PROTECTION'
    C2 'CONTROLLED ACCESS PROTECTION'
    C1 'DISCRETIONARY ACCESS PROTECTION'
    'MINIMAL PROTECTION'

    Notice NT's not very high in the list, of course few things are.

    At http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html you can read some brief info on these classifications. If you want info coming out the whazoo on this kind of thing browse around http://www.radium.ncsc.mil/
  • It's pretty simple when any user can access and change the registry. Just put an entry in HKEY_Local_Machine/Software/Microsoft/Windows/Current_version/Run - You can run whatever you want at startup, regardless of user privilege.

    First time I learned this, my mouth just dropped wide open.
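An added example, not code from the thread or from Microsoft, covering both this post and the earlier one that found the Run key set to "Everyone = Set Value" and noted the fix is a registry ACL: a PowerShell check that lists write rights on the machine-wide Run key held by broad principals, and a repair that replaces them with read-only access. The key path and rights names are the standard Windows ones; the list of "broad" principals is this script's assumption, and the repair only writes when -Apply is given.

```powershell
# Added example: find and fix write access on HKLM\...\Run for broad principals.
using namespace System.Security.AccessControl

$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Principals that should never be able to add startup entries for every user
# (assumption: adjust to the site's policy).
$BroadPrincipals = 'Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Any of these bits lets a caller add or change values under the key.
# FullControl contains SetValue, so it is caught too; generic rights
# (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) are added explicitly.
$WriteMask = [int][RegistryRights]::SetValue -bor [int][RegistryRights]::CreateSubKey -bor
             0x10000000 -bor 0x40000000

function Get-RunKeyWriteGrants {
    param([string]$KeyPath = $RunKey)
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Key       = $KeyPath
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited   # inherited ACEs need inheritance broken first
        }
    }
}

function Repair-RunKeyAcl {
    param([string]$KeyPath = $RunKey, [switch]$Apply)
    $grants = @(Get-RunKeyWriteGrants -KeyPath $KeyPath)
    if ($grants.Count -eq 0) { Write-Host "No broad write grants on $KeyPath"; return }

    $acl = Get-Acl -Path $KeyPath
    # Stop inheriting from the parent but keep copies of the inherited ACEs,
    # so the offending rules become explicit and can be purged.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($identity in ($grants.Identity | Sort-Object -Unique)) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$identity)
        # Re-grant read-only so startup entries stay visible to the principal.
        $rule = New-Object RegistryAccessRule($identity, [RegistryRights]::ReadKey,
                    [InheritanceFlags]::ContainerInherit, [PropagationFlags]::None,
                    [AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    if ($Apply) { Set-Acl -Path $KeyPath -AclObject $acl; Write-Host "ACL updated on $KeyPath" }
    else { Write-Host "Proposed ACL (re-run with -Apply to write):"; $acl.AccessToString }
}

Get-RunKeyWriteGrants | Format-Table -AutoSize
Repair-RunKeyAcl
```

Running as a non-administrator only makes sense for the audit half; Set-Acl on an HKLM key needs an elevated session.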

  • I don't know if you noticed guys. But the only version they certified was 3.51. NOT 4.0

    I found it very interesting, because Microsoft is AUTOMATICALLY assuming that this rating carries to the new version when it doesn't. The paperwork states pretty plainly that it's only certified on the hardware tested, et. al.

    Typical Microsoft Bullshit.

    FYI, by the book 3.51 is slightly more secure because of the way the video subsystem was coded. Running at Ring 0, and all that. But a quick look on any of the security oriented sites shows that pretty much all of the major holes that exist in 4.0 exist in 3.51 so...

    Honestly? It makes you wonder what type of smack they were using when they performed the test.
  • Everyone knows that a C2 security rating is low on the list. But frankly, Micro$oft has taken the time (and money) to do something that other vendors should also do.

    How many of you think that a "Network Certification" (CNA, CNE, MCP, MCSE) really means anything? It is no guarantee to an employer, but it is helpful to a job applicant that needs an edge to stand out from the rest of the crowd! Likewise, Micro$oft has excelled at what it does best: Great PR! C2 Certification doesn't merit much technical praise, but its goal is not to impress technicians! When the procurement agent for a large organization has to shell out hundreds of thousands of dollars on OS software, which is easier to justify to the Pointy Haired Bosses? One with a "NSA Level C2 Security Rating" or one without it?

    Not all OSes are created equal. NT certainly has a ton of weaknesses right out of the box. But so does every distribution of Linux, as well as every flavor of Unix (except specially modified versions known as "secure" or "trusted" UNIX). The common versions of Unix that populate most business and educational organizations are NOT the secure versions offered by their vendors. That is why they can be hacked so easily! But why didn't IBM release "Trusted OS/2 Warp 4"? And where is VA Research "Trusted Linux 9.0"? When will we see Dell/Red Hat's "Trusted Linux 7.0"? Although a C2 security rating isn't the greatest, it is NOT that easy to achieve! Or else, other OSes would be rated, too.

    However, a C2-rated box is different from a reliable network. Regardless of the OS, what makes a network great is the work of a great administrator! I have happy customers running Linux and NT boxes. They smile, not because of the vendor's promises, but because of the knowledge I applied to their individual networks.

    Work to make Linux better, including "C2 Certification", if needed! Don't waste time responding to every Micro$oft press release!
  • Another thing everyone must realize is that there is really no such thing as saying a piece of hardware or software is C2 certified. It is capable of receiving a C2 certification, meaning that if the entire system (hardware and software) is installed correctly and configured correctly to the C2 standards it can receive a C2 certification. A C2 certification is only awarded on an installed system of both hardware and software. Its certification is based on the physical installation itself rather than some inherent capability of a piece of hardware or software. So, if the entire system is not installed in its final location and completely set up it cannot be C2 certified.