NT4 awarded E3/F-C2 security classification 127

An anonymous reader wrote in to say "Microsoft has announced that NT was awarded this security classification, equivalent to the US C2 security classification, under the ITSEC, the UK's IT Security Evaluation Criteria. As with the NT 3.5 C2 rating, this doesn't include being connected to a network. This is interesting, given that any local user on NT 3.5 or above server or workstation can become a member of the administrators group, which is not a Good Thing for a secure system... "
  • And we will get to read all kinds of great stories when the next great NT DOS attack, or blaring security hole is found and exploited on a DoD system. One thing I can count on MicroSoft doing is shooting itself in the foot in new and exciting ways that make me chuckle.

    ; )


  • by Anonymous Coward
    Rebooting w/ a boot disk doesn't work on a C2-System, because floppy boot is disabled.

    Opening the case is a different thing.

    M$ even mentions this C2-thing as an advantage over Solaris - in a comparison about intranet-servers.
    (Sorry, can't remember the URL, somewhere at microsoft.com)


    There are rumors that on a C2-secured NT system you can't install new Software nor use the printer. Any confirmations?
  • by Anonymous Coward
    Linux (think it was RH5.1) has been evaluated as B1, OpenBSD2.2 as C1 and NetBSD (dunno the version) as B2. I don't know about FreeBSD though; does anyone here?
  • by Anonymous Coward
    Once more, MS spreads misinformation. The Orange Book (gov't security ratings/policy/procedures) specifies the rating requirements for a system implementation, not just the OS. A system includes all of the h/w and s/w as well as the environment. In simple terms, NT can't receive a security rating by itself.

    C2 isn't the lowest rating. C1 and D1 are lower and have fewer requirements.

    The C2 rating typically applies to networked multiuser systems. NT isn't multiuser so the partitioning and file protection requirements don't really apply.
  • by Anonymous Coward
    Windows NT 4 (or 2000 for that matter) cannot earn NSA NTSEC C2 or FIPS 140-1.

    http://www.nwfusion.com/news/1999/0222fips.html
  • I don't know about the WHOLE DoD, but I know the Air Force is moving almost exclusively to NT as far as workstations go. It's a scary, scary world.
  • by Anonymous Coward
    Eat this one Satan!!!
    http://www.compuniverse.com/rsbac/ [compuniverse.com]

    That is most of what Linux needs for real B1 security and a bit more. It includes Mandatory Access Control, various role-based controls, and other cool stuff.

  • by Anonymous Coward
    Correct. The POSIX subsystem and the OS/2 subsystem have to be removed from the NT machine before it is C2 certified. This is usually done by using the C2 security manager that comes with the NT 4.0 Resource Kit. People should also realize the difference between Red Book C2 and Orange Book C2. Novell is Red Book, which means it is C2 certified when connected to a network. This really has nothing to do with security but rather ways of configuring software.

    Other things you must do to NT to make it C2 certified include having all file systems NTFS (user-level permissions on all files and directories), setting the NT loader with a wait time of 0, halting the system on a full security log, not allowing the security log to be overwritten, and a login display message.

    There are some other parameters but these are the big ones.
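A read-only check for the registry-level items in that list, added here as an example; it is not from the thread and not the Resource Kit's C2 configuration manager. It assumes a current Windows PowerShell session with read access to HKLM. The value names it reads (CrashOnAuditFail under Lsa, the Security event log's Retention, Winlogon's LegalNoticeText) are the documented ones, the NTFS check uses Win32_LogicalDisk, and the boot-menu wait time is left out because it lived in boot.ini on NT 4 and in the BCD store today.

```powershell
# Added example (not from the thread): report which of the C2-style settings
# named in the post still hold the weak value. Read-only; run on Windows.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$secLog   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null for a missing value instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$checks = @(
    @{ Name  = 'Halt system when security log is full'
       Value = Get-RegValue $lsa 'CrashOnAuditFail'
       Pass  = { param($v) $v -eq 1 }
       Want  = 'CrashOnAuditFail = 1' },
    @{ Name  = 'Security log never overwritten'
       # REG_DWORD 0xFFFFFFFF comes back as -1 through Get-ItemProperty.
       Value = Get-RegValue $secLog 'Retention'
       Pass  = { param($v) $v -eq -1 -or $v -eq 0xFFFFFFFF }
       Want  = 'Retention = 0xFFFFFFFF (do not overwrite events)' },
    @{ Name  = 'Logon notice text configured'
       Value = Get-RegValue $winlogon 'LegalNoticeText'
       Pass  = { param($v) -not [string]::IsNullOrWhiteSpace($v) }
       Want  = 'LegalNoticeCaption and LegalNoticeText set' },
    @{ Name  = 'All fixed disks are NTFS'
       # DriveType 3 = local fixed disk; list each volume with its file system.
       Value = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
                ForEach-Object { "$($_.DeviceID) $($_.FileSystem)" }) -join '; '
       Pass  = { param($v) -not ($v -match 'FAT|exFAT') }
       Want  = 'every fixed volume formatted NTFS' }
)

foreach ($c in $checks) {
    $ok    = & $c.Pass $c.Value
    $state = if ($ok) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1,-40} current: {2}  expected: {3}' -f $state, $c.Name, $c.Value, $c.Want
}
```

Run it from an elevated prompt so the Lsa and EventLog keys are readable; a FAIL line names the value to change, and the post's "halt on a full security log" is the one setting that can deny service to the whole machine, so it is worth confirming the log size and retention together before turning it on.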
  • by Anonymous Coward
    Obviously, you have read the certification requirements for NT. 'The power cord must be removed from the system, and its receptacle in the computer case filled with epoxy resin. Only now can the NT system be considered marginally secure.'

    Isn't any computer pretty much secure if it isn't connected to a network (any network)?
  • It specifically says that each site has the ability to inspect the source code used in all components of the system. I wonder if M$ is going to allow a copy of the source code to be delivered to each site that applies for an E3/FC-2 rated system. Where I work has a security clearance, but we don't currently have any NT machines in the secure areas. I wonder what would happen if I asked for one :-)
  • by Anonymous Coward on Friday April 30, 1999 @08:35AM (#1909133)
    C2 has never struck me as being so much about "security" as it is about "accountability".

    While I generally love to pick on Micros~1 products, I think we're picking on the wrong people-- the DoD and the UK ITSEC.

    The big reason NT is C2 rated is not because you can't break in (good thing-- you can!) -- it's because Administrator can't muck with your files without taking ownership of 'em himself. Or, well, that's what Micros~1 claims. :)

    So when your files get mucked with, you can tell, because they ain't your file anymore. And you know who owns it now (Administrator can't give 'em back, according to the docs), so you know who (or, well, which account...) did it.

    So yeah, NT probably _is_ C2 compliant. It's just that from a security standpoint, C2 doesn't mean diddly. That's not Micros~1's fault, that's the fault of our dain-bramaged government. The same folks who tell you that PGP is a munition.

    With so many idiots running around, it's hard to tell which is which...
  • by Anonymous Coward on Friday April 30, 1999 @09:35AM (#1909134)
    Those `organizations' should stop certifying C2. It provides little value, and it misleads a lot of people into thinking their systems are secure.

    If they truly believe in their mission, it's immoral to be accomplices in such a scam.

  • by Anonymous Coward on Friday April 30, 1999 @08:55AM (#1909135)
    You can poop in a box and get it certified C2. There's no real heavy "security" involved beyond passwords and keeping people out of each other's stuff on the system.

    I went through B1 certification, and I'm telling you the people doing the certification didn't know what the heck they were doing. They had good intentions and everything, but they just didn't have it.

    The problem that I saw during our certification is that the kids they hire do the work just didn't have the background to do the work. There were a number of HUGE security holes (writing to the password file, in three different ways) that I found after the product was supposedly certified.

    The certification process is just busy work for people who want a rubber stamp on something to make them feel better. Just like that ISO 9000 junk.

  • by Anonymous Coward on Friday April 30, 1999 @08:58AM (#1909136)
    Basically, the C2 rating is about as low as you can go. Any *nix machines which are not connected to a network are automatically C2 rated.

    The rating talks about single user access, the ability to recognize when a document has been looked at or modified (atime and mtime file attributes), a logging/audit system to show what has happened on a system (syslog, sulog), and the ability for one user to not look at or modify another users files (chmod, chown, chgrp). There also has to be a way to physically secure the machine, hence no external communication devices (network or modem). It must be physically secured in a lockable room in a building which also meets certain physical access requirements (security guard and wearing badges).

    That's it. Nothing special.

    But it took some work to make a special version of NT to meet this rating. Read the article, they talk about how the administrator cannot change the permissions of a file back to the original owner, that is the one thing they broke to get the rating.

    Anyone who actually has to buy equipment that is rated for Orange Book levels will not be impressed by this (most will laugh at it), but this was published by microso~1 PR and marketing to impress those who don't know anything about security. File this one under FUD.

    If you remove the network card and modem from your linux box, and ensure that every account has a password and turn on accounting, your box can also be declared C2 rated. I have a C2 rated room next door with a number of Slackware machines running standalone, with their little C2 certificates in a pouch on the side.
  • It's a little easier to secure a SUN console, as you can disable lots of stuff in the PROM and set a password... and you can't zap it with a jumper like you can on PCs...
  • The same would hold for Linux (i can boot of a floppy), DOS, MacOS, or any other OS that I know of.
  • Hmmm, I wonder if that was a specialized version of SCO Xenix. Seems unlikely, but I suppose it's possible.
  • Posted by fling93:

    I used to work for Gemini Computers (http://www.geminisecure.com), a small network security company that I recall had an A1-rated system. They needed to create it in a bunch of layers that could only call functions in the layer below, thus making it easier to evaluate.

    I also recall it was slow as heck, impossible to use (like users will really be able to remember randomly-generated passwords), and thus didn't really do a whole lot in terms of volume. :)
  • LMAO! Thanks for the link. That Gerald is quite the fella!
  • by Matts ( 1628 ) on Friday April 30, 1999 @08:30AM (#1909145) Homepage
    You can secure any registry node - it simply follows the NT security rules. Whether it comes secure as default I don't know, but I didn't want you to continue believing that any user always has full access to the registry - it's not true.

    perl -e 'print scalar reverse q(\)-: ,hacker Perl another Just)'
  • AFAIK, B1, B2, and C1 are better than C2. The highest rating is A1, which I believe only one OS has managed to achieve it. In short, the higher the number or letter, the lower the security rating is.
  • Where do you think they test [flinders.edu.au] those ICBMs, anyhow?
  • Most of Microsoft's pages give that with lynx. Probably can't handle not being able to do Javascript :P
  • I tested it on an NT4 SP4 Workstation I have here. If you place the executable in a directory which you can write to (such as the desktop, or the many world-writable directories mentioned above), it gives you membership of the local administrator group. It's then possible to use l0phtcrack [l0pht.com] to get the local administrator password, or to use the samba team's pwdump to get the list and run l0phtcrack offline. If it's the same as the domain admin password.....
  • Well, the ITSEC webpage (which lists NT 4 as "In evaluation") notes that it is only evaluating NT, without SMS, Exchange, MSMail, RAS, and Clipboard Viewer. What does MS know about the clipboard that we don't...
  • ..."How in the heck did they get the 'rating' in the first place?" I'm pretty sure that they're not going to let that out of their hands any time soon.
  • You're not cleared to see that OS. ;)
  • I was told that in order to run even simple programs like Notepad and Paint, it was necessary for a user to have write access to the entire registry. Is this incorrect?
  • In NT 3.1 - 3.51, the video drivers ran in user space, not ring 0, which is where the kernel ran. Thus for every call to the video subsystem by GDI, there were two ring transitions on the Intel architecture. Realistically, the security concerns about moving the video driver from ring 3 to ring 0 are moot as user processes have less chance of directly talking to the hardware now.

    From a stability point of view, you have to worry about vendors rushing out new benchmark video drivers without adequate testing, but if you stick to the NT 4.0 supplied drivers or drivers that you know work fine, then stability from the video subsystem is not an issue.

  • for those of you claiming that NT doesn't support multiple users, you are wrong. NT has supported (but not supplied) multiple users since the first version of NT in 1993. NT was designed to be a multi-user operating system, it just never got the code to do it until Citrix et al came along. The underlying structure to support multiple desktops existed even in Win NT 3.1, using what are known as "stations".

    In NT 4.0, only one station is visible, WinSta0. This has zero or more desktops associated with it. With WTS and Citrix, the number of stations is allowed to be more than one.

    When you log on there are three active desktops on the default station: the Winlogon desktop (where you log in and the SAS dialog is presented), the screen saver desktop (even if not configured), and the user desktop.

    NT doesn't really care where or how the stations are displayed, but NT is optimized for local display (unlike X), and the ICA or RDP shim is nearly all that was necessary to make it truly multi-user.

    In W2K Server, the multi-user stuff adds less than two or three megabytes to the base install.

    As W2K is currently vapourware, other alternatives that exist today are "rconnect.exe" from the resource kit (ie nearly free, just as RH 6.0 is nearly free), which allows you to get a command prompt (equivalent to telnet, except that many programs are GUI) in your security context on a remote machine. There are a lot of remote control products, including VNC, pcAnywhere, Timbuktu, Remotely Possible, NetFinity Manager (comes free with IBM NetFinity servers), etc.

    The vast majority of NT 4.0 GUI tools and BackOffice tools can allow you to remotely administrate a box by connecting to remote machines via an RPC connection. So the lack of a direct desktop connection is moot. It's the old single tier vs client/server thing again. In NT 4.0, the only things you need the console for are adjusting disks (WinDisk.exe is not remotable) and adjusting the network (the Control panel is not remotable). In W2K both these "problems" are fixed, with the replacement MMC snapin for WinDisk.exe being remotable and the network stuff is scriptable by WSH and there are command line tools for _everything_. Also W2K Server and above come standard with WTS, so if you have the licenses, you can remotely control W2K from your desktop.

  • This (another worthless certification) and the recent Mindcraft Linux vs NT thing, seems to show how vulnerable Microsoft feels. I don't know if that fear is necessary, after all these years I'd say people will still prefer marketing skills over product quality, but it obviously exists.
  • I remember this same story from say 2 or 3 years ago. At the time, the fact that it only holds the C2 standard without a network was overlooked.

    But hey, whose memories aren't just fantasies....
  • by Dagmar d'Surreal ( 5939 ) on Friday April 30, 1999 @11:01AM (#1909160) Journal
    I can't believe that Microsoft has the balls to blatantly try to compare ITSEC to TCSEC, and then relate that to their product.

    Problem #1: Just because two grades of security are nearly equivalent, does not mean you can interpret that everything (or anything, actually) that applies towards one has the same meaning towards the other. You either have a C2 rating, or you don't have a C2 rating. I'm pretty sure that if I ran a computer store, and had a bunch of technicians who had graduated from the local community college specializing in desktop PC construction and repair, that I would be in the middle of a lawsuit if I tried to advertise that that was equivalent to an A+ Certification.

    Problem #2: On MicroSoft's blurb page, they list the certification level of NT 3.5. Who uses that anymore? What does it have to do with 4.0?

    Problem #3: Finally, the big issue is that the level of certification they claim to have reached is not just weakened, but completely invalid if the machine has a network card, modem, or other remote access device in it, or even something as simple as a floppy drive. What do people who would be attracted to this kind of jibber-jabber get NT for? So they can put their super-secret company resources on a network and have it be "safe".

    I have seen Microsoft do some lame things to try to make their product look like more than it really is, but this insults my intelligence as a professional.
  • Oh come on, when has MICROS~1 ever done anything to promote their products that __DIDN'T__ insult your intelligence as a professional?
  • Microsoft has been hacked into before. I know of one specific situation, about a year ago, when Microsoft's site was hacked and what the hackers did was put up a page which reloaded itself every second... so the page would load and then reload. I am guessing the purpose of this was to try and knock down the servers but there are way too many over there at M$ to do that. I know this happened for a fact because I was one of the first people to notice. Sure M$ had the site back up and running in like an hour and they never really told anyone about it, (and being about 7am EST I am sure not too many people noticed) but it sure did happen. I am pretty sure there is another case when this happened too but I did not actually see it so I am not going to write about it :).

    Oh and second I think the original guy who you responded to about not knowing about NT might not know about NT that much but in either case by default anyone can delete profiles. Once again that is not good and once again you can change it but NT is being marketed as an easy to administer OS and is actually hard as hell to administer. Personally I, and many others, would agree that NT is actually harder to administer than NT. One mainly because people think it is easy and overlook a lot of issues when doing administration... and two because there is so much to it. I am not even close to what I would consider an NT administrator nor a Unix one but I know many and it seems that they agree NT is harder to administer. But either way each operating system has ups and downs but the problem with NT is that it is the biggest so people have to knock it. That is how we are.

    --MD--
  • Yeah... according to the docs you can't give ownership back.. with provided tools. If you know the API, you can throw together a program that'll become SYSTEM, then init a thread which will become the user you want and create an empty file with the original attributes. The original thread can open the file admin owns and pass the data to the new thread, which can write it to the file, close the file, *PewF* back to normal. That's all assuming there isn't some easier way to just change the owner when your original thread is running as SYSTEM. Whew!

  • Yes, this is incorrect. As I recall the default settings, regular users only get write access to HKEY_CURRENT_USER and read access to pretty much anything else. However, the "administrator" account on any other NT box on the network has remote write access to the entire registry.

    I think the C2 certification is if the computer is not connected to a network and is physically placed in a secure location where unauthorized users are not allowed to enter. So most of what real-world sysadmins have to deal with is eliminated from consideration right off the bat.

    -Graham
  • Trusted Solaris 2.5.1 is certified E3/F-B1 and E3/F-C2. Naturally MS doesn't even mention the existence of Trusted Solaris.
  • > Anything above B2 (including B2) does not allow extra components added to the system
    > (i.e, 3rd-party software), because B2+ systems have EVERYTHING hard-wired at the
    > BIOS (and I mean EVERYTHING).

    This is patently untrue. You can read the specifications for B2 (red or orange book) and see that it is so. 3rd-party must simply be a part of the evaluation if it is to be a part of the Trusted Computing Base (TCB). For instance, TRW's DockmasterII code is under evaluation for B2 sitting on top of DG/UX's (also under evaluation) B2 version of Unix. B2 is indeed where things get serious, but it's all based on evaluation criteria in the orange or red books, and the TCB must enforce its rules, but the entire TCB of any modern computing system wouldn't fit into a BIOS.

    The orange book is for stand-alone systems, the red book is for trusted networking implementations, and Data General is aiming for red book B2 - that means it's B2 with the network activated and even potentially sitting on the Internet.

    For anyone interested in a Linux security project that aims to create a B-level security model, do a search for RSBAC. Mr. Ott has done a ton of good work in creating a real security model and protection mechanism for Linux at a level much higher than C2, which basically just means that you have to have an account to log in to the system.
  • Look at:

    http://www.compuniverse.com/rsbac/ [compuniverse.com]

    Don't expect it to be tested though - that's expensive. It does raise the bar to B level though.
  • > Orange Book C2 ratings are explicitly defined as being WITHOUT A NETWORK CONNECTION.

    Which begs the question "Why didn't Microsoft go after a *Red Book* C2 evaluation?" That *does* include networking.

    If you're touting yourself as a network OS, you should go after a network rating IMO. Of course, that means the TCB has to extend into the network layer - and C2 isn't exactly a high bar.
  • What would it take to see what the maximum rating Linux can achieve when it's not connected to a network, with no floppy drive (i.e. a similar configuration to what NT passed) and also what kind of rating can be attained when it is connected to a network. I'm not sure if any system can receive C2 when it's connected to a network (not familiar with exactly what they're testing) but to challenge NT directly on their own turf sounds like fun. I have a sinking feeling that wads of cash are involved in getting these "certifications".
  • Secure mode is Alt-Sysreq-K, for SAK. It makes sure nothing is running on that terminal, so you can't fake the login prompt. Dunno about the other, though.
  • Looks like someone at M$ tried to update the page and botched it...

    Microsoft VBScript runtime error '800a000d'

    Type mismatch 'CInt'

    /security/inc/scripts.txt, line 279


  • Previous propaganda on this issue mentioned two requirements which Linux apparently doesn't have - A SysRq key which puts the system in a secure mode (ctrl+alt+del on NT) and file and directory Access Control Lists.

    But then on the other hand, you say you've got C2-certified Slackware boxes, so what do I know!
    --
  • by IntlHarvester ( 11985 ) on Friday April 30, 1999 @10:49AM (#1909173) Journal
    On this stock NTS4 SP4 box the Run key is Everyone = Set Value, so mhm23x3's comment is probably correct for 80%+ of the NT boxes out there.

    This is a prime example of Microsoft's one-size-fits-all engineering. The marketing impulse to allow users (or ActiveX controls) to install things that pop into your system tray (like AOL IM or Real) or nag you for registration has outweighed even the most obvious security considerations.

    Certainly, this problem is easily fixed with Registry ACLs, but does the average NT Admin who has only read the glowing description of "C2 Security" in the MS manuals know that?

    --
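An added example of the Registry ACL fix the post refers to; it is not from the post and not a Microsoft tool. It audits the machine-wide Run key for write access granted to broad groups and, with the -Fix switch, removes that access while leaving read access in place. It assumes a current elevated PowerShell on Windows; the list of groups and the -Fix switch are this example's own choices.

```powershell
# Added example (not from the thread): audit the machine-wide Run key for
# write access granted to broad groups, and optionally remove it.
# Read-only unless -Fix is given; needs an elevated PowerShell on Windows.
param([switch]$Fix)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Groups that should never be able to add autostart entries for every user
# (this example's own list; extend it to match local policy).
$broadGroups = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any one of these rights is enough to plant or change a Run entry.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'

function Get-WeakRunAces {
    # Allow ACEs for a broad group that carry at least one write right.
    $acl = Get-Acl -Path $runKey
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value -and
        ($_.RegistryRights -band $writeRights) -ne 0
    }
}

$weak = @(Get-WeakRunAces)
if ($weak.Count -eq 0) {
    Write-Output "OK: no broad group can write to $runKey"
    return
}
foreach ($ace in $weak) {
    $note = if ($ace.IsInherited) { ' (inherited)' } else { '' }
    Write-Output ('WEAK: {0} has {1}{2}' -f $ace.IdentityReference, $ace.RegistryRights, $note)
}

if ($Fix) {
    $acl = Get-Acl -Path $runKey
    # Inherited ACEs cannot be removed directly: stop inheriting and keep
    # explicit copies of the inherited entries so they can be edited.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($ace in $weak) {
        [void]$acl.RemoveAccessRule($ace)
        # Keep read access so the group can still enumerate the key.
        $readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $ace.IdentityReference, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($readRule)
    }
    Set-Acl -Path $runKey -AclObject $acl
    Write-Output "Fixed: write access removed for $($weak.IdentityReference.Value -join ', ')"
}
```

Run it once without -Fix to see which entries are flagged and whether they are inherited from HKLM\SOFTWARE; the same audit applies to the per-user Run key under HKCU and to RunOnce, where write access by the user is expected and is not a finding.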
  • So it's C2 when it's not connected to a network. But any system which you have physical access to is inherently insecure (reboot w/ a boot disk, open up the box and remove the hdd, and so on). Maybe it's just me but this kinda seems like a bit of an oxymoron. Why not remove the monitor and keyboard too while you're at it? Hey, remove the power cord, and lock the box in a safe. Then no one will be able to hack it.
  • I know that C2 doesn't mean much, but could you publish publicly this info that you have a bunch of standard slackware Linux boxes that have a C2 rating? It would be nice publicity for Linux, especially for those who have no idea what any of C2 security means.
  • by ethereal ( 13958 ) on Friday April 30, 1999 @10:55AM (#1909177) Journal

    Paraphrased from "Operating Systems Concepts", the dinosaur book (5th ed.), there are four divisions of security model and several levels of each division. In order of increasing security they are:

    • D = doesn't meet the requirements of the other three divisions. MS-DOS and Windows 3.1.
    • C1 = some form of group permissions. This includes most Unices.
    • C2 = C1 plus individual permissions too. Some more highly-secured Unices have been certified C2.
    • B1 = C2 plus sensitivity labels on objects for hierarchical security. Thus if a user is level secret, they can access all objects at their level or below if they have permissions to it. Also processes are isolated in distinct address spaces.
    • B2 = B1 plus extends the sensitivity labels to each system resource (devices). Also includes covert channels and auditing on those channels.
    • B3 = B2 plus access control lists and monitoring for any violations of security policy.
    • A1 = equivalent to a B3 system, but is written using formal design and verification techniques to make sure that you haven't left any security bugs in the B3 implementation. A system above level A1 might have been created this way by trusted personnel at a trusted location.

    As other posters have noted, you can't certify an operating system, just a particular installation of that OS on specified hardware at a particular site. So realistically the highest NT or Linux could be certified would be B3, and even that would require a lot of additions to the base system. Don't hold your breath.

  • Sorry folks, but in all fairness, I must point out that Linux has yet to garner such a rating. Yes, I agree NT's C2 rating is bogus. However, Linux currently does NOT have what's needed to earn a C2 rating either. ACLs are one of the things needed for a C2 rating, and Linux does not have this. However, NT DOES. So don't dismiss NT so easily. It has some great security potential.

    Incidentally, Trusted Solaris could probably get better than a C2 rating, and Secure HP-UX I believe, has earned a B3 rating.

    But I think the Linux community should work on certifying Linux as at LEAST a C2 if it seriously hopes to compete with Microsoft's PR game... I mean, let's face it, MS may be making bogus claims, but the pity of it is, there are a lot of managers out there in the corporate world that actually buy MS's claims. I think the only way to fight fire is with fire.
  • If you don't even know how to secure other users' profiles on an NT box, you don't really have any business talking about NT security, much less running an NT system. Making these sweeping statements about things you know nothing about honestly doesn't give me much faith in your ability to secure *nix boxes, either -- it's a good sign that instead of putting in some work to secure your system, you'll just fake your way through it and pray each night that the hackers don't have a field day on your ass. Good luck.

    Another amusing note is that Slashdot, with that wonderful Linux security, has been hacked into at least once, while your pals at www.microsoft.com haven't.

    Cheers,
    ZicoKnows@hotmail.com

  • If there's one thing we learned in April, it's that benchmarks and Orange Book security levels are both virtually guaranteed to be misused in marketing. And I'm not just pointing the finger at Micros~1.

    --------
  • The idea here is that physical assets (like workstations) can be secured with much less difficulty than stuff attached to a network. File this one under the axiom, "a chain is only as good as its weakest link."

    A computer that you can only access by sitting down in front of it can be kept under armed guard & video cameras. That tends to discourage hacking attempts.
  • That's not the point: the security rating depends on (among other things), whether or not it's connected to a network, and whether or not it's under armed guard. The DOD doesn't say, "Oh, well, since it's under armed guard and not connected to a network, we won't bother assigning it a security rating." Instead, they take all methods of access into account when assigning the rating. Systems not connected to a network and under armed guard have a good shot at being a step or two higher than C2.

    See "Trusted Computer System Evaluation Criteria, DOD standard 5200.28-STD" (better known as the Orange Book [tuxedo.org]) for details.

  • You can lock users out of the registry, but creating a .reg file and merging it will do the same if you know the syntax. Additionally, you could put anything you want in the startup group and power-cycle it, make changes to the autoexec.bat/autoexec.nt, boot from a dosntfs floppy (if ntfs is enabled), or there's the getadmin exploit.

    NTFS - not that f**kin' secure.....
  • Check this out, nice utility [eunet.no].
  • "C2 without a network"?! Somehow I wouldn't want to put that on my four-color glossies... do businesses even think about this before they buy it?

    Sheesh.
  • Just a quickie question from an ignoramus -- what do the ratings mean, and how do they relate to each other? is B1 better or worse than C2, or just different?

    --

  • by RKemp ( 21799 ) on Friday April 30, 1999 @12:22PM (#1909189) Homepage
    The topic of NT's C2 certification comes up on InfoWorld [infoworld.com] from time to time. Nick Petreley wrote an editorial [infoworld.com] and hosted a discussion forum [infoworld.com] about this in July 1998.

    To summarize, MS obtained a C2 certification for NT3.5 SP3 on a stand alone system (no network connection) running specifically on a Compaq Proliant 2000 or 4000, or a DECpc AXP/150. They did this using the services of a security specialist named Ed Curry, who was a regular poster to the InfoWorld forums. Afterwards he contended that they misrepresented the status of the certification and tried to get him to do the same. He refused and they allegedly forced him out of business.

    He posted regularly about his ongoing fight with MS until his death [infoworld.com] a month ago.
  • this doesn't include being connected to a network

    You must also make sure that the computer is not connected to a power supply.
  • by swilly ( 24960 ) on Friday April 30, 1999 @10:20AM (#1909191)
    NT 3.51 (or was it 3.5) was C2 secure, it was only a matter of time before NT4 would be. And let's get a few things straight:

    No OS can be C2 secure.
    Only individual Systems can.

    That's right. All that this rating means is that you can make it C2 secure out of the box as long as you follow certain restrictions on usage (locked room with limited access, no connection to a non-secure network). This is not the same as saying the OS itself is C2 secure. For example, if you plug it into a network, you are no longer Orange Book C2 secure. And there are other levels of C2 security, at least one allows you to connect to a secure network. I don't know how they certify networks beyond the fact that every machine must be accredited and that there are no connections to any other networks.

    There are many OS's out there that aren't C2 secure out of the box, but can be if you make changes. NT4 is still like this in the US. Where I am at, there is an NT4 workstation in a secure area that is Accredited for Secret data. At first I thought someone made a mistake, but then I learned a little about the accreditation process and it turns out that there is a list of procedures on how to get it to pass certification.

    Similarly, you can take an OS that is supposedly C2 secure and make it not C2 secure (by installing a modem, for example). C2 can only certify individual systems, it isn't a blanket statement that the OS itself is secure. As far as I know, there is no such blanket statement (but I'm not familiar with the B* security ratings, so it might exist).


  • The funny thing is, I can get my toaster evaluated, if I specify the right security target.
    If you talk about that stuff with NT advocates ask them what has really been evaluated. The no network issue should be clear for most, but I wonder what else is missing (can't access the site right now). If they did the same thing as with 3.51, then the floppy will be missing as well. Anyone with half a brain then should understand what this is really worth (close to nothing IMNSHO).
  • .... and truth be told, THIS classification means virtually nothing. WinNT is marketed for use in offices, not spaceships and submarines (not to say that it's GOOD for office use).

    Anything above B2 (including B2) does not allow extra components added to the system (i.e, 3rd-party software), because B2+ systems have EVERYTHING hard-wired at the BIOS (and I mean EVERYTHING).

    B1 allows you to add components, but they often need to be certified in and of themselves (this would be like other hardware devices).
  • Please don't show your ignorance.

    1)Microsoft's NT did not receive the certification. A system with NT running on it did.

    2) Linux, since it is software, cannot be certified, either -- a system RUNNING Linux can ... and EVEN THEN, by definition, it CANNOT achieve a rating higher than B1.

    3) This certification means nothing more than "it's got a place on government Purchase Order forms ... THAT'S IT !! REALLY !!

    In fact, I'm of the belief that Microsoft PURPOSELY designed NT to be "C2" as opposed to "B1" so that it could be implemented in government workplaces.

    Hence, 4) an "A1" rating may SOUND prestigious, but it "merely" means VERIFIED DESIGN -- to the last nook and cranny (those of us who have ever tried installing and implementing two or more GPL networking packages know that Linux is NOT "A1" material) ... even though Linux is very robust, and versatile; however, these traits are not what makes a system "A1" ... IN FACT, the more "versatile" the system, the lower the certification it's going to have: "A1" systems, BY DEFINITION, are for one thing and one thing only.

    Sorry to flame you; but from your tone it's obvious you want people to think you know what you're talking about -- and you certainly DO NOT !!
  • by Versalis ( 29051 ) on Friday April 30, 1999 @10:54AM (#1909195)
    This is really not a very good rating, just average.

    C2 equates to 'CONTROLLED ACCESS PROTECTION'. All your software really needs to do to get this classification is require a user login, auditing of security events (read logging), and restricted resources. It doesn't require the system to actually STOP unauthorized activity.

    The rating system is as follows:

    A1 'VERIFIED DESIGN'
    B3 'SECURITY DOMAINS'
    B2 'STRUCTURED PROTECTION'
    B1 'LABELED SECURITY PROTECTION'
    C2 'CONTROLLED ACCESS PROTECTION'
    C1 'DISCRETIONARY ACCESS PROTECTION'
    'MINIMAL PROTECTION'

    Notice NT's not very high in the list, of course few things are.

    At http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html you can read some brief info on these classifications. If you want info coming out the whazoo on this kind of thing browse around http://www.radium.ncsc.mil/
  • by mhm23x3 ( 30474 ) on Friday April 30, 1999 @08:21AM (#1909196) Homepage
    It's pretty simple when any user can access and change the registry. Just put an entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - You can run whatever you want at startup, regardless of user privilege.

    First time I learned this, my mouth just dropped wide open.

  • I fight that fight every day - we demo our products on various UNIX boxes all the time. The people with the stars on their collar keep asking about NT. I like to respond by talking about the US Navy's recent experience with the all NT ship - it had to be towed in to port, twice. I can't talk in specifics but I do know that we have pushed UNIX as a better choice on the programs I work on that are trying to get away from VMS.

    Some good news here is that DII-COE, the Common Operator Environment (it's not common and doesn't operate), is being developed for NT - if it's anything like the UNIX version (bloated, unstable, leaky, and confusing) it will make NT's performance so bad you'd think it was running on an XT.
    As someone once said, and I forget who it was, "If Microsoft can get this much mileage out of a C2 rating for NT with no network connection, how much mileage could Linux get with an A1 rating, with no power cord."

    Hellooooooo?!?!?!? Anyone with a brain in there?

    Orange Book C2 ratings are explicitly defined as being WITHOUT A NETWORK CONNECTION.

    Struth.
  • I noticed a few posts suggesting Linux should do C2. I certainly hope not! C2 is one of the reasons that 16 bit windows code runs so slowly on NT. This is because one of the requirements of C2 is that no process be able to access the memory of any other.

    This means that DLLs which share memory between multiple processes are not allowed. Everything you want to communicate to a system service must be sent through a message queue. Thus, a C2 system can guarantee no-one can exploit data from core files to break security.

    Lack of C2 and microkernel architecture are, IMO, one of Linux's key strengths. C2 is a feature bullet that everyone pays the price for. Like one of the other posters said, its like ISO - you have it just to say you have it. Don't bloat my OS with it.
  • I saw a preview of Win 00 and a demo of user setup, permissions, passwords, etc. The setup wizard allows any user to be setup as ADMIN and the syntax of the question that allows this is not very clear as to what you will be allowing the user to do. It just says would you like this user to have admin access. Hmm, Joe is in the Admin. dept so yes!! Can you imagine Joe User one morning does something stupid, but not just to his machine, he brings down the network. And hey, isn't this cool, I can adjust all kinds of settings and I'll change Jack's password to /dev/null HaHa.
    I would hope that NT admins would know about registry security, but I suspect you're right. Plus how many just use regedit instead of regedt32?
    I don't know if you noticed guys. But the only version they certified was 3.51. NOT 4.0

    I found it very interesting, because Microsoft is AUTOMATICALLY assuming that this rating carries to the new version when it doesn't. The paperwork states pretty plainly that it's only certified on the hardware tested, et al.

    Typical Microsoft Bullshit.

    FYI, by the book 3.51 is slightly more secure because of the way the video subsystem was coded. Running at Ring 0, and all that. But a quick look on any of the security oriented sites shows that pretty much all of the major holes that exist in 4.0 exist in 3.51 so...

    Honestly? It makes you wonder what type of smack they were using when they performed the test.
  • I would like to see the OS that managed to get that rating...

    RB
  • In all seriousness: not necessarily. If you can boot into another operating system (e.g. from a boot disk) and then access the data on the machine, then that machine has been compromised. A C2-certified NT box (or indeed any secured operating system) can't be breached in this way.
  • I read through the example on how to force yourself to run the example trojan. It is pretty simple - virus, trojan, whatever...don't let your machine be compromised. I am sure there there are plenty of nice Linux hacks too, but the Linux hobbyists have more to prove I suppose.
  • OK Bill..take your medication and off to bed with you...it's getting late.
  • Here's what I get when I log into the announcement site:

    Microsoft VBScript runtime error '800a000d'

    Type mismatch: 'CInt'

    /security/inc/scripts.txt, line 279


    Nice job, micro$loth
  • Everyone knows that a C2 security rating is low on the list. But frankly, Micro$oft has taken the time (and money) to do something that other vendors should also do.

    How many of you think that a "Network Certification" (CNA, CNE, MCP, MCSE) really means anything? It is no guarantee to an employer, but it is helpful to a job applicant that needs an edge to stand out from the rest of the crowd! Likewise, Micro$oft has excelled at what it does best: Great PR! C2 Certification doesn't merit much technical praise, but its goal is not to impress technicians! When the procurement agent for a large organization has to shell out hundreds of thousands of dollars on OS software, which is easier to justify to the Pointy Haired Bosses? One with a "NSA Level C2 Security Rating" or one without it?

    Not all OSes are created equal. NT certainly has a ton of weaknesses right out of the box. But so does every distribution of Linux, as well as every flavor of Unix (except specially modified versions known as "secure" or "trusted" UNIX). The common versions of Unix that populate most business and educational organizations are NOT the secure versions offered by their vendors. That is why they can be hacked so easily! But why didn't IBM release "Trusted OS/2 Warp 4"? And where is VA Research "Trusted Linux 9.0"? When will we see Dell/Red Hat's "Trusted Linux 7.0"? Although a C2 security rating isn't the greatest, it is NOT that easy to achieve! Or else, other OSes would be rated, too.

    However, a C2-rated box is different from a reliable network. Regardless of the OS, what makes a network great is the work of a great administrator! I have happy customers running Linux and NT boxes. They smile, not because of the vendor's promises, but because of the knowledge I applied to their individual networks.

    Work to make Linux better, including "C2 Certification", if needed! Don't waste time responding to every Micro$oft press release!
  • As someone once said, and I forget who it was, "If Microsoft can get this much mileage out of a C2 rating for NT with no network connection, how much mileage could Linux get with an A1 rating, with no power cord."
  • They're both further away from all that dangerous stuff
  • > Following the exact link Hemos posted, Microsoft did not say that NT got a C2 (TCSEC) rating at all. Rather they posted that it passed the ITSEC E3 level testing which is UK based.
    > Read the article - even the first sentence gives it away: "On April 28th, 1999, the UK Government announced...". Hemos is so busy Microsoft bashing he forgot that the truth actually has some bearing in the matter.

    You, on the other hand, are so busy bashing Hemos that you forget to even read what he has written! Or perhaps more accurately, what he hasn't. The entire post was quoted from a slashdot reader who mailed it in. The slashdot reader DID, in fact, say that it received the ITSEC rating, as did the title of the article. He only mentioned the TCSEC rating as a comparison for readers unfamiliar with the ITSEC ratings.

    > To further prove his blatant incompetence in news reporting, he went on to say that it wasn't certified on a network. Again, this is blatantly false. A single click from the Microsoft page gives this (at http://www.itsec.gov.uk/cgi-bin/cplview.pl?docno=95):
    > "The evaluation of Microsoft Windows NT 4.0 excludes Exchange Server, System Management Server (SMS), MS Mail, remote access services and Clipbook viewer. Domain based security functionality is included up to the transport driver interface; underlying network protocols and architectures are excluded."
    > Gee... Sounds like networking to me!!
    > In fact, NT 3.51 is also rated at E3 level *with* network functionality (again Hemos can't get his facts right).

    This is correct; however, it was the person who mailed in the story, not Hemos, who made the error. The quote from the reader is represented to be opinion, not fact.

    > To put the icing on the cake for the worst reported article in slashdot history he goes on to mention a misconfiguration bug that has been around for at least a few months now (fixes/workarounds etc. have been around for just as long).

    Workarounds, yes - fixes to the underlying problem, no. This is not to say that I would've made the same argument - C2 security is about security concepts, not the actual security of a system. Major implementation problems like this aren't really within its scope.

    > Look: If you want to be taken seriously then you have to dump on these losers who would make up the news to bag Microsoft than report the truth.
    > If Hemos has any integrity left, he'll post a correction/retraction with what actually happened rather than leave his work of fiction up on the site.

    Hemos did not write that posting or represent it to be his writing; Slashdot's stories frequently are quoted from users. Furthermore, the links are the substance of the story, not the personal opinions of the person who wrote it in. Your attitude towards Hemos is grossly inappropriate. Perhaps you should make some effort to understand what is represented as opinion and what is represented as fact, and react accordingly.
  • Following the exact link Hemos posted, Microsoft did not say that NT got a C2 (TCSEC) rating at all. Rather they posted that it passed the ITSEC E3 level testing which is UK based.

    Read the article - even the first sentence gives it away: "On April 28th, 1999, the UK Government announced...". Hemos is so busy Microsoft bashing he forgot that the truth actually has some bearing in the matter.

    To further prove his blatant incompetence in news reporting, he went on to say that it wasn't certified on a network. Again, this is blatantly false. A single click from the Microsoft page gives this (at http://www.itsec.gov.uk/cgi-bin/cplview.pl?docno=95):

    "The evaluation of Microsoft Windows NT 4.0 excludes Exchange Server, System Management Server (SMS), MS Mail, remote access services and Clipbook viewer. Domain based security functionality is included up to the transport driver interface; underlying network protocols and architectures are excluded."

    Gee... Sounds like networking to me!!

    In fact, NT 3.51 is also rated at E3 level *with* network functionality (again Hemos can't get his facts right).

    To put the icing on the cake for the worst reported article in slashdot history he goes on to mention a misconfiguration bug that has been around for at least a few months now (fixes/workarounds etc. have been around for just as long).

    Look: If you want to be taken seriously then you have to dump on these losers who would make up the news to bag Microsoft than report the truth. If Hemos has any integrity left, he'll post a correction/retraction with what actually happened rather than leave his work of fiction up on the site.
  • Read the page. It says 'clipbook viewer' which is very different to 'clipboard viewer'.
  • To blow away your FUD:

    Prob #1: ITSEC is no worse than TCSEC, nor is it any better. It is apples and oranges. You imply that passing ITSEC/E3 is a breeze compared to TCSEC/C2. This is simply not true. They actually compared different things - ITSEC looks at operating systems (in this case) and TCSEC looks at a particular system from the hardware up.

    Prob #2. NT 3.5 has as much to do with NT 4.0 as Linux 1.0 has to do with Linux 2.0. It shows the history of the system as secure and not just a patch added to make the current system pass. BTW - lots of people still use NT 3.51.

    Prob #3. E3 security is *not* weakened by floppy, network card etc. Again, if you bothered to read the facts you would find that ITSEC/E3 has evaluated NT to include networking and domain level authentication.

    If you guys want to be taken seriously, you really should start posting facts and stop making it up as you go along.
  • "Domain based security functionality is included up to the transport driver interface; underlying network protocols and architectures are excluded."

    Look at the NT architecture. TDI is the interface to TCP/IP, IPX, NetBEUI, Appletalk and everything else on the network. What they are saying is that they are evaluating the security of NT, not the security of the protocols - which are pretty insecure on the most part.

    So, to answer the question: Yes. I do know what "excluded" means.
  • Ok. Looks like I was a little out of line blaming Hemos (well, actually way out of line). I should have blamed the "anonymous reader".

    My apologies to Hemos on that count.

    Also, I agree - the reader didn't say NT4 got C2. Damn these public forums for keeping me honest.

    As for the "security hole" in NT - If you want to plug this one you can do a number of things. The most obvious is to disable posix and os/2 subsystems!! I believe this is documented well enough in just about every secure installation guide. If you don't care about users creating drive mappings you can change the permissions on the '??' object directory as well (which is identical to setting permissions on /dev in Unix)

    I'm not convinced of the 'major implementation problem' yet.

    Again, my apologies to Hemos. It really wasn't his fault the original mail was woefully inaccurate and more FUD than Fact.


  • Physical access to the machine can blow open any security, short of encrypted storage of data. Just as a trivial instance of how simple it can be, SuSE Linux distributions include all you need to set up Linux to run from a parallel-port Zip Drive, so as long as you can run a boot floppy and connect to the parallel port, you can have root access to any file system on the machine that you have the drivers for.

    What's really bad about this is not that Microsoft can get a rating for Windows NT, but that they don't seem to realise how limited it is.
  • I admin NT boxes (and merely have 'heightened' access on a few *nix boxes). The exploit they mentioned seems plausible - but only in theory.

    There is no builtin way to mess with the Object Tree in NT4. Even WinObj (www.sysinternals.com) doesn't let you actually edit the tree. Furthermore, the permissions can be reset with the proper kernel patches.

    As to the complaints of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, simply make it read-only to non-administrative accounts. Setting file and registry permissions to read-only can actually make a machine pretty safe.

    NT was never intended to be a multi-user platform, at least in the traditional sense. It was designed so that different users could login and use the same programs, with their own unique preferences, _serially_, and carry those preferences to any other computer they used.

    The biggest problem I've found with NT is not inherent to the OS. It has to do with third-party programmers (and, sadly, some M$ programmers too) not programming with the assumption that the user will only have read access. Netscape, Corel, Adobe, M$ Office 95/97 (but not 2000), and most stat packages all require unacceptably high access to the registry and/or filesystem. (Most _require_ write access to non-user specific preferences files, or a few application-specific registry entries).

    Give me apps that adhere to NT profile policies, and that can run in an entirely read-only environment, and you'd be surprised how secure I can make that workstation.
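The two registry hardening steps raised in this thread (locking the HKLM Run key down to read-only for non-administrators, as the post above and the earlier mhm23x3 post discuss, and disabling the POSIX and OS/2 subsystems, as the apology post further up recommends) can be audited and applied from a script. The block below is an added example written for this page, not code from the thread or from Microsoft, and it is expressed in modern PowerShell; on NT4 itself the same edits were made by hand in regedt32 or by the C2 Configuration tool, but the key paths have not changed. The `$TrustedWriters` list is an assumption to adjust per site, and the `\??` object-directory permission change is left out because, as the post above says, NT4 ships no built-in tool for it. Run it from an elevated session.

```powershell
# Added example (not from the thread): audit and harden two NT registry hardening points.
# Assumptions: elevated session; key paths as named in the thread; $TrustedWriters is site policy.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'   # same exposure, same fix
)
$SubsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'

# Principals allowed to keep write access to the Run keys (assumption; adjust to local policy).
$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Get-RunKeyWriters {
    # Return every Allow ACE on $Path that lets a non-trusted principal add a value (SetValue)
    # or a subkey (CreateSubKey). Generic rights on inherited ACEs surface as negative numbers;
    # those are treated as writes too rather than silently passing the check.
    param(
        [string]$Path,
        [System.Security.AccessControl.RegistrySecurity]$Acl = (Get-Acl -Path $Path)
    )
    $writeBits = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [int][System.Security.AccessControl.RegistryRights]::CreateSubKey
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedWriters -notcontains $_.IdentityReference.Value -and
        (([int]$_.RegistryRights -lt 0) -or (([int]$_.RegistryRights -band $writeBits) -ne 0))
    }
}

function Set-RunKeyReadOnly {
    # Break ACL inheritance on $Path (keeping copies of the inherited ACEs so nothing is lost),
    # then replace each non-trusted write ACE with a ReadKey ACE for the same principal.
    # Returns the number of ACEs replaced.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)   # $true,$true = protect, copy inherited rules
    Set-Acl -Path $Path -AclObject $acl           # write back so the copied rules are explicit
    $acl = Get-Acl -Path $Path
    $writers = @(Get-RunKeyWriters -Path $Path -Acl $acl)
    foreach ($rule in $writers) {
        [void]$acl.RemoveAccessRuleAll($rule)     # drop every Allow ACE for that principal
        $ro = New-Object System.Security.AccessControl.RegistryAccessRule(
            $rule.IdentityReference, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($ro)                   # registry keys are containers: no ObjectInherit
    }
    if ($writers.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $writers.Count
}

function Disable-OptionalSubsystems {
    # NT4 starts the OS/2 and POSIX subsystems on demand from the 'Optional' REG_MULTI_SZ value.
    # Emptying it and dropping the per-subsystem image entries is the documented C2 step.
    # Returns the names that were listed before the change so the caller can log them.
    $before = @((Get-ItemProperty -Path $SubsKey -Name Optional -ErrorAction SilentlyContinue).Optional |
                Where-Object { $_ })
    if ($before.Count -gt 0) {
        Set-ItemProperty -Path $SubsKey -Name Optional -Value ([string[]]@()) -Type MultiString
    }
    foreach ($name in 'Os2', 'Posix') {
        Remove-ItemProperty -Path $SubsKey -Name $name -ErrorAction SilentlyContinue
    }
    return $before
}

# Audit first, then fix, and say what changed.
foreach ($key in $RunKeys) {
    $writers = @(Get-RunKeyWriters -Path $key)
    if ($writers.Count -eq 0) {
        Write-Host "$key : no non-trusted write access"
        continue
    }
    $who = ($writers | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
    Write-Warning "$key writable by: $who"
    $n = Set-RunKeyReadOnly -Path $key
    Write-Host "$key : replaced $n write ACE(s) with ReadKey"
}

$removed = Disable-OptionalSubsystems
Write-Host ("Optional subsystems removed: " + $(if ($removed.Count) { $removed -join ', ' } else { 'none' }))
```

Run the audit half alone first (call `Get-RunKeyWriters` without `Set-RunKeyReadOnly`) on a representative box: the usual finding is an inherited `BUILTIN\Users` or `Everyone` ACE carrying SetValue, which is exactly the condition the earlier post exploits. Breaking inheritance is deliberate; without it `RemoveAccessRuleAll` cannot touch the inherited ACE and the key stays writable.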
  • All the evaluations against TCSEC (Orange Book) are explicitly stated to be "when installed as prescribed" in the Evaluated Products List [ncsc.mil]. Just because typical use of NT is less secure than typical use of Unix, this does not mean that NT cannot be configured and used securely enough to pass. I don't usually work as root on Unix, but I usually (on my workstation always) work with Administrator rights on NT - this is crazy, but that's just how you get your work done.

    Note also that for NT they went for E3/F-C2 rather than the E2/F-C2 that the ITSEC says is intended to correspond to TCSEC class C2, and this brings in things like having to provide the evaluator with "Source code or hardware drawings for all security enforcing and security relevant components".

    Under the TCSEC you did not have to show that a system was "relatively resistant to penetration" until B2 (corresponds to E4/F-B2) and ITSEC does not seem to have anything like this phrase - perhaps because it is meaningless and there is no way to test for something so vague. Passing the E3/F-C2 level of evaluation does not mean there are no ways to break in, and this is just as true of the Unixes that have been evaluated as it is for NT.

    Another thing to note is that at least one version of Unix has been evaluated at the less stringent E2/F-C2, and many have not been evaluated at all.

    Passing the evaluation is not really anything to boast about, but failure would have been embarrassing.
  • Microsoft's announcement says: "E3/F-C2 is widely acknowledged to be the highest ITSEC evaluation rating that can be achieved by a general-purpose operating system."

    Says who?

    I doubt if the vendors with E3/F-B1 evaluations would agree; Trusted Solaris from Sun for example. There have even been B3 (under TCSEC) rated systems that can reasonably be described as 'general purpose'.

    Microsoft may think E3/F-C2 is hard - after all, Windows 95/98 do not have the required functionality.

    NT passed, Microsoft have a right to say it did. That Microsoft thinks this is the highest NT can go is the interesting point - most versions of Unix don't go any higher, but there are several examples to show that they can if the vendor is prepared to put in the effort (and pay for an evaluation).

  • Another thing everyone must realize is that there is really no such thing as saying a piece of hardware or software is C2 certified. It is capable of receiving a C2 certification, meaning that if the entire system (hardware and software) is installed correctly and configured correctly to the C2 standards it can receive a C2 certification. A C2 certification is only awarded on an installed system of both hardware and software. Its certification is based on the physical installation itself rather than some inherent capability of a piece of hardware or software. So, if the entire system is not installed in its final location and completely set up it cannot be C2 certified.
