NT4 awarded E3/F-C2 security classification 127
An anonymous reader wrote in to say "Microsoft has announced that NT was awarded this security classification, equivalent to the US C2 security classification, under the ITSEC, the UK's IT Security Evalutaion Criteria. As with the NT 3.5 C2 rating, this doesn't include being connected to a network.
This is interesting, given that any local user on NT 3.5 or above server or workstation can become a member of the administrators group, which is not a Good Thing for a secure system... "
Cool. This probably means the DoD will adopt.... (Score:1)
when the next great NT DOS attack, or blaring
security hole is found and exploited on a DoD
system. One thing I can count on MicroSoft doing
is shooting itself in the foot in new and exciting
ways that make me chuckle.
; )
Re:Not connected to a network...? (Score:1)
Opening the case is a different thing.
M$ even mentions this C2-thing as an advantage over Solaris - in a comparison about intranet-servers.
(Sorry, can't remember the URL, somewhere at microsoft.com)
There are rumors that on a C2-secured NT system you can't install new Software nor use the printer. Any confirmations?
Re:Interesting to test Linux or BSD (Score:1)
MS C2 Rating (Score:1)
C2 isn't the lowest rating. C1 and D1 are lower and have fewer requirements.
The C2 rating typically applies to networked multiuser systems. NT isn't multiuser so the partitioning and file protection requirements don't really apply.
NT cannot earn NSA NTSEC C2 (Score:1)
http://www.nwfusion.com/news/1999/0222fips.html
Re:Cool. This probably means the DoD will adopt... (Score:1)
Linux crushes OpenBSD (Score:1)
http://www.compuniverse.com/rsbac/ [compuniverse.com]
That is most of what Linux needs for real B1 security and a bit more. It includes Mandatory Access Control, various role-based controls, and other cool stuff.
Re:nt and c2 (Score:1)
Other things you must do to NT to make it C2 certified include having all file systems NTFS(user level permissions on all files and directories), setting the NTloader with a wait time of 0, halt the system on a full security log, and not allowing the security log to be overwritten, and a login display message.
There are some other parameters but this are the bigs ones.
Re: No Power Supply (Score:1)
Isn't any computer pretty much secure if it isn't connected to a network (any network)?
E3/FC-2 requires inspection of the source code (Score:2)
"C2" and "security" (Score:3)
While I generally love to pick on Micros~1 products, I think we're picking on the wrong people-- the DoD and the UK ITSEC.
The big reason NT is C2 rated is not because you can't break in (good thing-- you can!) -- it's because Administrator can't muck with your files without taking ownership of 'em himself. Or, well, that's what Micros~1 claims.
So when your files get mucked with, you can tell, because they ain't your file anymore. And you know who owns it now (Administrator can't give 'em back, according to the docs), so you know who (or, well, which account...) did it.
So yeah, NT probably _is_ C2 compliant. It's just that from a security standpoint, C2 doesn't mean diddly. That's not Micros~1's fault, that's the fault of our dain-bramaged government. The same folks who tell you that PGP is a munition.
With so many idiots running around, it's hard to tell which is which...
Unethical to certify C2 (Score:3)
C2. It provides little value, and it misleads
a lot of people into thinking their systems
are secure.
If they truly believe in their mission, it's
immoral to be accomplices in such a scam.
C2? Ha! (Score:5)
I went through B1 certification, and I'm telling you the people doing the certification didn't know what the heck they were doing. They had good intentions and everything, but they just didn't have it.
The problem that I saw during our certification is that the kids they hire do the work just didn't have the background to do the work. There were a number of HUGE security holes (writing to the password file, in three different ways) that I found after the product was supposedly certified.
The certification process is just busy work for people who want a rubber stamp on something to make them feel better. Just like that ISO 9000 junk.
C2 is the lowest security rating (Score:5)
The rating talks about single user access, the ability to recognize when a document has been looked at or modified (atime and mtime file attributes), a logging/audit system to show what has happened on a system (syslog, sulog), and the ability for one user to not look at or modify another users files (chmod, chown, chgrp). There also has to be a way to physically secure the machine, hence no external communication devices (network or modem). It must be physically secured in a lockable room in a building which also meets certain physical access requirements (security guard and wearing badges).
Thats it. Nothing special.
But it took some work to make a special version of NT to meet this rating. Read the article, they talk about how the administrator cannot change the permissions of a file back to the original owner, that is the one thing they broke to get the rating.
Anyone who actually has to buy equipment that is rated for Orange Book levels will not be impressed by this (most will laugh at it), but this was published by microso~1 PR and marketing to impress those who don't know anything about security. File this one under FUD.
If you remove the network card and modem from your linux box, and ensure that every account has a password and turn on accounting, your box can also be declared C2 rated. I have a C2 rated room next door with a number of Slackware machines running standalone, with their little C2 certificates in a pouch on the side.
Securing a console (Score:1)
Re:I guess it can't have a floppy drive either (Score:1)
Re:Trusted XENIX beats NT. (Score:1)
Re:Which OS managed A1? (Score:1)
I used to work for Gemini Computers (http://www.geminisecure.com), a small network security company that I recall had an A1-rated system. They needed to create it in a bunch of layers that could only call functions in the layer below, thus making it easier to evaluate.
I also recall it was slow as heck, impossible to use (like users will really be able to remember randomly-generated passwords), and thus didn't really do a whole lot in terms of volume.
Re: (Score:1)
Re:Shoot! (MS Advocacy) (Score:1)
Re:Which OS managed A1? (Score:1)
Re:Getting administrator rights in NT (Score:3)
perl -e 'print scalar reverse q(\)-:
Re:Interesting to test Linux or BSD (Score:1)
Re:I'm moving to Australia ... (Score:1)
Re:Link doesn't work (Score:1)
Re:any docs on using that exploit? (Score:1)
Re:Load Of Bollocks (Score:1)
That, then, begs the question... (Score:1)
Re:Which OS managed A1? (Score:1)
Re:Getting administrator rights in NT (Score:1)
Re:Notice the 3.51 designation (Score:1)
In NT 3.1 - 3.51, the video drivers ran in user space, not ring 0, which is where the kernel ran. Thus for every call to the video subsystem by GDI, there were two ring transitions on the Intel architecture. Realistically, the security concerns about moving the video driver from ring 3 to ring 0 are moot as user processes have less chance of directly talking to the hardware now.
From a stability point of view, you have to worry about vendors rushing out new benchmark video drivers without adequate testing, but if you stick to the NT 4.0 supplied drivers or drivers that you know work fine, then stability from the video subsystem is not an issue.
Rebutting the furphy that NT is not multi-user (Score:1)
for those of you claiming that NT doesn't support multiple users, you are wrong. NT has supported (but not supplied) multiple users since the first version of NT in 1993. NT was designed to be a multi-user operating system, it just never got the code to do it until Citrix et al came along. The underlying structure to support multiple desktops existed even in Win NT 3.1, using what are known as "stations".
In NT 4.0, only one station is be visible, WinSta0. This has zero or more desktops associated with it. With WTS and Citrix, the number of stations is allowed to be more than one.
When you log on there are three active desktops on the default station, the winlogin desktop (where you log in and the SAS dialog is presented), the screen saver desktop (even if not configured), the user desktop.
NT doesn't really care where or how the stations are displayed, but NT is optimized for local display (unlike X), and the ICA or RDP shim is nearly all that was necessary to make it truly multi-user.
In W2K Server, the multi-user stuff adds less than two or three megabytes to the base install.
As W2K is current vapourware, other alternatives that exist today are "rconnect.exe" from the resource kit (ie nearly free, just as RH 6.0 is nearly free), which allows you to get a command prompt (equivalent to telnet, except that many programs are GUI) in your security context on a remote machine. There are a lot of remote control products, including VNC, pcAnywhere, Timbuktu, Remotely Possible, NetFinity Manager (comes free with IBM NetFinity servers), etc.
The vast majority of NT 4.0 GUI tools and BackOffice tools can allow you to remotely administrate a box by connecting to remote machines via an RPC connection. So the lack of a direct desktop connection is moot. It's the old single tier vs client/server thing again. In NT 4.0, the only things you need the console for are adjusting disks (WinDisk.exe is not remotable) and adjusting the network (the Control panel is not remotable). In W2K both these "problems" are fixed, with the replacement MMC snapin for WinDisk.exe being remotable and the network stuff is scriptable by WSH and there are command line tools for _everything_. Also W2K Server and above come standard with WTS, so if you have the licenses, you can remotely control W2K from your desktop.
Re:Getting administrator rights in NT (Score:1)
Microsoft Losing Its Nerve? (Score:1)
Old News ? (Score:1)
But hey, whose memories aren't just fantatsies....
Load Of Bollocks (Score:4)
Problem #1: Just because two grades of security are nearly equivalent, does not mean you can interpret that everything (or anything, actually) that applies towards one has the same meaning towards the other. You either have a C2 rating, or you don't have a C2 rating. I'm pretty sure that if I ran a computer store, and had a bunch of technicians who had graduated from the local community college specializing in desktop PC construction and repair, that I would be in the middle of a lawsuit if I tried to advertise that that was equivalent to an A+ Certification.
Problem #2: On MicroSoft's blurb page, they list the certification level of NT 3.5. Who uses that anymore? What does it have to do with 4.0?
Problem #3: Finally, the big issue is that the level of certification they claim to have reached is not just weakened, but completely invalid if the machine has a network card, modem, or other remote access device in it, or even something as simple as a floppy drive. What do people who would be attracted to this kind of jibber-jabber get NT for? So they can put their super-secret company resources on a network and have it be "safe".
I have seen Microsoft do some lame things to try to make their product look like more than it really is, but this insults my intelligence as a professional.
nothing new (Score:1)
Re:Perhaps you shouldn't be a sysadmin (Score:1)
Oh and second I think the original guy who you responded to about not knowing about NT might not know about NT that much but in either cause by default anyone can delete profiles. Once again that is not good and once again you can change it but NT is being marketed as an easy to administer OS and is actually hard as hell to administer. Personally I, and many others, would agree that NT is actually hard to administer then NT. One mainly because people think it is easy and over look a lot of issues when doing administration... and two because there is so much to it. I am not even close to what I would consider and NT administrator nore a unix one but I know many and it seams that they agree NT is harder to administer. But either way each operating system has ups and downs but the problem with NT is that it is the biggest so people have to knock it. That is how we are.
--MD--
Re:"C2" and "security" (Score:2)
Re:Getting administrator rights in NT (Score:1)
I think the C2 certification is if the computer is not connected to a network and is physically placed in a secure location where unauthorized users are not allowed to enter. So most of what real-world sysadmins have to deal with is eliminated from consideration right off the bat.
-Graham
Re:Not connected to a network...? (Score:1)
Re:NT is average (Score:1)
> (i.e, 3rd-party software), because B2+ systems
> have EVERYTHING hard-wired at the
> BIOS (and I mean EVERYTHING).
This is patently untrue. You can read the specifications for B2 (red or orange book) and see that it is so. 3rd-party must simply be a part of the evaulation if it is to be a part of the Trusted Computing Base (TCB). For instance, TRW's DockmasterII code is under evaluation for B2 sitting on top of DG/UX's (also under evaluation) B2 version of Unix. B2 is indeed where things get serious, but it's all based on evaulation criteria in the orange or red books, and the TCB must enforce its rules, but the entire TCB of any modern computing system wouldn't fit into a BIOS.
The orange book is for stand-alone systems, the red book is for trusted networking implementations, and Data General is aiming for red book B2 - that means it's B2 with the network activated and even potentially sitting on the Internet.
For anyone interested in a Linux security project that aims to create a B-level security model, do a search for RSBAC, Mr. Ott has done a ton of good work in creating a real security model and protection mechanism for Linux at a level much higher than C2 which basicaly just means that you have to have an account to log in to the system.
Re:Interesting to test Linux or BSD (Score:1)
http://www.compuniverse.com/rsbac/ [compuniverse.com]
Don't expect it to be tested though - that's expensive. It does raise the bar to B level though.
Re:Linux security rating.. (Score:1)
Which begs the question "Why didn't Microsoft go after a *Red Book* C2 evaluation?" That *does* include networking.
If you're touting yourself as a network OS, you should go after a network rating IMO. Of course, that means the TCB has to extend into the network layer - and C2 isn't exactly a high bar.
So what are we waiting for ? (Score:1)
Re:C2 is the lowest security rating (Score:1)
Link doesn't work (Score:1)
Microsoft VBScript runtime error '800a000d'
Type mismatch 'CInt'
/security/inc/scripts.txt, line 279
Re:C2 is the lowest security rating (Score:2)
Previous propaganda on this issue mentioned two requirements which Linux apparently doesn't have - A SysRq key which puts the system in a secure mode (ctrl+alt+del on NT) and file and directory Access Control Lists.
But then on the other hand, you've say you've got C2-certified Slackware boxes, so what do I know!
--
Re:Getting administrator rights in NT (Score:3)
This is a prime example of Microsoft's one-size-fits-all engineering. The marketing impulse to allow users (or ActiveX controls) to install things that pop into your system tray (like AOL IM or Real) or nag you for registration has outweighed even the most obvious security considerations.
Certainly, this problem is easily fixed with Registry ACLs, but does the average NT Admin who has only read the glowing description of "C2 Security" in the MS manuals know that?
--
Not connected to a network...? (Score:2)
Can you publish this? (Score:2)
Computer Security Classifications (Score:4)
Paraphrased from "Operating Systems Concepts", the dinosaur book (5th ed.), there are four divisions of security model and several levels of each division. In order of increasing security they are:
As other posters have noted, you can't certify an operating system, just a particular installation of that OS on specified hardware at a particular site. So realistically the highest NT or Linux could be certified would be B3, and even that would require a lot of additions to the base system. Don't hold your breath.
Uhh... Now what about Linux? (Score:1)
Incidently, Trusted Solaris could probably get better than a C2 rating, and Secure HP-UX I believe, has earned a B3 rating.
But I think the Linux community should work on certifying Linux as at LEAST a C2 if it seriously hopes to compete with Microsoft's PR game... I mean, let's face it, MS may be making bogus claims, but the pity of it is, there are a lot of managers out there in the corporate world that actually buy MS's claims. I think the only way to fight fire is with fire.
Perhaps you shouldn't be a sysadmin (Score:1)
If you don't even know how to secure other users' profiles on an NT box, you don't really have any business talking about NT security, much less running an NT system. Making these sweeping statements about things you know nothing about honestly don't give me much faith in your ability to secure *nix boxes, either -- it's a good sign that instead of putting in some work to secure your system, you'll just fake your way through it and pray each night that the hackers don't have a field day on your ass. Good luck.
Another amusing note is that Slashdot, with that wonderful Linux security, has been hacked into at least once, while your pals at www.microsoft.com haven't.
Cheers,
ZicoKnows@hotmail.com
Benchmarks, Orange Book Considered Harmful (Score:1)
--------
Re:Not connected to a network...? (Score:1)
A computer that you can only access by sitting down in front of it can be kept under armed guard & video cameras. That tends to discourage hacking attempts.
Re:Not connected to a network...? (Score:1)
See "Trusted Computer System Evaluation Criteria, DOD standard 5200.28-STD" (better known as the Orange Book [tuxedo.org]) for details.
Re:Getting administrator rights in NT (Score:2)
NTFS - not that f**kin' secure.....
I guess it can't have a floppy drive either (Score:2)
utility [eunet.no].
This is bragging rights? (Score:1)
Sheesh.
Re:Interesting to test Linux or BSD (Score:1)
--
More info regarding NT C2 cert. from Infoworld (Score:4)
To summarize, MS obtained a C2 certification for NT3.5 SP3 on a stand alone system (no network connection) running specifically on a Compaq Proliant 2000 or 4000, or a DECpc AXP/150. They did this using the services of a security specialist named Ed Curry, who was a regular poster to the InfoWorld forums. Afterwards he contended that they misrepresented the status of the certification and tried to get him to do the same. He refused and they allegedly forced him out of business.
He posted regularly about his ongoing fight with MS until his death [infoworld.com] a month ago.
No network? (Score:1)
You must also make sure that the computer is not connected to a power supply.
C2 applies to individual systems not the OS itself (Score:5)
No OS can be C2 secure.
Only individual Systems can.
That's right. All that this rating means is that you can make it C2 secure out of the box as long as you follow certain restrictions on usage (locked room with limited access, no connection to a non-secure network). This is not the same as saying the OS itself is C2 secure. For example, if you plug in into a network and you are no longer Orange Box C2 secure. And there are other levels of C2 security, at least one allows you to connect to a secure network. I don't know how they certify networks beyond the fact that every machine must be accredited and that there are no connections to any other networks.
There are many OS's out there that aren't C2 secure out of the box, but can be if you make changes. NT4 is still like this in the US. Where I am at, there is an NT4 workstation in a secure area that is Accredited for Secret data. At first I thought someone made a mistake, but then I learned a little about the accredidation process and it turns out that there is a list of procedures on how to get it to pass certification.
Similarly, you can take a OS that is supposedly C2 secure and make it not C2 secure (by installing a modem, for example). C2 can only certify individual systems, it isn't a blanket statement that the OS itself is secure. As far as I know, there is no such blanket statement (but I'm not familiar with the B* security ratings, so it might exist).
Security targets (Score:1)
If you talk about that stuff with NT advocates ask them what has really been evaluated. The no network issue should be clear for most, but I wonder what else is missing (cant access the site right now). If they did the same thing as with 3.51, the the floppy will be missing as well. Anyone wiht half a brain then should understand what this is really worth (close to nothing IMNSHO).
Re:NT is average (Score:1)
Anything above B2 (including B2) does not allow extra components added to the system (i.e, 3rd-party software), because B2+ systems have EVERYTHING hard-wired at the BIOS (and I mean EVERYTHING).
B1 allows you to add components, but they often need to be certified in and of themselves (this would be like other hardware devices).
Re:Linux security rating.. (Score:1)
1)Microsoft's NT did not receive the certification. A system with NT running on it did.
2) Linux, since it is software, cannot be certified, either -- a system RUNNING Linux can
3) This certification means nothing more than "it's got a place on government Purchase Order forms
In fact, I'm of the belief that Microsoft PURPOSELY designed NT to be "C2" as opposed to "B1" so that it could be implemented in government workplaces.
Hence, 4) an "A1" rating may SOUND prestigious, but it "merely" means VERIFIED DESIGN -- to the last nick and cranny (those of us who have ever tried installing and implementing two or more GPL networking packages knows that Linux is NOT "A1" material)
Sorry to flame you; but from your tone it's obvious you want people to think you know what you're talking about -- and you certainly DO NOT !!
NT is average (Score:5)
C2 equates to 'CONTROLLED ACCESS PROTECTION'. All your software really needs to do to get this classification is require a user login, auditing of security events (read logging), and restricted resources. It doesn't require the system to actually STOP unauthorized activity.
The rating system is as follows:
A1 'VERIFIED DESIGN'
B3 'SECURITY DOMAINS'
B2 'STRUCTURED PROTECTION'
B1 'LABELED SECURITY PROTECTION'
C2 'CONTROLLED ACCESS PROTECTION'
C1 'DISCRETIONARY ACCESS PROTECTION'
'MINIMAL PROTECTION'
Notice NT's not very high in the list, of course few things are.
At http://www.radium.ncsc.mil/tpep/epl/epl-by-class.
Getting administrator rights in NT (Score:5)
First time I leared this, my mouth just dropped wide open.
Re:Cool. This probably means the DoD will adopt... (Score:1)
Some good news here is that DII-COE,the Common Operator Environment (its not common and dosn't operate), is being developed for NT - if its anything like the UNIX version (bloated, unstable, leaky, and confusing) it will make NT's performance so bad you'd think it was running on an XT.
Re:Linux security rating.. (Score:1)
Hellooooooo?!?!?!? Anyone wuth a brain in there?
Orange Book C2 ratings are explicitly defined as being WITHOUT A NETWORK CONNECTION.
Struth.
C2 is Bloat (Score:1)
This means that DLLs which share memory between multiple processes are not allowed. Everything you want to communicate to a system service must be sent through a message queue. Thus, a C2 system can guarantee no-one can exploit data from core files to break security.
Lack of C2 and microkernel architecture are, IMO, one of Linux's key strengths. C2 is a feature bullet that everyone pays the price for. Like one of the other posters said, its like ISO - you have it just to say you have it. Don't bloat my OS with it.
Win 00 is insecure too!! (Score:1)
Re:Getting administrator rights in NT (Score:1)
Notice the 3.51 designation (Score:2)
I found it very interesting, because Microsoft is >AUTOMATICALLY assuming that this rating carries to the new version when it doesn't. The paperwork states pretty plainly that it's only certified on the hardware tested, et. al.
Typical Microsoft Bullshit.
FYI, by the book 3.51 is slightly more secure becuase of the way the video subsystem was coded. Running at Ring 0, and all that. But a quick look on any of the security oriented sites shows that pretty much all of the major holes that exist in 4.0 exist in 3.51 so...
Honestly? It makes you wonder what type of smack they were using when they performed the test.
Which OS managed A1? (Score:1)
RB
Re: No Power Supply (Score:1)
Huh? (Score:1)
Re:Rebutting the furphy that NT is not multi-user (Score:1)
Nice page design (Score:1)
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CInt'
/security/inc/scripts.txt, line 279
Nice job, micro$loth
C2 is Great PR! (Score:2)
How many of you think that a "Network Certification" (CNA, CNE, MCP, MCSE) reallly means anything? It is no guarantee to an employer, but it is helpful to a job applicant that needs an edge to stand out from the rest of the crowd! Likewise, Micro$oft has excelled at what it does best: Great PR! C2 Certification doesn't merit much technical praise, but its goal is not to impress technicians! When the procurement agent for a large organization has to shell out hundreds of thousands of dollars on OS software, which is easier to justify to the Pointy Haired Bosses? One with a "NSA Level C2 Security Rating" or one without it?
Not all OSes are created equal. NT certainly has a ton of weaknesses right out of the box. But so does every distribution of Linux, as well as every flavor of Unix (except specially modified versions known as "secure" or "trusted" UNIX). The common versions of Unix that populate most business and educational organizations are NOT the secure versions offered by their vendors. That is why they can be hacked so easily! But why didn't IBM release "Trusted OS/2 Warp 4"? And where is VA Research "Trusted Linux 9.0"? When will we see Dell/Red Hat's "Trusted Linux 7.0"? Although a C2 security rating isn't the greatest, it is NOT that easy to achieve! Or else, other OSes would be rated, too.
However, a C2-rated box is different from a reliable network. Regardless of the OS, what makes a network great is the work of a great administrator! I have happy customers running Linux and NT boxes. They smile, not because of the vendor's promises, but because of the knowledge I applied to their individual networks.
Work to make Linux better, including "C2 Certification", if needed! Don't waste time responding to every Micro$oft press release!
Linux security rating.. (Score:1)
Nah. Pitcairn or Chatham Is (New Zealand) (Score:1)
Re:Hmm... Hemos should read the articles first (Score:1)
E3 level testing which is UK based.
> Read the article - event the first sentence gives it away: "On April 28th, 1999, the UK Government announced...". Hemos is so busy Microsoft
bashing he forgot that the truth actually has some bearing in the matter.
You, on the other hand, are so busy bashing Hemos that you forget to even read what he has written! Or perhaps more accurately, what he hasn't. The entire post was quoted from a slashdot reader who mailed it in. The slashdot reader DID, in fact, say that it recieved the ITSEC rating, as did the title of the article. He only mentioned the TCSEC rating as a comparison for readers unfamiliar with the ITSEC ratings.
> To further prove his blatant incompetence in news reporting, he went on to say that it wasn't certified on a network. Again, this is blatantly false. A
single click from the Microsoft page gives this (at http://www.itsec.gov.uk/cgi-bin/cplview.pl?docno=
> "The evaluation of Microsoft Windows NT 4.0 excludes Exchange Server, System Management Server (SMS), MS Mail, remote access services
and Clipbook viewer. Domain based security functionality is included up to the transport driver interface; underlying network protocols and
architectures are excluded."
> Gee... Sounds like networking to me!!
> In fact, NT 3.51 is also rated at E3 level *with* network functionality (again Hemos can't get his facts right).
This is correct; however, it was the person who mailed in the story, not Hemos, who made the error. The quote from the reader is represented to be opinion, not fact.
> To put the icing on the cake for the worst reported article in slashdot history he goes on to mention a misconfiguration bug that has been around for
at least a few months now (fixes/workarounds etc. have been around for just as long).
Workarounds, yes - fixes to the underlying problem, no. This is not to say that I would've made the same argument - C2 security is about security concepts, not the actual security of a system. Major implementation problems like this aren't really within its scope.
> Look: If you want to be taken seriously then you have to dump on these losers who would make up the news to bag Microsoft than report the truth.
> If Hemos has any integrity left, he'll post a correction/retraction with what actually happened rather than leave his work of fiction up on the site.
Hemos did not write that posting or represent it to be his writing; Slashdot's stories frequently are quoted from users. Furthermore, the links are the substance of the story, not the personal opinions of the person who wrote it in. Your attitude towards Hemos is grossly inappropiate. Perhaps you should make some effort to understand what is represented to opinion and what is represented as fact, and react accordingly.
Hmm... Hemos should read the articles first (Score:1)
Read the article - event the first sentence gives it away: "On April 28th, 1999, the UK Government announced...". Hemos is so busy Microsoft bashing he forgot that the truth actually has some bearing in the matter.
To further prove his blatant incompetence in news reporting, he went on to say that it wasn't certified on a network. Again, this is blatantly false. A single click from the Microsoft page gives this (at http://www.itsec.gov.uk/cgi-bin/cplview.pl?docno=
"The evaluation of Microsoft Windows NT 4.0 excludes Exchange Server, System Management Server (SMS), MS Mail, remote access services and Clipbook viewer. Domain based security functionality is included up to the transport driver interface; underlying network protocols and architectures are excluded."
Gee... Sounds like networking to me!!
In fact, NT 3.51 is also rated at E3 level *with* network functionality (again Hemos can't get his facts right).
To put the icing on the cake for the worst reported article in slashdot history he goes on to mention a misconfiguration bug that has been around for at least a few months now (fixes/workarounds etc. have been around for just as long).
Look: If you want to be taken seriously then you have to dump on these losers who would make up the news to bag Microsoft than report the truth. If Hemos has any integrity left, he'll post a correction/retraction with what actually happened rather than leave his work of fiction up on the site.
Re:Load Of Bollocks (Score:1)
Back at you... (Score:1)
Prob #1: ITSEC is no worse than TCSEC, nor is it any better. It is apples and oranges. You imply that passing ITSEC/E3 is a breeze compared to TCSEC/C2. This is simply not true. They actually compared different things - ITSEC looks at operating systems (in this case) and TCSEC looks at a particular system from the hardware up.
Prob #2. NT 3.5 has as much to do with NT 4.0 as Linux 1.0 has to do with Linux 2.0. It shows the history of the system as secure and not just a patch added to make the current system pass. BTW - lots of people still use NT 3.51.
Prob #3. E3 security is *not* weakened by floppy, network card etc. Again, if you bothered to read the facts you would find that ITSEC/E3 has evaluated NT to include networking and domain level authentication.
If you guys want to be taken seriously, you really should start posting facts and stop making it up as you go along.
Re:Do you know what "excluded" means? (Score:1)
Look at the NT architecture. TDI is the interface to TCP/IP, IPX, NetBEUI, Appletalk and everything else on the network. What they are saying is that they are evaluating the security of NT, not the security of the protocols - which are pretty insecure on the most part.
So, to answer the question: Yes. I do know what "excluded" means.
Re:Hmm... Hemos should read the articles first (Score:1)
My apologies to Hemos on that count.
Also, I agree - the reader didn't say NT4 got C2. Damn these public forums for keeping me honest.
As for the "security hole" in NT - If you want to plug this one you can do a number of things. The most obvious is to disable posix and os/2 subsystems!! I believe this is documented well enough in just about every secure installation guide. If you don't care about users creating drive mappings you can change the permissions on the '??' object directory as well (which is identical to setting permissions on
I'm not convinced of the 'major implementation problem' yet.
Again, my apologies to Hemos. It really wasn't his fault the original mail was woefully inaccurate and more FUD than Fact.
Physical Access can blow security wide open anyway (Score:1)
What's really bad about this is not that Microsoft can get a rating for Windows NT, but that they don't seem to realise how limited it is.
any docs on using that exploit? (Score:1)
There is no builtin way to mess with the Object Tree in NT4. Even WinObj (www.sysinternals.com) doesn't let you actually edit the tree. Furthermore, the permissions can be reset with the proper kernel patches.
As to the complaints of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
NT was never intended to be a multi-user platform, at least in the traditional sense. It was designed so that different users could login and use the same programs, with their own unique preferences, _serially_, and carry those preferences to any other computer they used.
The biggest problem Ive found with NT is not inherent to the OS. It has to do with third-party parogrammers (and, sadly, some M$ programmers too) not programming with the assumption that the user will only have read access. Netscape, Corel, Adobe, M$ Office 95/97 (but not 2000), and most stat packages all require unacceptably high access to the registry and/or filesystem. (Most _require_ write access to non-user specific preferences files, or a few application-specific registry entries).
Give me apps that adhere to NT profile policies, and that can run in an entirely read-only environment, and you'd be surprised how secure I can make that workstation.
NT4 rated E3/F-C2 but what does this mean? (Score:1)
Note also that for NT they went for E3/F-C2 rather than the E2/F-C2 that the ITSEC says is intended to correspond to TCSEC class C2, and this brings in things like having to provide the evaluator with "Source code or hardware drawings for all security enforcing and security relevant components".
Under the TCSEC you did not have to show that a system was "relatively resistant to penetration" until B2 (corresponds to E4/F-B2) and ITSEC does not seem to have anything like this phrase - perhaps because it is meaningless and there is no way to test for something so vague. Passing the E3/F-C2 level of evaluation does not mean there are no ways to break in, and this is just as true of the Unixes that have been evaluated as it is for NT.
Another thing to note is that at least one version of Unix has been evaluated at the less stringent E2/F-C2, and many have not been evaluated at all.
Passing the evaluation is not really anything to boast about, but failure would have been embarrasing.
The limit for NT but the baseline for Unix (Score:1)
Says who?
I doubt if the vendors with E3/F-B1 evaluations would agree; Trusted Solaris from Sun for example. There have even been B3 (under TCSEC) rated systems that can reasonably be described as 'general purpose'.
Microsoft may think E3/F-C2 is hard - after all, Windows 95/98 do not have the required functionality.
NT passed, Microsoft have a right to say it did. That Microsoft thinks this is the highest NT can go is the interesting point - most versions of Unix don't go any higher, but there are several examples to show that they can if the vendor is prepared to put in the effort (and pay for an evaluation).
Re:"C2" and "security" (Score:2)