TheRegister: NT scales C2 security heights -- but what about Win2k?Dec 08, 1999, 14:40 (16 Talkback[s])
(Other stories by Tim Richardson, Linda Harrison)
"Microsoft announced this week that it has received Orange Book C2 certification for NT 4.0, and FIPS 140-1 validation of the cryptographic services in Windows 95, Windows 98, NT 4 and Windows 2000. Microsoft says that "customers now have formal, third-party verification of the security" of these operating systems. Microsoft also said that "C2 is generally acknowledged to be the highest rating a general-purpose operating system can achieve", something that it has said before, but in different context, as we shall see."
"First let's recap on these coloured books. The US Department of Defense, through the US National Computer Security Center (NCSC, part of the National Security Agency), has a series of "rainbow" books, known as the DoD Trusted Computer System Evaluation Criteria. The Orange Book defines the criteria, but the Red Book is an interpretation of the Orange Book. The Red Book came about because the Orange Book was inadequate with regard to networking. There is also a Blue Book for advanced systems. The criteria are hopelessly out-of-date in many respects, because it takes so long for security organisations to develop standards."
"The only C2 security that Microsoft had previously received was Orange Book for Windows NT 3.5 (not 3.51) - but it was required that networking was disabled, that the floppy disk drive was disabled, and that the standard file system permissions were changed to be very restrictive, along with many permissions in the registry. Some cynics compared the process with castration. At the time, Enzo Schiano, a Windows NT Server product manager also noted that C2 presumes that the PC is kept locked away from unauthorised users since it was only necessary to remove the hard disc to get access to all the data."