FYI - C2 certifications are configuration dependent. What was the
configuration that passed this evaluation? How much was the standard
installation modified to meet C2? Did the configuration include a network
connection? A RAS connection? A floppy disk drive? Who performed the
evaluation? Was it an operational test or a paper compliance? Did it
include any noted exceptions? Last I heard, and it was some time ago, NT did
not do object reuse properly.

SCO Unix passed C2 but only in a diskless configuration. A point that SCO
failed to mention in their certification announcement.
The box would not pass if it had a disk drive installed because it could be
booted on the install media, interrupted, and the user
would have root privilege access to the file systems. This fails the basic
C2 access control requirement.

I wonder what would happen if I booted an NT server on DOS and ran the mount
NTFS utility? What level of access would I have to the file systems?

Beware the spin-masters of marketing, things are not always what they seem.

> -----Original Message-----
> From: Don Kelloway [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, June 02, 1999 5:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Why not NT?
>
> Sure, I think we can all agree that an "out-of-the-box" default NT
> installation is far from being considered secure.
>
> But IMO, I think people are either forgetting or overlooking the fact that
> the Windows NT4 op/sys can be made "C2" and "E3/F-C2" secure and that the
> installation of a properly configured NT-based firewall on top of such a
> system can provide an equally solid, stable, security solution as any
> other...
>
> For those who aren't familiar with the acronyms mentioned above:
>
> "E3/F-C2" is widely acknowledged to be the highest ITSEC evaluation rating
> that can be achieved by a general-purpose operating system and "C2" is
> widely acknowledged to be the highest TCSEC evaluation rating that can be
> achieved by a general-purpose operating system.
>
>
> With regards to NT4's "E3/F-C2" compliance, here's a brief summary:
>
> On April 28th, 1999, the UK Government announced that Microsoft® Windows
> NT® Server and Workstation 4.0 had completed a successful evaluation under
> the ITSEC regime at the E3/F-C2 level. E3/F-C2 is widely acknowledged to be
> the highest ITSEC evaluation rating that can be achieved by a
> general-purpose operating system.
>
> For the rest, see
> http://www.microsoft.com/security/issues/e3fc2summary.asp
>
>
> Although NT4 is in the process of achieving C2 certification, here's a
> brief summary:
>
> On October 2nd, 1998, Microsoft completed a significant milestone in the
> evaluation of Microsoft® Windows NT® Server and Workstation 4.0 against
> the C2 requirements of the US Government's Trusted Computer System
> Evaluation Criteria (TCSEC). C2 is widely acknowledged to be the highest
> TCSEC evaluation rating that can be achieved by a general-purpose
> operating system.
>
> For the rest, see http://www.microsoft.com/security/issues/c2summary.asp
>
>
> In closing and for those who may be unaware, there *are* established
> procedures available to ensure that the NT4 op/sys can be made ITSEC
> E3/F-C2 compliant. Just download the following document at
> http://www.microsoft.com/security/downloads/ITSEC_NT4.0_Installation.EXE
>
>
> Best Regards,
> Donald Kelloway
> Escalations Engineer
>
> Elron Software, Internet Products Division
> One Cambridge Center, 11th Floor
> Cambridge MA 02142
> 800-767-6683 or 617-914-5000
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]