NT4 awarded E3/F-C2 security classification
An anonymous reader wrote in to say "Microsoft has announced that NT was awarded this security classification, equivalent to the US C2 security classification, under the ITSEC, the UK's IT Security Evaluation Criteria. As with the NT 3.5 C2 rating, this doesn't include being connected to a network.
This is interesting, given that any local user on NT 3.5 or above server or workstation can become a member of the administrators group, which is not a Good Thing for a secure system... "
It specifically says that each site has the ability to inspect the source code used in all components of the system. I wonder if M$ is going to allow a copy of the source code to be delivered to each site that applies for an E3/FC-2 rated system. Where I work has a security clearance, but we don't currently have any NT machines in the secure areas. I wonder what would happen if I asked for one :-)
C2 has never struck me as being so much about "security" as it is about "accountability".
:)
While I generally love to pick on Micros~1 products, I think we're picking on the wrong people-- the DoD and the UK ITSEC.
The big reason NT is C2 rated is not because you can't break in (good thing-- you can!) -- it's because Administrator can't muck with your files without taking ownership of 'em himself. Or, well, that's what Micros~1 claims.
So when your files get mucked with, you can tell, because they ain't your file anymore. And you know who owns it now (Administrator can't give 'em back, according to the docs), so you know who (or, well, which account...) did it.
So yeah, NT probably _is_ C2 compliant. It's just that from a security standpoint, C2 doesn't mean diddly. That's not Micros~1's fault, that's the fault of our dain-bramaged government. The same folks who tell you that PGP is a munition.
With so many idiots running around, it's hard to tell which is which...
Those `organizations' should stop certifying C2. It provides little value, and it misleads a lot of people into thinking their systems are secure. If they truly believe in their mission, it's immoral to be accomplices in such a scam.
I went through B1 certification, and I'm telling you the people doing the certification didn't know what the heck they were doing. They had good intentions and everything, but they just didn't have it.
The problem that I saw during our certification is that the kids they hire to do the work just didn't have the background to do the work. There were a number of HUGE security holes (writing to the password file, in three different ways) that I found after the product was supposedly certified.
The certification process is just busy work for people who want a rubber stamp on something to make them feel better. Just like that ISO 9000 junk.
Basically, the C2 rating is about as low as you can go. Any *nix machines which are not connected to a network are automatically C2 rated.
The rating talks about single user access, the ability to recognize when a document has been looked at or modified (atime and mtime file attributes), a logging/audit system to show what has happened on a system (syslog, sulog), and the ability for one user to not look at or modify another user's files (chmod, chown, chgrp). There also has to be a way to physically secure the machine, hence no external communication devices (network or modem). It must be physically secured in a lockable room in a building which also meets certain physical access requirements (security guard and wearing badges).
That's it. Nothing special.
But it took some work to make a special version of NT to meet this rating. Read the article, they talk about how the administrator cannot change the permissions of a file back to the original owner, that is the one thing they broke to get the rating.
Anyone who actually has to buy equipment that is rated for Orange Book levels will not be impressed by this (most will laugh at it), but this was published by microso~1 PR and marketing to impress those who don't know anything about security. File this one under FUD.
If you remove the network card and modem from your linux box, and ensure that every account has a password and turn on accounting, your box can also be declared C2 rated. I have a C2 rated room next door with a number of Slackware machines running standalone, with their little C2 certificates in a pouch on the side.
You can secure any registry node - it simply follows the NT security rules. Whether it comes secure as default I don't know, but I didn't want you to continue believing that any user always has full access to the registry - it's not true.
perl -e 'print scalar reverse q(\)-: ,hacker Perl another Just)'
Matt. Want XML + Apache + Stylesheets? Get AxKit.
I can't believe that Microsoft has the balls to blatantly try to compare ITSEC to TCSEC, and then relate that to their product.
Problem #1: Just because two grades of security are nearly equivalent, does not mean you can interpret that everything (or anything, actually) that applies towards one has the same meaning towards the other. You either have a C2 rating, or you don't have a C2 rating. I'm pretty sure that if I ran a computer store, and had a bunch of technicians who had graduated from the local community college specializing in desktop PC construction and repair, that I would be in the middle of a lawsuit if I tried to advertise that that was equivalent to an A+ Certification.
Problem #2: On MicroSoft's blurb page, they list the certification level of NT 3.5. Who uses that anymore? What does it have to do with 4.0?
Problem #3: Finally, the big issue is that the level of certification they claim to have reached is not just weakened, but completely invalid if the machine has a network card, modem, or other remote access device in it, or even something as simple as a floppy drive. What do people who would be attracted to this kind of jibber-jabber get NT for? So they can put their super-secret company resources on a network and have it be "safe".
I have seen Microsoft do some lame things to try to make their product look like more than it really is, but this insults my intelligence as a professional.
On this stock NTS4 SP4 box the Run key is Everyone = Set Value, so mhm23x3's comment is probably correct for 80%+ of the NT boxes out there.
This is a prime example of Microsoft's one-size-fits-all engineering. The marketing impulse to allow users (or ActiveX controls) to install things that pop into your system tray (like AOL IM or Real) or nag you for registration has outweighed even the most obvious security considerations.
Certainly, this problem is easily fixed with Registry ACLs, but does the average NT Admin who has only read the glowing description of "C2 Security" in the MS manuals know that?
--
Business. Numbers. Money. People. Computer World.
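An added example, not part of the thread or any poster's code: one way to audit the condition described in the comment above (a broad group holding Set Value on an autostart key). It assumes a Windows system with PowerShell, which postdates NT 4, and the standard HKLM Run and RunOnce key paths; the function name `Get-WeakAutostartAce` is hypothetical.

```powershell
# Added example: list Allow ACEs that let broad groups write to autostart keys.
# Assumptions: PowerShell is available (not the case on NT 4 itself) and the
# keys audited are the standard HKLM Run/RunOnce locations.
function Get-WeakAutostartAce {
    param(
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        ),
        # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
        # SIDs are used instead of names so the check works on localized systems.
        [string[]]$BroadSid = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    )

    # Rights that allow adding or changing an autostart entry or the ACL itself.
    # WriteKey/FullControl are avoided as masks because they share bits with read access.
    $specific = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear unmapped in ACEs.
    $writeMask = [int]$specific -bor 0x50000000

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -Path $path)) { continue }
        $acl = Get-Acl -Path $path
        # Ask for explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadSid -notcontains $ace.IdentityReference.Value) { continue }
            $granted = [int]$ace.RegistryRights -band $writeMask
            if ($granted -eq 0) { continue }

            [pscustomobject]@{
                Key         = $path
                Sid         = $ace.IdentityReference.Value
                Rights      = $ace.RegistryRights
                IsInherited = $ace.IsInherited
            }
        }
    }
}

# Any row returned means a non-administrative group can alter what runs at logon.
Get-WeakAutostartAce | Format-Table -AutoSize
```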
So it's C2 when it's not connected to a network. But any system which you have physical access to is inherently insecure (reboot w/ a boot disk, open up the box and remove the hdd, and so on). Maybe it's just me but this kinda seems like a bit of an oxymoron. Why not remove the monitor and keyboard too while you're at it? Hey, remove the power cord, and lock the box in a safe. Then no one will be able to hack it.
-matt
I know that C2 doesn't mean much, but could you publish publicly this info that you have a bunch of standard slackware Linux boxes that have a C2 rating? It would be nice publicity for Linux, especially for those who have no idea what any of C2 security means.
They laughed at Einstein. They laughed at the Wright Brothers. But they also laughed at Bozo the Clown. -- C. Sagan
Paraphrased from "Operating Systems Concepts", the dinosaur book (5th ed.), there are four divisions of security model and several levels of each division. In order of increasing security they are:
As other posters have noted, you can't certify an operating system, just a particular installation of that OS on specified hardware at a particular site. So realistically the highest NT or Linux could be certified would be B3, and even that would require a lot of additions to the base system. Don't hold your breath.
Your right to not believe: Americans United for Separation of Church and
You can lock users out of the registry, but creating a .reg file and merging it will do the same if you know the syntax. Additionally, you could put anything you want in the startup group and power-cycle it, make changes to the autoexec.bat/autoexec.nt, boot from a dosntfs floppy (if ntfs is enabled), or there's the getadmin exploit.
NTFS - not that f**kin' secure.....
check this out nice utility.
c7five
The topic of NT's C2 certification comes up on InfoWorld from time to time. Nick Petreley wrote an editorial and hosted a discussion forum about this in July 1998.
To summarize, MS obtained a C2 certification for NT3.5 SP3 on a stand alone system (no network connection) running specifically on a Compaq Proliant 2000 or 4000, or a DECpc AXP/150. They did this using the services of a security specialist named Ed Curry, who was a regular poster to the InfoWorld forums. Afterwards he contended that they misrepresented the status of the certification and tried to get him to do the same. He refused and they allegedly forced him out of business.
He posted regularly about his ongoing fight with MS until his death a month ago.
NT 3.51 (or was it 3.5) was C2 secure, it was only a matter of time before NT4 would be. And let's get a few things straight:
No OS can be C2 secure.
Only individual Systems can.
That's right. All that this rating means is that you can make it C2 secure out of the box as long as you follow certain restrictions on usage (locked room with limited access, no connection to a non-secure network). This is not the same as saying the OS itself is C2 secure. For example, if you plug it into a network, you are no longer Orange Box C2 secure. And there are other levels of C2 security, at least one allows you to connect to a secure network. I don't know how they certify networks beyond the fact that every machine must be accredited and that there are no connections to any other networks.
There are many OS's out there that aren't C2 secure out of the box, but can be if you make changes. NT4 is still like this in the US. Where I am at, there is an NT4 workstation in a secure area that is Accredited for Secret data. At first I thought someone made a mistake, but then I learned a little about the accreditation process and it turns out that there is a list of procedures on how to get it to pass certification.
Similarly, you can take an OS that is supposedly C2 secure and make it not C2 secure (by installing a modem, for example). C2 can only certify individual systems, it isn't a blanket statement that the OS itself is secure. As far as I know, there is no such blanket statement (but I'm not familiar with the B* security ratings, so it might exist).
This is really not a very good rating, just average.
At http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html you can read some brief info on these classifications. If you want info coming out the whazoo on this kind of thing browse around http://www.radium.ncsc.mil/
C2 equates to 'CONTROLLED ACCESS PROTECTION'. All your software really needs to do to get this classification is require a user login, auditing of security events (read logging), and restricted resources. It doesn't require the system to actually STOP unauthorized activity.
The rating system is as follows:
A1 'VERIFIED DESIGN'
B3 'SECURITY DOMAINS'
B2 'STRUCTURED PROTECTION'
B1 'LABELED SECURITY PROTECTION'
C2 'CONTROLLED ACCESS PROTECTION'
C1 'DISCRETIONARY ACCESS PROTECTION'
D 'MINIMAL PROTECTION'
Notice NT's not very high in the list, of course few things are.
First time I learned this, my mouth just dropped wide open.
No sig.
I don't know if you noticed guys. But the only version they certified was 3.51. NOT 4.0
I found it very interesting, because Microsoft is AUTOMATICALLY assuming that this rating carries to the new version when it doesn't. The paperwork states pretty plainly that it's only certified on the hardware tested, et. al.
Typical Microsoft Bullshit.
FYI, by the book 3.51 is slightly more secure because of the way the video subsystem was coded. Running at Ring 0, and all that. But a quick look on any of the security oriented sites shows that pretty much all of the major holes that exist in 4.0 exist in 3.51 so...
Honestly? It makes you wonder what type of smack they were using when they performed the test.
Everyone knows that a C2 security rating is low on the list. But frankly, Micro$oft has taken the time (and money) to do something that other vendors should also do.
How many of you think that a "Network Certification" (CNA, CNE, MCP, MCSE) really means anything? It is no guarantee to an employer, but it is helpful to a job applicant that needs an edge to stand out from the rest of the crowd! Likewise, Micro$oft has excelled at what it does best: Great PR! C2 Certification doesn't merit much technical praise, but its goal is not to impress technicians! When the procurement agent for a large organization has to shell out hundreds of thousands of dollars on OS software, which is easier to justify to the Pointy Haired Bosses? One with a "NSA Level C2 Security Rating" or one without it?
Not all OSes are created equal. NT certainly has a ton of weaknesses right out of the box. But so does every distribution of Linux, as well as every flavor of Unix (except specially modified versions known as "secure" or "trusted" UNIX). The common versions of Unix that populate most business and educational organizations are NOT the secure versions offered by their vendors. That is why they can be hacked so easily! But why didn't IBM release "Trusted OS/2 Warp 4"? And where is VA Research "Trusted Linux 9.0"? When will we see Dell/Red Hat's "Trusted Linux 7.0"? Although a C2 security rating isn't the greatest, it is NOT that easy to achieve! Or else, other OSes would be rated, too.
However, a C2-rated box is different from a reliable network. Regardless of the OS, what makes a network great is the work of a great administrator! I have happy customers running Linux and NT boxes. They smile, not because of the vendor's promises, but because of the knowledge I applied to their individual networks.
Work to make Linux better, including "C2 Certification", if needed! Don't waste time responding to every Micro$oft press release!