Slashdot Mirror


NT4 awarded E3/F-C2 security classification

An anonymous reader wrote in to say "Microsoft has announced that NT was awarded this security classification, equivalent to the US C2 security classification, under the ITSEC, the UK's IT Security Evaluation Criteria. As with the NT 3.5 C2 rating, this doesn't include being connected to a network. This is interesting, given that any local user on NT 3.5 or above server or workstation can become a member of the administrators group, which is not a Good Thing for a secure system... "

5 of 127 comments

  1. C2? Ha! by Anonymous Coward · · Score: 5
    You can poop in a box and get it certified C2. There's no real heavy "security" involved beyond passwords and keeping people out of each other's stuff on the system.

    I went through B1 certification, and I'm telling you the people doing the certification didn't know what the heck they were doing. They had good intentions and everything, but they just didn't have it.

    The problem that I saw during our certification is that the kids they hire to do the work just didn't have the background to do the work. There were a number of HUGE security holes (writing to the password file, in three different ways) that I found after the product was supposedly certified.

    The certification process is just busy work for people who want a rubber stamp on something to make them feel better. Just like that ISO 9000 junk.

  2. C2 is the lowest security rating by Anonymous Coward · · Score: 5

    Basically, the C2 rating is about as low as you can go. Any *nix machines which are not connected to a network are automatically C2 rated.

    The rating talks about single user access, the ability to recognize when a document has been looked at or modified (atime and mtime file attributes), a logging/audit system to show what has happened on a system (syslog, sulog), and the ability for one user to not look at or modify another user's files (chmod, chown, chgrp). There also has to be a way to physically secure the machine, hence no external communication devices (network or modem). It must be physically secured in a lockable room in a building which also meets certain physical access requirements (security guard and wearing badges).

    That's it. Nothing special.

    But it took some work to make a special version of NT to meet this rating. Read the article, they talk about how the administrator cannot change the permissions of a file back to the original owner, that is the one thing they broke to get the rating.

    Anyone who actually has to buy equipment that is rated for Orange Book levels will not be impressed by this (most will laugh at it), but this was published by microso~1 PR and marketing to impress those who don't know anything about security. File this one under FUD.

    If you remove the network card and modem from your linux box, and ensure that every account has a password and turn on accounting, your box can also be declared C2 rated. I have a C2 rated room next door with a number of Slackware machines running standalone, with their little C2 certificates in a pouch on the side.

  3. C2 applies to individual systems not the OS itself by swilly · · Score: 5

    NT 3.51 (or was it 3.5) was C2 secure, it was only a matter of time before NT4 would be. And let's get a few things straight:

    No OS can be C2 secure.
    Only individual Systems can.

    That's right. All that this rating means is that you can make it C2 secure out of the box as long as you follow certain restrictions on usage (locked room with limited access, no connection to a non-secure network). This is not the same as saying the OS itself is C2 secure. For example, if you plug it into a network, you are no longer Orange Box C2 secure. And there are other levels of C2 security, at least one allows you to connect to a secure network. I don't know how they certify networks beyond the fact that every machine must be accredited and that there are no connections to any other networks.

    There are many OS's out there that aren't C2 secure out of the box, but can be if you make changes. NT4 is still like this in the US. Where I am at, there is an NT4 workstation in a secure area that is Accredited for Secret data. At first I thought someone made a mistake, but then I learned a little about the accreditation process and it turns out that there is a list of procedures on how to get it to pass certification.

    Similarly, you can take an OS that is supposedly C2 secure and make it not C2 secure (by installing a modem, for example). C2 can only certify individual systems, it isn't a blanket statement that the OS itself is secure. As far as I know, there is no such blanket statement (but I'm not familiar with the B* security ratings, so it might exist).


  4. NT is average by Versalis · · Score: 5

    This is really not a very good rating, just average.

    C2 equates to 'CONTROLLED ACCESS PROTECTION'. All your software really needs to do to get this classification is require a user login, auditing of security events (read logging), and restricted resources. It doesn't require the system to actually STOP unauthorized activity.

    The rating system is as follows:

    A1 'VERIFIED DESIGN'
    B3 'SECURITY DOMAINS'
    B2 'STRUCTURED PROTECTION'
    B1 'LABELED SECURITY PROTECTION'
    C2 'CONTROLLED ACCESS PROTECTION'
    C1 'DISCRETIONARY ACCESS PROTECTION'
    'MINIMAL PROTECTION'

    Notice NT's not very high in the list, of course few things are.

    At http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html you can read some brief info on these classifications. If you want info coming out the whazoo on this kind of thing browse around http://www.radium.ncsc.mil/

  5. Getting administrator rights in NT by mhm23x3 · · Score: 5
    It's pretty simple when any user can access and change the registry. Just put an entry in HKEY_Local_Machine/Software/Microsoft/Windows/Current_version/Run - You can run whatever you want at startup, regardless of user privilege.

    First time I learned this, my mouth just dropped wide open.

    --

    No sig.
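
An added example, not part of the comment above or of the original page: a defender's audit of who holds write access to the machine-wide Run key that comment 5 refers to. It assumes a Windows system with PowerShell (which postdates NT4), uses the key's actual name `CurrentVersion\Run`, and treats the `$trusted` list as a local-policy assumption.

```powershell
# Added example: report unexpected principals that can write to the
# machine-wide autostart keys (actual key name is CurrentVersion\Run).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: only these principals should hold write access; adjust to policy.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that allow adding or changing an autostart value, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some
# ACEs carry instead of specific registry rights.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($ace in (Get-Acl -Path $key).Access) {
        # Only Allow entries grant access; Deny entries are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Skip entries that carry no write-capable bit.
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        # Skip principals that are expected to be able to write here.
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Key       = $key
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No unexpected write access on the audited Run keys.'
}
```

Any row naming a broad group such as `Everyone` or `BUILTIN\Users` means an unprivileged account can register a program that runs at the next logon of any user, including an administrator.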