Slashdot Mirror


Windows NT 4.0 C2 Evaluation finished

DevNu11 writes "Windows NT 4.0 SP6a + Hotfixes + Trusted configuration finished evaluation under the TCSEC program. This page has a configuration guide for deploying a system in a C2-evaluated configuration. A text on the bottom of the page points out the differences of NT being secure and that someone could configure NT to be secure."

33 of 155 comments

  1. Re:Read between the lines. by Seth Scali · · Score: 2

    Give me a break-- the whole NSAKEY thing is most likely benign. And even if you believe differently, you can change the second damn key.

    However, I'd say this adds some light to the subject.

    Part of the C2 evaluation process is "Fix bugs. Repeat." Perhaps the testers found some sort of minor bug in the source code that could only be corrected by the addition of a new key (or that could be fixed *most easily* by the addition of a new key). Microsoft adds the key to appease the testers (who happen to work for a branch of the NSA). What's the logical variable name for the key? NSAKEY.

    Is this a plausible explanation?

  2. What if Linux got C2? by Rebirth · · Score: 2

    If Linux had gotten C2 certification then everybody would be happy and say how good it was. Now that NT got it everybody is trying to shoot it down. How about talking about how Microsoft could improve it... I know most readers of Slashdot are pro-Linux anti-Microsoft people, but because one OS got something you don't have to start bagging on it.

  3. Modification list to NT by Sulka · · Score: 5

    Procedure for C2 NT installation, from the doc:

    Unpack and set up hardware
    Set power-on password
    Install Windows NT
    Restart Windows NT as Administrator
    Verify video driver
    Install Printer and Tape Drivers
    Install Service Pack 6a
    Install C2 Update (KB Q244599, Q243405, Q243404, and Q241041)
    Enable hardware boot protection
    Remove the NetBIOS Interface service
    Disable unnecessary devices
    Disable unnecessary services
    Disable Guest account
    Remove OS/2 and POSIX subsystems
    Secure base objects
    Secure additional base named objects
    Protect kernel object attributes
    Protect files and directories
    Protect the registry
    Restrict access to public Local Security Authority (LSA) information
    Restrict null session access over named pipes
    Restrict untrusted users' ability to plant Trojan horse programs
    Disable caching of logon information
    Allow only Administrators to create shares
    Disable direct draw
    Restrict printer driver installation to Administrators and Power Users only
    Set the paging file to be cleared at system shutdown
    Restrict floppy disk drive and CD-ROM drive access to the interactive user only
    Enable NetBT to open TCP and UDP ports exclusively
    Modify user rights memberships
    Set auditing (if enabled) for base objects and for backup and restore
    Disable blank passwords
    Restrict system shutdown to logged-on users only
    Set security log behavior
    Restart the computer
    Update the Emergency Repair Disk

    No POSIX, eh? I can understand most of the mods, but to me it seems like the machine pretty much becomes a dumb terminal after all of this.

    sulka

    --
    "Although it is not true that all conservatives are stupid, it is true that most stupid people are conservative."
    1. Re:Modification list to NT by Etyenne · · Score: 2

      Remove the NetBIOS Interface service
      and
      Enable NetBT to open TCP and UDP ports exclusively

      Remember: NetBT == NetBIOS over TCP/IP

      Am I missing something, or do we have a contradiction here? (disabling NetBIOS and configuring it for TCP/IP ...)

      --
      :wq
    2. Re:Modification list to NT by billstewart · · Score: 2

      As Anonymous Coward suggests, the Posix services let government buyers check off Posix compliance when deciding to buy a product. To some extent, that's the same reason C2 security is important. On the other hand, it's probably easier to get the auditors to give you a waiver on Posix than on C2.

      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  4. Configured to be secure... by SecretAsianMan · · Score: 2

    Remember, there is also a difference of _Linux_ being secure and that someone could configure Linux to be secure. No matter how much more secure Linux or NT is than the other, both operating systems must be set up correctly. That includes applying updates. I personally highly doubt that any Linux distros could receive C2 right out of the box.

    --

    Washington, DC: It's like Hollywood for ugly people.

  5. Re:C2 Evaluation -Full Text- a quote by Money__ · · Score: 2
    An outtake from the full text, under "Platforms Included": The evaluated hardware configuration includes Compaq Professional Workstation 5100, Compaq Professional Workstation 8000, Compaq Proliant 6500 Server, and Compaq Proliant 7000 Server. No other model may be substituted if the setup is to conform to the evaluated C2 configuration.

  6. Re:Linux and C2 certification by krh · · Score: 2

    On the subject of OpenBSD, I'll quote Theo from misc@openbsd:

    > You know what C2 means?
    >
    > It means you have ACLs, and you log a number of system events.
    >
    > So ACLs and syslog.
    >
    > Really.
    >
    > Oh, except you also need GOBS AND GOBS OF MONEY to get it certified.
    >
    > In my opinion, ACLs are just a way for system administrators to shoot themselves in the foot.

    I wouldn't look for a rating of this sort in OpenBSD.

  7. Linux and C2 certification by mertner · · Score: 4
    What would it take to get a version of Linux certified in the same way? Lots of money, or just lots of carefully configured pieces of software? Is it not something

    While I think general consensus is that NT's C2 certification is pretty useless (it has to be configured in a way to make it of even less use than normally), it still puts NT on the scoreboard when compared against Linux.

    --
    -- As long as the answer is right, who cares if the question is wrong?
    1. Re:Linux and C2 certification by Hawke · · Score: 5
      Um, B-rated OS's require MAC capability. I do not believe OpenBSD has that. At the B level, it's not just an administration thing. The MAC component really makes the systems unusable for normal work.

      MAC == Mandatory Access Control. Basically the OS supplies some rules about resource access that trump the rules provided by permissions. Think of tagging processes with a tag like "Secret". A process running at Secret can open Secret, Classified, and Unclassified files, but everything it writes is always tagged Secret. It can't read TopSecret files or write to them.

      By the time you add in control of covert channels, you have to jump through some really weird hoops to get a B rating.

      C-2 rated systems require a Secure Attention Key (basically some way to guarantee you have a real login screen, and not a fake one. Ctrl-Alt-Delete in NT) which I don't think the Open Source unixen have yet. Other than that we're in good shape.

      Solaris has a B-2 rated OS (Trusted Solaris) and a C-2 rated OS if I recall correctly. C-2 mode on a Solaris box turns on a lot of auditing, turns off Stop-A, and does a few other things I forgot.

    2. Re:Linux and C2 certification by noop · · Score: 3

      http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html
      is a list of what's ranked as what..
      Looks like trusted XENIX is going to be the highest rated.

      I'm not sure the SAK is required; openVMS 6.0 and 6.1 are listed as C2 and it doesn't mention anything about a secure logon key sequence (they do for NT).

      You know, since they don't rate at the level anymore, Linux could just claim C1 rating, and most people would assume that it's one better than NT.
      hehehe

      --
      dronf!
    3. Re:Linux and C2 certification by Anonymous Coward · · Score: 2

      C-2 rated systems require a Secure Attention Key (basically some way to guarantee you have a real login screen, and not a fake one. Ctrl-Alt-Delete in NT) which I don't think the Open Source unixen have yet.

      Ctrl-Alt-Del on NT can be masked simply by filtering the keyboard device. See this page for helpful source code.

      And with a support program (preferably a service) you can create a new desktop object and mimic the Logon screen :-))).

      Conclusion: Anybody with "Install new device" privilege can overcome SAS. In reality every Admin has this privilege.

    4. Re:Linux and C2 certification by El Volio · · Score: 2

      I'd be interested in knowing what Un*ces in general have various levels of certification (yes, I recognize that it must be as part of a particular configuration). For instance, what levels of security certification have been granted to OpenBSD systems?

      --

      "You can never have too many elephants on your team."

    5. Re:Linux and C2 certification by randombit · · Score: 2

      Trusted DG/UX has been rated B2, which is pretty good. I'd bet a few bucks OpenBSD could achieve a similar rating. Solaris could probably make C2 at least, but hasn't been rated officially AFAIK. Several *nix vendors make "trusted" versions, like Trusted IRIX and Trusted HP/UX. However, based on my experiences with both of those OSes' 'normal' configurations, I don't think they would do too well... though it is mostly an administration thing.

  8. Re:This proves it... by Anonymous Coward · · Score: 2

    People...

    Please understand the difference between "certification" and "evaluation" before foaming.

    A particular installation of a software product on a machine and its particular physical environment can be certified at a particular level while the software product itself cannot be certified.

    One could take a B2 evaluated "Trusted Information Systems, Inc. Trusted XENIX 3.0" and install it in a particular physical environment and have that installation certified at B2 or whatever level one can afford. The same "Trusted Information Systems, Inc. Trusted XENIX 3.0" can also be installed on a public machine with little yellow stickers on it with logins and passwords, and, while "Trusted Information Systems, Inc. Trusted XENIX 3.0" remains evaluated at a B2 level, the particular installation would probably not receive the same B2 (or any) certification.

  9. Re:What everybody's asking... by Gurlia · · Score: 2

    Security ratings are just like MHz ratings for CPUs. There are way too many parameters to take into account for a single number/certificate to mean a whole lot.

    In the CPU world, MHz ratings make sense only within the same family of processors: a system running a 450MHz i586 can be safely said to be faster than a system running a 333MHz i586. (Even then it's not a reliable measure.) But you cannot compare, say, a 450MHz i586 and a 350MHz RS4000 -- you might say, well, the Intel must be faster since it has a faster cycle. But what if the RS4000 can do in 10 instructions what takes 100 instructions on the Intel? Well, if it were a 350MHz RS4000 and a 450MHz RS4000, we'd know the latter is faster, but it's very hard to compare across different processor families.

    Same thing goes for certification. In the NT world, the system is more or less uniform across all deployments, so a certification for it makes sense (just like comparing MHz ratings for one particular family of processors). But now in the Linux world, there are just way too many different configurations. Treat each distro as the equivalent of "processor family" if you will, to draw the analogy. What does a rating on, say, a typical RH6 installation mean to other Linux distros, or even other versions of RedHat? Two different Linux installations can be so different that a certification only makes sense if you stick with one particular distro, one particular release of that distro, and even the same configuration used in the certification process.

    What I'm trying to say is, certification is useful only when you're comparing static, non-changing systems. The term "Linux" encompasses too much -- it makes no sense to "certify Linux" and think that the certification gives an accurate picture of security on Linux.

    And then, you have the human factor to account for. Everybody knows that the most "secure" system can be the most vulnerable if the sysadmin doesn't know what he's doing. In a way, security certifications like this should be taken with a grain of salt -- just because NT, or even Linux, is "certified to be secure", doesn't mean that you can now just go to the store, buy a copy of the system, install it, and you automagically gain the same security as the certification says. Absolutely not -- you must hire a competent system administrator before your system has any degree of reliable security. Doesn't matter if your NT or Linux box is "certified" to be C2 or C3 or C-whatever, all that guarantees nothing unless you have the right person behind the machine.

    "There is no such thing as out-of-the-box security. If it's out-of-the-box, it's not secure."

    --
    mikre he sophia he tou Mikrosophou.
  10. You're absolutely right, but... by crisco · · Score: 2
    Every SysAdmin worth his/her salt and most of the rest of us know you're right. However, who are these certifications for? The people controlling the purse strings. They don't realize the implications of a C2 rating and they also don't realize it is a particularly configured install on a few limited machines. They just know they can get NT certified.

    The entire certification process just becomes a tool to spread FUD. Fear that anything that doesn't carry certification will be broken into. Uncertainty that anything else could be better. Doubt that they could be wrong.

    Given that, getting a particular distro certified would do the Linux community good. It doesn't matter that the kernel will become out of date. It doesn't even matter that it might be a stripped down distro that can't do everything. What would matter is that one could say "Linux is C2 certified".

    Perhaps VA could partner with one of the commercial distros to create a system that could be certified.

    --

    Bleh!

  11. M$ Y2k plan? by doomy · · Score: 2

    >The article is dated a year ago. From the site:
    >Last updated: December 02, 1998

    That's exactly what I noticed (others who went there were using IE?) with Netscape on Linux.

    I have been told that some companies have gone back one year just to counter the effects of the y2k bug. This could mean that (possibly) the web site sections of Microsoft might have decided to set their year as 1998 (since it's not such a critical dept) and go on. I did see the 1998 as well, wonder why others don't see it.
    --
    ...free your source and the rest would follow...
  12. What do security evaluations take into account? by Greyfox · · Score: 2

    Do these security evaluations take into account things like buffer overflows? I know when we were getting DG/UX rated for B2, we weren't really on the look-out for that sort of thing. There could have been some strcpy's in the C library that we didn't catch...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  13. Linux has a SAK by Dwonis · · Score: 2

    Linux 2.[123] have a SAK (SysRq-k)

    --------
    "I already have all the latest software."

  14. Happy thought by Chris Johnson · · Score: 3

    I'm picturing a checkbox labelled "Allow untrusted users to plant Trojan horse programs" :) of course, it defaults to off except for when you set Office to 'Active Content' :)

  15. MAC, B1, B2, etc. Re:Linux and C2 certification by billstewart · · Score: 3

    A well-designed MAC system doesn't interfere with normal work, as long as your normal work doesn't involve kernel hacking or developing trusted applications, or developing networking applications beyond a limited scope. But basic user-level stuff can be very normal.


    MAC systems actually made doing system security much easier. You put the operating system files at Security Level 0, and make all the users live at Level 1 or higher (e.g. UNCLASSIFIED), and the no-write-down MAC enforcement means that users can't mess with any critical files, and can't mess with kernel-written logfiles. Other log files can go at System High (if you're not running with stricter No-Write-Up rules) so user-level processes can write to them, but can't read them, or just use a separate security compartment to put them in.


    AT&T System V/MLS accomplished most of this by munging the Group ID mechanisms to carry MAC information, both for security levels (UNCLASS, SECRET, etc) and for security compartments (PROJECT X, NUKES, CIA, COMSEC, etc.) This was back in the 80s, and it was the first Unix system to be B1-rated.


    What about Superuser? Some B1 systems kept it, and just did a lot of work to limit bugs and damage, while some split it up into multiple less-super users. AT&T System V/MLS kept it. The B2 Least Privilege requirements make it much more difficult to avoid ripping root apart; I don't know what current B2 systems do. Covert Channels are the nasty part of B2 ratings - it was hard enough to hide subtle timing channels and things like that back when machines were much slower - now there's enough horsepower to play even more games, and I'm not convinced a general-purpose machine can do a good job of blocking them.


    Secure Attention Key wasn't originally a C2 requirement; it was either B2 or B3, but it's easy enough to implement and solves enough other problems that everybody does it.


    Secure Networking was still hairy research back when I was working with this stuff. The problem is that a network really just sends bits back and forth, and you have to be able to use those bits in a way that you can prove who's on the other end of the wire, what they're authorized to do, and that nobody else is doing something unauthorized with the bits you're sending. It's an obvious job for crypto, but that wasn't very usable back then except for DES chips and NSA secret custom stuff. The main technologies people were developing at the time were IPsec-like encrypted ethernets, usually with DES hardware on the ethernet cards, where the crypto primarily provided authentication. Putting crypto on the cards means the security features don't depend on the operating system - this means you can run a multi-level network with single-level dumb MSDOS machines, and worry about how to integrate multi-level OS's separately. (The crude way to integrate a multi-level OS into this system is to use multiple Ethernet boards, one per security level, and use OS protections to limit which boards get to be which security level.) But it's still a hard problem - TCP/IP living in the kernel is much harder to secure than UUCP living in user space.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
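    A small Python model of the MAC rules described in Hawke's reply under comment 7 and in Bill Stewart's comment above, added here as an illustration; it is not taken from any poster or from any real trusted OS. Labels carry a hierarchical level plus a compartment set, a read requires the subject to dominate the object (no read up), a write requires the object to dominate the subject (no write down), and a `no_write_up` switch gives the stricter variant Hawke describes. The level and compartment names, and the `mac_allows`, `label_for_new_object` and `demo` functions, are constructed for this example.

```python
from dataclasses import dataclass

# Ordered sensitivity levels. Following the thread, OS files sit at level 0
# ("SYSTEM") and ordinary users at level 1 ("UNCLASSIFIED") or higher;
# "SYSTEM_HIGH" is the ceiling label used for log files users may append to.
LEVELS = ["SYSTEM", "UNCLASSIFIED", "CLASSIFIED", "SECRET", "TOPSECRET", "SYSTEM_HIGH"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Non-hierarchical compartments (names from the thread; the set is constructed).
ALL_COMPARTMENTS = frozenset({"PROJECT_X", "NUKES", "CIA", "COMSEC"})


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of compartments.
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def mac_allows(subject: Label, obj: Label, access: str, no_write_up: bool = False) -> bool:
    """Decide a MAC access; this check runs before, and overrides, DAC permissions."""
    if access == "read":
        # Simple security property: no read up.
        return subject.dominates(obj)
    if access == "write":
        if no_write_up:
            # Strict variant: a subject may write only at exactly its own label.
            return subject == obj
        # *-property: no write down (writing up is still permitted).
        return obj.dominates(subject)
    raise ValueError(f"unknown access type: {access}")


def label_for_new_object(subject: Label) -> Label:
    """Anything a subject creates inherits the subject's label ("always tagged Secret")."""
    return subject


# Constructed subjects and objects modelling the scenarios in the comments.
OS_FILES = Label("SYSTEM")
KERNEL_LOG = Label("SYSTEM")
AUDIT_LOG = Label("SYSTEM_HIGH", ALL_COMPARTMENTS)
USER = Label("UNCLASSIFIED")
SECRET_PROC = Label("SECRET", frozenset({"NUKES"}))


def demo() -> dict:
    """Return the access decisions the thread describes, keyed by scenario."""
    ts_nukes = Label("TOPSECRET", frozenset({"NUKES"}))
    return {
        "user reads OS files": mac_allows(USER, OS_FILES, "read"),        # True
        "user writes OS files": mac_allows(USER, OS_FILES, "write"),      # False
        "user writes kernel log": mac_allows(USER, KERNEL_LOG, "write"),  # False
        "user appends audit log": mac_allows(USER, AUDIT_LOG, "write"),   # True
        "user reads audit log": mac_allows(USER, AUDIT_LOG, "read"),      # False
        "user appends audit log (no write up)":
            mac_allows(USER, AUDIT_LOG, "write", no_write_up=True),       # False
        "secret reads classified": mac_allows(SECRET_PROC, Label("CLASSIFIED"), "read"),  # True
        "secret reads topsecret": mac_allows(SECRET_PROC, Label("TOPSECRET"), "read"),    # False
        "secret writes topsecret (BLP)": mac_allows(SECRET_PROC, ts_nukes, "write"),     # True
        "secret writes topsecret (no write up)":
            mac_allows(SECRET_PROC, ts_nukes, "write", no_write_up=True),                # False
        "nukes reads comsec":
            mac_allows(SECRET_PROC, Label("SECRET", frozenset({"COMSEC"})), "read"),      # False
        "new file label": label_for_new_object(SECRET_PROC).level,                        # "SECRET"
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:40} -> {decision}")
```

    The two "topsecret" write rows show the difference between the standard *-property (write up allowed, as in Bill Stewart's System High log files) and the no-write-up variant Hawke describes.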
  16. My doubts by Cironian · · Score: 2

    So this says, through a finite amount of configuration work, you can get NT to a set amount of security. This doesn't even tell you whether it would be remotely feasible to do this.

    Also, I am curious how NT fulfills the auditing requirements... How the hell can I find out what user deleted a certain file? Perhaps I am just stupid, but I never saw any hidden option to log absolutely everything on the system. (Something like a journalling file system comes to my mind here)

    1. Re:My doubts by Leebert · · Score: 2

      Not to admit that I'm an MCP or anything ;) BUT--

      You can configure NT to audit pretty much any object access (including file delete), but it (obviously) puts such a load on the box that no one in their right mind would do so on an ongoing basis.

      To see for yourself, on an NT server:

      Start -> Programs -> Administrative Tools -> User Manager for Domains -> Policies -> Audit

  17. Re:Is this news? by Rudolf · · Score: 2

    > The article is dated a year ago

    I don't know where you saw that. At the top of the page it clearly says:
    Last Updated: December 02, 1999
    (emphasis added)

  18. C2 Evaluation -Full Text- by Money__ · · Score: 4
    I've taken the liberty of converting most of the C2SecGuide.doc to HTML and posting it here: http://slashdot.org/comments.pl?sid=9999

    Your comments welcome!

  19. Re:Is this news? by irix · · Score: 2

    Wrong.

    The article discusses post-SP6/SP6a hotfixes that were released recently. SP6 itself was released in November 1999.

    Don't you have something better to do than bitch about the relevancy of /. articles? Especially when you are wrong?

    --

    Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
  20. NTFS encryption in Windows 2000 by harmonica · · Score: 2

    How about making a contribution to the Linux NTFS driver community in return? ;-)

    MS is implementing file system encryption in the next version of NTFS, see http://www.microsoft.com/msj/1198/ntfs/ntfstop.htm . I'm not sure if this prevents you from reading a file name, though.

  21. This is what's insightful nowadays? by PenguiN42 · · Score: 3

    Take the unproven assertion that Microsoft made a deal with the NSA, add a mix of anti-NT bias (gee, it could *never* have made C2 on its own merits!), and poof, we have a conspiracy theory!

    Perhaps you wish to imply that *all* C2 rated OS makers made deals with the NSA? Maybe they all have "backdoors" too, and you just don't know it?

    Anyway I don't see jumping to conclusions as necessarily "insightful."

    --
    The following sentence is true. The preceding sentence was false.
  22. What everybody's asking... by Seth Scali · · Score: 3

    "What would it take for Linux to get a C2 rating?"

    Well, we certainly are doing well in the security arena. Open Source allows us to fix a number of bugs, and to identify trouble spots before they become vulnerabilities. Also, Linux has a hell of a lot of people that will back up its security when properly configured.

    But here's the problem: Define Linux.

    Okay, let's say we want to get Linux certified at the C2 level. Well, that's just fine and dandy. Are we going to just submit the kernel? Or are we going to submit programs (bash, mount, losetup, etc.), too? If so, what versions? Are we going to submit an entire distribution?

    It wouldn't be possible to get a C2 rating for Linux in general. There are too many different distributions, platforms, bugfixes, and updates out there to get a handle on-- the best we can do is rate a particular version (at a particular bugfix level) of a particular distro. So, just because (say) RH 6.0 gets a C2 rating doesn't mean that Slackware 3.6 is less, more, or just as secure.

    Even if we do get a version of Linux (in general) rated (for the sake of argument here, let's go with the idea), what about the next version? Microsoft is gonna have to go through the program again with W2K. Figure that we went from kernel version 2.2.0 to 2.2.13 in a space of less than a year-- and 2.2.14 is due out soon. It would be pointless to try this, because we would wind up constantly having to get it re-tested.

    And let's not even talk about the price of such testing.

    In other words: Forget about government security ratings for Linux. It's too dynamic to be given a static rating. It's also very reliant on the operator (as is NT, but that *seems* less obvious to most people).

  23. Re:Step forward for NT by maroberts · · Score: 2

    AFAIK, when they went for 3.51 security it was not connected to a network; however this _appears_ to be with the system connected to a network:

    Server operating as primary domain controller
    Server operating as backup domain controller
    Server operating as a member server
    Server operating as a non-member server
    Workstation as a domain member
    Workstation as a non-domain member


    Like the previous poster I'd like to know what it would take for Linux to be submitted for evaluation. With encrypted filesystems it may stand a chance of a better rating....

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  24. Excerpts... by Issue9mm · · Score: 2

    From the TCSEC FAQ page:

    The Trusted Computer System Evaluation Criteria (TCSEC) is a collection of criteria that was previously used to grade or rate the security offered by a computer system product. No new evaluations are being conducted using the TCSEC although there are some still ongoing at this time. The TCSEC is sometimes referred to as "the Orange Book" because of its orange cover. The current version is dated 1985 (DOD 5200.28-STD, Library No. S225,711) The TCSEC, its interpretations, and guidelines all have different color covers and are sometimes known as the "Rainbow Series" (see TCSEC Criteria Concepts FAQ, Question 4). It is available at

    Now, this to me at least indicates that either this news is old, or Microsoft is using outdated testing criteria.

    Also, when looking at the TCSEC programs that were evaluated and passed, complete listing, NT4 is not on the list. NT3.51 is, but not NT4. Also, Microsoft never made mention of whether or not it had passed the evaluation, only that it had been tested 6 different times.

  25. Linux by Issue9mm · · Score: 3

    I don't know that Linux has ever been officially evaluated. It's not on the list.

    Here is the list stating all evaluated programs ever.

    It's interesting to note that Trusted Irix got a B1 rating... hmmmm....