Windows NT 4.0 C2 Evaluation finished

DevNu11 writes "Windows NT 4.0 SP6a + Hotfixes + Trusted configuration finished evaluation under the TCSEC program. This page has a configuration guide for deploying a system in a C2-evaluated configuration. A text on the bottom of the page points out the differences of NT being secure and that someone could configure NT to be secure."

Modification list to NT

[Sulka]

Procedure for C2 NT installation, from the doc:

Unpack and set up hardware
Set power-on password
Install Windows NT
Restart Windows NT as Administrator
Verify video driver
Install Printer and Tape Drivers
Install Service Pack 6a
Install C2 Update (KB Q244599, Q243405, Q243404, and Q241041)
Enable hardware boot protection
Remove the NetBIOS Interface service
Disable unnecessary devices
Disable unnecessary services
Disable Guest account
Remove OS/2 and POSIX subsystems
Secure base objects
Secure additional base named objects
Protect kernel object attributes
Protect files and directories
Protect the registry
Restrict access to public Local Security Authority (LSA) information
Restrict null session access over named pipes
Restrict untrusted users' ability to plant Trojan horse programs
Disable caching of logon information
Allow only Administrators to create shares
Disable direct draw
Restrict printer driver installation to Administrators and Power Users only
Set the paging file to be cleared at system shutdown
Restrict floppy disk drive and CD-ROM drive access to the interactive user only
Enable NetBT to open TCP and UDP ports exclusively
Modify user rights memberships
Set auditing (if enabled) for base objects and for backup and restore
Disable blank passwords
Restrict system shutdown to logged-on users only
Set security log behavior
Restart the computer
Update the Emergency Repair Disk

No POSIX, eh? I can understand most of the mods, but to me it seems like the machine pretty much becomes a dumb terminal after all of this.

sulka

Linux and C2 certification

[mertner]

What would it take to get a version of Linux certified in the same way? Lots of money, or just lots of carefully configured pices of software? Is it not something

While I think general consensus is that NT's C2 certification is pretty useless (it has to be configured in a way to make it of even less use than normally), it still puts NT on the scoreboard when compared against Linux.

Re:Linux and C2 certification

[Hawke]

Um, B-rated OS's require MAC capability. I do not believe OpenBSD has that. At the B level, its not just an administration thing. The MAC component really makes the systems unusable for normal work.

MAC == Mandatory Access Control. Basically the OS supplies some rules about resoruce access that trump the rules provided by permissions. Think of tagging processes with a tag like "Secret". A process running at Secret can open Secret, Classified, and Unclassified files, but everything it writes is always tagged Secret. It can't read TopSecret files or write to them.

By the time you add in control of covert channels, you have to jump through some really weird hoops to get a B rating.

C-2 rated systems require a Secure Attention Key (basically some way to guarentee you have a real-login screen, and not a fake one. Ctrl-Alt-Delete in NT) which I don't think the Open Source unixen have yet. Other than that we're in good shape.

Solaris has a B-2 rated OS (Trusted Solaris) and a C-2 rated OS if I recall correctly. C-2 mode on a Solaris box turns on a lot of auditing, turns off Stop-A, and does a few other things I forgot.

Re:Linux and C2 certification

[noop]

http://www.radium.ncsc.mil/tpep/epl/epl-by-class.h tml
is a list of what's ranked as what..
Looks like trusted XENIX is going to be the highest rated.

I'm not sure the SAK is required, openVMS 6.0 and 6.1 are listed as C2 and it doesn't mention anything about a secure logon keysequence( they do for nt)

you knowm, since they don't rate at the level anymore, linux could just claim C1 rating, and most people would assume that it's one better than NT.
hehehe

Happy thought

[Chris+Johnson]

I'm picturing a checkbox labelled "Allow untrusted users to plant Trojan horse programs" :) of course, it defaults to off except for when you set Office to 'Active Content' :)

MAC, B1, B2, etc. Re:Linux and C2 certification

[billstewart]

A well-designed MAC system doesn't interfere with normal work, as long as your normal work doesn't involve kernel hacking or developing trusted applications, or developing networking applications beyond a limited scope. But basic user-level stuff can be very normal.


MAC systems actually made doing system security much easier. You put the operating system files at Security Level 0, and make all the users live at Level 1 or higher (e.g. UNCLASSIFIED), and the no-write-down MAC enforcement means that users can't mess with any critical files, and can't mess with kernel-written logfiles. Other log files can go at System High (if you're not running with stricter No-Write-Up rules) so user-level processes can write to them, but can't read them, or just use a separate security compartment to put them in.


AT&T System V/MLS accomplished most of this by munging the Group ID mechanisms to carry MAC information, both for security levels (UNCLASS, SECRET, etc) and for security compartments (PROJECT X, NUKES, CIA, COMSEC, etc.) This was back in the 80s, and it was the first Unix system to be B1-rated.


What about Superuser? Some B1 systems kept it, and just did a lot of work to limit bugs and damage, while some split it up into multiple less-super users. AT&T System V/MLS kept it. The B2 Least Privilege requirements make it much more difficult to avoid ripping root apart; I don't know what current B2 systems do. Covert Channels are the nasty part of B2 ratings - it was hard enough to hide subtle timing channels and things like that back when machines were much slower - now there's enough horsepower to play even more games, and I'm not convinced a general-purpose machine can do a good job of blocking them.


Secure Attention Key wasn't originally a C2 requirement; it was either B2 or B3, but it's easy enough to implement and solves enough other problems that everybody does it.


Secure Networking was still hairy research back when I was working with this stuff. The problem is that a network really just sends bits back and forth, and you have to be able to use those bits in a way that you can prove who's on the other end of the wire, what they're authorized to do, and that nobody else is doing something unauthorized with the bits you're sending. It's an obvious job for crypto, but that wasn't very usable back then except for DES chips and NSA secret custom stuff. The main technologies people were developing at the time were IPsec-like encrypted ethernets, usually with DES hardware on the ethernet cards, where the crypto primarily provided authentication. Putting crypto on the cards means the security features don't depend on the operating system - this means you can run a multi-level network with single-level dumb MSDOS machines, and worry about how to integrate multi-level OS's separately. (The crude way to integrate a multi-level OS into this system is to use multiple Ethernet boards, one per security level, and use OS protections to limit which boards get to be which security level.) But it's still a hard problem - TCP/IP living in the kernel is much harder to secure than UUCP living in user space.

C2 Evaluation -Full Text-

[Money__]

I've taken the liberty of converting the most of the C2SecGuide.doc to HTML and posting here: http://slashdot.org/comments.pl?sid=9999

Your comments welcome!

This is what's insightful nowdays?

[PenguiN42]

Take the unproven assertion that Microsoft made a deal with the NSA, add a mix of anti-NT bias (gee, it could *never* have made C2 on it's own merits!), and poof, we have conspiracy theory!

Perhaps you wish to imply that *all* C2 rated OS makers made deals with the NSA? Maybe they all have "backdoors" too, and you just don't know it?

Anyway I don't see jumping to conclusions as necessarily "insightful."

-------------
The following sentence is true.

What everybody's asking...

[Seth+Scali]

"What would it take for Linux to get a C2 rating?"

Well, we certainly are doing well in the security arena. Open Source allows us to fix a number of bugs, and to identify trouble spots before they become vulnerabilities. Also, Linux has a hell of a lot of people that will back up its security when properly configured.

But here's the problem: Define Linux.

Okay, let's say we want to get Linux certified at the C2 level. Well, that's just fine and dandy. Are we going to just submit the kernel? Or are we going to submit programs (bash, mount, losetup, etc.), too? If so, what versions? Are we going to submit an entire distribution?

It wouldn't be possible to get a C2 rating for Linux in general. There are too many different distributions, platforms, bugfixes, and updates out there to get a handle on-- the best we can do is rate a particular version (at a particular bugfix level) of a particular distro. So, just because (say) RH 6.0 gets a C2 rating doesn't mean that Slackware 3.6 is less, more, or just as secure.

Even if we do get a version of Linux (in general) rated (for the sake of argument here, let's go with the idea), what about the next version? Microsoft is gonna have to go through the program again with W2K. Figure that we went from kernel version 2.2.0 to 2.2.13 in a space of less than a year-- and 2.2.14 is due out soon. It would be pointless to try this, because we would wind up constantly having to get it re-tested.

And let's not even talk about the price of such testing.

In other words: Forget about government security ratings for Linux. It's too dynamic to be given a static rating. It's also very reliant on the operator (as is NT, but that *seems* less obvious to most people).

Linux

[Issue9mm]

I don't know that Linux has ever been officially evaluated. It's not on the list.

Here is the list stating all evaluated programs ever.

It's interesting to note that Trusted Irix got a B1 rating... hmmmm....