NT scales C2 security heights – but what about Win2k?

Long term, the NCSC criteria are challenges the company can't rise to

Microsoft announced this week that it has received Orange Book C2 certification for NT 4.0, and FIPS 140-1 validation of the cryptographic services in Windows 95, Windows 98, NT 4 and Windows 2000. Microsoft says that "customers now have formal, third-party verification of the security" of these operating systems. Microsoft also said that "C2 is generally acknowledged to be the highest rating a general-purpose operating system can achieve", something that it has said before, but in a different context, as we shall see.

First let's recap on these coloured books. The US Department of Defense, through the US National Computer Security Center (NCSC, part of the National Security Agency), has a series of "rainbow" books, known as the DoD Trusted Computer System Evaluation Criteria. The Orange Book defines the criteria, but the Red Book is an interpretation of the Orange Book. The Red Book came about because the Orange Book was inadequate with regard to networking. There is also a Blue Book for advanced systems. The criteria are hopelessly out-of-date in many respects, because it takes so long for security organisations to develop standards.

The only C2 security that Microsoft had previously received was Orange Book for Windows NT 3.5 (not 3.51) - but it was required that networking was disabled, that the floppy disk drive was disabled, and that the standard file system permissions were changed to be very restrictive, along with many permissions in the registry. Some cynics compared the process with castration. At the time, Enzo Schiano, a Windows NT Server product manager, also noted that C2 presumes that the PC is kept locked away from unauthorised users, since it was only necessary to remove the hard disc to get access to all the data. Microsoft had received E3/FC2 for NT 3.51 and NT 4.0, but this level is regarded as too low for serious security consideration. If C2 Orange Book is about as reassuring as food labelled "100 per cent organic", then the E and F levels are perhaps the equivalent of dog food.

In May, when Microsoft was not allowed to bid for the US Army Battle Command System, which required secure messaging, Microsoft was cross because the UK Information Technology Security Evaluation Criteria (ITSEC) certification board had given Windows NT 4.0 (with Service Pack 3) an E3/FC-2 rating, which Microsoft then called "the highest security evaluation possible for a general purpose operating system". Sounds familiar, does it not? But that's what Microsoft now says about its Orange Book C2 certification.

There were many critics of NT security. Terry Edwards, director of technical integration for the US Army's Force XXI initiative at Fort Hood, Texas, considered that "NT cannot support our security requirements". Mary Ellen O'Brien, director of DoD sales, Microsoft Federal, confirmed that MS is working with a third party, which she refused to name, to develop a Unix client for Exchange. Microsoft was concerned that Notes, running on Solaris, may increasingly replace Exchange in the military. It has also upset Microsoft mightily that Novell had received the superior Red Book C2 security on both the server and the client for NetWare 4.11, which meant that NT Server had no level of certified security. A Novell product manager sniffily described NT security as "an entire disease: they throw a password around the network, so it is available for capture, so it's not surprising that professional hackers are finding holes".

In October at Gartner's Orlando meeting, Ann Reid of the US Department of Agriculture asked Steve Ballmer what Microsoft was doing about security problems and the federal information security requirements. Ballmer had to admit that Windows 2000 was unlikely to meet the requirements, which was interpreted at the time as no C2 in prospect.

There is a footnote, and a serious one.
Ed Curry, a former independent contractor for Microsoft and a security specialist, claimed that in 1998 Microsoft had been selling NT 3.51 and 4.0 to the US government and representing them as secure versions when they were not, and had false information on its Web site. Curry, who has since died, wrote to the US Secretary of Defense at the time claiming that "Microsoft has knowingly and wilfully concealed information regarding security flaws in computer hardware... I have raised the issue internally with Microsoft, and in return have been the subject of both bribes and threats". ®