I have seen this more times than I can take!
Any questions about NT's C2 certification should be directed to
NT 3.5 w/ sp3 is the only currently certified release of NT at the C2 level.
NT is only C2 certified with NO networking at all.
NT 3.51 is in RAMP evaluation for C2 certification.
NT 3.51 is also in evaluation for C2 with networking turned on.
The NSA has contracted with an ISV for evaluation and modification testing
to produce a B2 system.
NT is C2 compliant, i.e. it was designed to meet C2 criteria. This is only
a step in the process, anybody can say "yeah we designed the system to be A1
compliant, it's more secure than a safe welded shut on the bottom of the
A firewall is a state of mind. Grok your network, your traffic, and your
people. Build a system that complements your network, your traffic, and
your people. If you find that TCSEC certified systems are part of what you
need then by all means use them. A firewall is _usually_ put in place to
assist your users in using the Internet with maximum safety and minimum
As a UNIX weenie, don't think I'm knocking NT. I'm an NT weenie also, even
though some people seem to think that's mutually exclusive.
I apologize for my abruptness, but propaganda and misconceptions help no one
but the people we are trying to keep out of our networks.
>From: Rodney R. Fournier[SMTP:rodf @
>Sent: Friday, April 12, 1996 6:52 PM
>To: Firewalls Mailing list; 'Norton, Dave'
>Subject: RE: Cracking NT via RAS
>1) You can use any resource in either Domain in a trusted Domain. I can
>not comment on password crackers, you may want to implement a three
>password lockout, and then disable the account. That should take care of it
>(unless they guess the name and password first!!)
>2) MS NT just recently got approved at C2 level, so that should tell you
>something!! 3.1 & 3.5 are not certified, so I hope that you are on 3.51
>with service pack 4!!