> > Date: Wed, 29 May 1996 23:03:31 -0400
> > From: Russ <Russ .
> > Subject: What do you want to know about Windows NT?
> > - - There is a C2 configuration guide (manual), maybe it should be
> Russ, nothing really to do with your recent posting although I wonder
> you'd be good enough to clarify this bit for me. My understanding is
> has only been C2 accredited for a couple of hardware platforms and only
> stand-alone versions, rather than networked ones.
> The implication behind having a C2 configuration guide would be, to me
> least, that NT is C2 certified. This seems misleading to me, although
> like to here other comments. It seems to me that there is a load of
> around regarding C2 and NT and MS are happily using this confusion to
> without claiming that NT==C2. Would you agree with me here or have I
> wrong end of the stick altogether ?
> Thanks for your thoughts ..
Doesnt this come down to terminology?
NCSC said a long while back that they really didnt want to devote US
government money on evaluating products which could only make a trivial C2
when their time could be spent on looking at serious products.
NCSC has always been in the business of evaluating "in the national
interest" and their manpower has always been very limited. As the national
interest was *US* national interest, other countries were motivated to
establish their own systems and Europe eventually moved to develop the
In the US this created several problems.
US G had made public statements that it would mandate C2 as a *MINIMUM
REQUIREMENT FOR ALL* US Federal procurements of information systems.
That, together with NCSC saying they wouldnt spend time on C2 evaluations,
implied that really US G was mandating B1 by default because vendors were
moving to B1 for OS and RDBMS products.
Therefore the lowest *CERTIFIED* level was likely to become B1.
That suggested that the cost of Federal purchases would rise
astronomically although it overlooked the fact that B1 product was costly
largely because very few people even knew it existed much less had any
intention to purchase it ( one reason for this was the US G desire to
control technology in the same way that it persists with encryption
This resulted in USG wobbling on C2 mandates. The establishment of ITSEC
should have created a new opportunity but political dogma in the US denied
this option to Federal procurement teams.
Since then we have spent a lot of time fudging about with FC-FIPS and now
the Common Criteria when it might have been better to adopt ITSEC and then
work to improve it.
All this government level confusion makes it very easy for a marketeer to
confuse customers to obtain an order.
ITSEC has established a system where any vendor or user who wants to pay
for an evaluation of a product can do so at whatever security target they
desire. The system is not perfect and most evaluations are still funded
largely by government customers, but it does measure Functionality and
Integrity as well as Assurance.
The major weakness is that a vendor can demand a product listing as 'under
evaluation' from the moment he signs a contract with a CLEF to evaluate
his product. That has meant that a product might not actually be available
for evaluation for months or more and once available might never see the
evaluation completed. ITSEC Scheme Bodies are now planning to list product
only when the CLEF starts evaluation but its unclear where that leaves all
the products already listed as under evaluation but still have to become
available for evaluation.
At present, MS appear to be claiming, or encouraging others to claim, that
they have the most secure OS in NT because they have a US C2 Certificate
and are listed at F-C2/E3 under ITSEC. There have been claims that the
ITSEC listing is the same as a US B1 certificate and other claims that NT
is really a B2 product.
Its entirely logical that as the inheritor of the IBM proprietary mantel,
MS would also make maximum use of FUD.
Without carefull study of the NT TOE, it is difficult to know how
successfull the product will be in meeting the Assurance level of E3. As a
new product under exclusive control of the vendor and with very few
versions/patches/layers, it should present no difficulty to provide the
documentation necessary for the Assurance. However, it would appear that
the products functionality achievement (in Integrity and Availability) is
strictly limited to a hope to achieve C2. We wont of course know until
either MS publish their TOE or they receive a certificate and that could
be years away.
Obviously MS does have a major problem in marketing.
Security is now becoming headline interest and virtually every flavour of
UNIX is available in a B1 or B1+ certified form.
This year, most UNIX OS flavours will be certified under ITSEC at F-B1/E3
and a few will achieve a certified F-B2/E4.
That can not be unrestrained joy for MS marketeers. Why would anyone want
to make a strategic decision on an OS which not only makes them captive of
MS, but is also unable to satisfy emerging security requirements?
The only thing to fall back on is the claim that "everyone" is moving to
NT, NT is the cheapest product available, NT is the most secure OS known
Thats fine provided no one asks for proof and, fortunately, history has
shown that the capacity for mankind to fool itself is almost unlimited, or
as someone else put it "no one ever went broke by underestimating the
OTOH, a C2 accreditation means something. Provided that your situation and
requirements are *EXACTLY* the same as those of someone who has
accredited, it means much more than a criteria certificate.
NOW BEFORE MS enthusiasts start claiming that this means that NT is now
far more secure than anything else, and under a more meaningfull method of
assessment because its been accredited on a couple of sites, the KEYWORD
is EXACTLY. The chances of it being the case that 2 organizations are
EXACTLY the same is pretty remote. Thats why evaluation criteria and
certification schemes have never been a total answer and any serious user
will run accreditation on the implemented system (that includes all the
unique things like risk policies, system administration etc.). The two
values of evaluation criteria are that they make a vendor think more
carefully about the product and they do eventually provide an independent
assessment of the product's performance against the claims in the security
However, whatever the merits or demerits of NT as an Operating System, the
security situation today appears fairly clear cut.
If you want an operating system which can achieve C2 provided you
implement an exact hardware platform and provided that you dont want to
connect it to any networks, NT might be exactly what you are looking for.
OTOH you could be an unfashionable fuddy duddy and buy a UNIX OS with a B1
ticket that can be used in a networking environment. You might even buy
one with a B2 ticket. Or you might buy a UNIX-like OS with an A1 ticket.
You would of course have the problem of multiple choice which can
sometimes be a terrible burden. Its so much easier to just do what someone
like MS tells you than to go out and select from a range of choices - and
take responsibility for making decisions.
Some subscribers to this list may not remember the odd statement "no ever
got fired for buying IBM" - well odd today but not so odd 20 years back.
In the pre-UNIX days it was a familiar cry and IBM grew fat on the back of
it. Equally, many people lost many opportunities and also spent vast sums
of money which they did not need to spend.