There seems to be a general misunderstanding on the C2 rating of
Windows NT Server. Windows NT has an 'Orange Book' C2 rating. Their
resource book for NT 4.0 Server states that NT was designed for
'Red Book' C2, but since they are not claiming this yet, they must
not have achieved this.

Orange Book rates the security of an isolated computer host. It does
not rate the components of a host (e.g. a B2 rated floppy drive or
SCSI controller) but if the components with the O.S. are assembled
in such a fashion, the overall rating of a host is at this level as
far as MAC, DAC, I&A, Audit, etc. are concerned.

Red Book (TNI) is an official supplement to the Orange Book, extending
the Orange Book definitions to a networked environment. Red Book rates
the overall rating of the NETWORK. Individual components of the network
may have a lower rating than the network in general (e.g. workstations,
routers) if other components in the Network can enforce MAC, DAC, I&A
etc. As an example with NT Server, their Domain Authentication Server
is an attempt to meet the DAC requirement. PPTP may be used for trusted
path for I&A, etc. Another example is NetWare, which for a restricted
IPX network, has been rated for Red Book C2.

I hope this has been useful.
Personal Opinions provided by
Leonard Miyata
aka leonard @ geminisecure . com
GEMINI COMPUTERS INC.
On Mon, 3 Feb 1997, EKR wrote:
> > First Mistake. NT is not C2 compliant. Anyone knowing anything about LAN
> > security would know this. Do a little more research before replying to
> > someone. Besides, do you even know the different levels of security, or are
> > you just "anti-nt". (which is not a bad thing)
> Actually, you're quite wrong. NT has been evaluated at C2 in
> a standalone configuration, which appears to be precisely what
> the gentleman was referring to. Please see:
>
> http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html
>
> -Ekr
>
>
>