David Harvey-George wrote:
> > From: Leonard Miyata <leonard @
> > Let me provide some further information on the subject. If Microsofts
> > claim of ITSEC equivalent of C2 is correct...
> Their press release seems very carefully worded in way to present NT in as
> favorable light as possible (no kidding :-). They talk a lot about having
> completed the first stages of the Red and Blue book requirements and then
> talk about ITSEC which they claim is derived from the NSA's Red book. The
> release then talks about Orange Book C2 security being a standard part of
> However it seems that the following is clear:
> 1 NT is C2 Orange book compliant if configured correctly
> 2 NT is not C2 Red book compliant but has passed another network security
> standard, the ITSEC FC2, this is derived from the Red book but evidently
> isn't the same thing, otherwise MS would have that too!
> 3 The ITSEC FC2 rating only applies to NT WS and SRV versions 3.51.
> 4 It was not clear if a standard NT 3.51 release could be FC2 compliant or
> whether additional components were necessary. Reading between the lines of
> the marketing blather I think the latter is the case, comments?
> 5 It's not clear whether or not they've passed the European E3
> requirements. The implication was that if you pass FC2 you are also E3
> compliant as they are the same thing. Hmmmm.
> ps Anyone know anything about Microsoft's slated firewall product.
My understanding is that only NT 3.5 (not 3.51) Workstation and Server
have been evaluated for C2 Orange Book (Stand alone workstation). This
requires the removal of both the floppy drive and the NIC. Hard to
imagine a use for a server without a NIC, but ...
One of the major deficiencies is the lack of a secure (from tampering by
the system administrator) auditing capability.
I would be interested in any info on NT 3.51 or 4.0 security evaluations.
Re: WinNT and C2
From: "David Harvey-George" <david @