Information Security News mailing list archives
If you need C2 security, you'll have to stick with NT 4.0
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Tue, 8 Feb 2000 02:16:30 -0700
From: "John Q. Public" <tpublic () dimensional com>

[Please remember this when the MS droids come to your office and try to push NT4 C2 certification on you. - John]

http://www.gcn.com/vol19_no3/news/1284-1.html

February 7, 2000

If you need C2 security, you'll have to stick with NT 4.0

By Susan M. Menke
GCN Staff

Agencies that have a "hard requirement" for C2 security will have to wait two or more years before adopting Microsoft Windows 2000, says James Arnold, technical director of Science Applications International Corp.'s Trusted Technology Assessment Program laboratory.

Arnold's TTAP team in Columbia, Md., last month announced the C2 certification of amended versions of the 4-year-old Windows NT 4.0 Server and Workstation operating systems under the National Security Agency's Trusted Computer System Evaluation Criteria.

Arnold said agencies' existing installations of NT 4.0 Server and Workstation must have NT Service Pack 6 and several hot fixes installed to qualify at the C2 security level.

C2 certification has been a moving target for NT 4.0 for several years [GCN, Oct. 26, 1998, Page 8]. Until the SAIC lab completed its work, NT 3.5 had been the only C2-certified Microsoft OS.

Specific environment

The San Diego company's lab, with Microsoft funding and NSA supervision, tested the NT 4.0 OSes on Compaq Computer Corp. uniprocessor and multiprocessor systems in networked and standalone modes.

The configurations included ProLiant 6500 and 7000 servers and Compaq Professional Workstation 5100s and 8000s, in addition to a Hewlett-Packard Co. digital audio tape drive and HP LaserJet printers. Strictly speaking, only those specific configurations are C2-certified with NT 4.0.

The required NT Service Pack 6 and hot fixes are downloadable from the Web at www.microsoft.com. Arnold said the software fixes also can be obtained on CD-ROM from Microsoft Corp.

"Lots of requests for proposals require C2 or the equivalent," Arnold said. "C2 means the OS can identify and authenticate users and can control and audit their access to data."

The lab's certification effort began with NT 4.0 Service Pack 3 and continued through packs 4, 5 and 6. Work will now begin on Windows 2000.

"The evaluation process is still evolving," he said.

Arnold and Frank Simmons, vice president at SAIC's Center for Information Security Technology, said the lab also is evaluating Microsoft SQL Server.

ISN is sponsored by Security-Focus.COM