Information Security News mailing list archives

If you need C2 security, you'll have to stick with NT 4.0


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Tue, 8 Feb 2000 02:16:30 -0700

From: "John Q. Public" <tpublic () dimensional com>

[Please remember this when the MS droids come to your office and try to
 push NT4 C2 certification on you. - John]


http://www.gcn.com/vol19_no3/news/1284-1.html

February 7, 2000
If you need C2 security, you'll have to stick with NT 4.0
By Susan M. Menke
GCN Staff

Agencies that have a "hard requirement" for C2 security will have to wait
two or more years before adopting Microsoft Windows 2000, says James
Arnold, technical director of Science Applications International Corp.'s
Trusted Technology Assessment Program laboratory.

Arnold's TTAP team in Columbia, Md., last month announced the C2
certification of amended versions of the 4-year-old Windows NT 4.0 Server
and Workstation operating systems under the National Security Agency's
Trusted Computer System Evaluation Criteria. Arnold said agencies' existing
installations of NT 4.0 Server and Workstation must have NT Service Pack 6
and several hot fixes installed to qualify at the C2 security level.

C2 certification has been a moving target for NT 4.0 for several years
[GCN, Oct. 26, 1998, Page 8]. Until the SAIC lab completed its work, NT
3.5 had been the only C2-certified Microsoft OS.

Specific environment

The San Diego company's lab, with Microsoft funding and NSA supervision,
tested the NT 4.0 OSes on Compaq Computer Corp.  uniprocessor and
multiprocessor systems in networked and standalone modes.

The configurations included ProLiant 6500 and 7000 servers and Compaq
Professional Workstation 5100s and 8000s, in addition to a Hewlett-Packard
Co.  digital audio tape drive and HP LaserJet printers.

Strictly speaking, only those specific configurations are C2-certified
with NT 4.0.

The required NT Service Pack 6 and hot fixes are downloadable from the Web
at www.microsoft.com. Arnold said the software fixes also can be obtained
on CD-ROM from Microsoft Corp.

"Lots of requests for proposals require C2 or the equivalent," Arnold
said.  "C2 means the OS can identify and authenticate users and can
control and audit their access to data."

The lab's certification effort began with NT 4.0 Service Pack 3 and
continued through packs 4, 5 and 6. Work will now begin on Windows 2000.
"The evaluation process is still evolving," he said.

Arnold and Frank Simmons, vice president at SAIC's Center for Information
Security Technology, said the lab also is evaluating Microsoft SQL Server.

ISN is sponsored by Security-Focus.COM

