
C2 evaluation and certification for Windows NT

This article was previously published under Q93362
This article has been archived. It is offered "as is" and will no longer be updated.
C2 refers to a set of security policies that define how a secure system operates. The C2 evaluation process is separate from the C2 certification process. As of August 1995, the National Security Agency (NSA) granted the C2 security rating for Windows NT Server and Workstation version 3.5. As a result, these operating systems are on the Evaluated Products List (EPL).

Windows NT Server and Workstation version 3.51 have been granted the security rating of E3/F-C2 through a similar evaluation process in the UK.

For security evaluation for Windows 2000 and beyond, see the following Microsoft Web site:

NOTE: This does not mean that Windows NT is C2 certified (no operating system is ever C2 certified). Certification applies to a particular installation, including hardware, software, and the environment that the system is in. It is up to an individual site to become C2 certified.

The requirements for A-, B-, C-, and D-level secure products are outlined in the Trusted Computer System Evaluation Criteria (TCSEC) published by the National Computer Security Center (NCSC). This publication is referred to as the "Orange Book," and is part of NSA's security "rainbow series." Security level requirements are open to interpretations that change over time. When undergoing evaluation, each vendor negotiates with the NSA about whether or not the details of its particular system implementation conform with the abstract security policy concepts in the NSA's books. The vendor must provide evidence that the requirements are being met.

Microsoft has opted not to include certain components of Windows NT in the evaluation process, not because they would not pass the evaluation, but to save time by reducing the load on the NSA. Additionally, the MS-DOS/Windows on Windows (WOW) system may be treated as a Win32 application and would therefore not need to be evaluated as part of the Trusted Computer Base (TCB). Networking on NT may not have to go through the "Red Book," or "Trusted Network Interpretation." It may be enough to consider networking to be another subsystem, and therefore only the Orange Book would apply. New or modified components and other hardware platforms can go through a "RAMP" process to be included in the evaluation at a later time.

C2 Overview

The security policy in C2 is known as Discretionary Access Control (DAC). In the Windows NT implementation, the basic idea is that users of the system:

  • Own objects
  • Have control over the protection of the objects they own
  • Are accountable for all their access-related actions
C2 classification does not define a substantive security system in the sense of classified or unclassified data. (B-level security assumes the existence of an independent security classification system and enforces that system, but does not specify the substance of the classification system.)

For example, in Windows NT, every object (file, Clipboard, window, and so on) has an owner; any owner can give or not give other users access to its objects. The system tracks (audits) your actions for the administrators (that is, the system administrator can track the objects you accessed, both successes and failures).

The key distinction between C-level and B-level security is in the notion of access control. In a C2 (DAC) system, owners have absolute discretion about whether or not others have access to their objects. In a B-level, or Mandatory Access Control (MAC) system, objects have a security level defined independently from the owner's discretion. For example, if you receive a copy of an object marked "secret," you can't give permission to other users to see this object unless they have "secret" clearance. This is defined by the system independent of your discretion. MAC involves the concept of "data labeling," which is the creation and maintenance by the system of security "labels" on data objects, unalterable by users (except in certain cases under system control and auditing). An administrator can get access to anyone's objects, although it may require some programming to do so (that is, the user interface won't expose this power).
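The DAC/MAC distinction above, as an added conceptual model (not code from the original article and not the Windows NT API): the same sequence of requests is run under an owner-discretion policy and under a label-enforcing policy, with every attempt audited as a success or failure. The users, object name and label ordering are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed label ordering; the article only names "secret".
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

@dataclass
class Obj:
    name: str
    owner: str
    acl: set = field(default_factory=set)  # users the owner has granted access
    label: str = "unclassified"            # consulted only when MAC is on

class ReferenceMonitor:
    """Toy access mediator: C2-style DAC, optionally with a MAC label check."""
    def __init__(self, clearances, mandatory=False):
        self.clearances = clearances
        self.mandatory = mandatory
        self.audit = []                    # (user, action, object, outcome)

    def _log(self, user, action, obj, ok):
        # Accountability: successes and failures are both recorded.
        self.audit.append((user, action, obj.name, "success" if ok else "failure"))
        return ok

    def _cleared(self, user, obj):
        # MAC: clearance must dominate the object's label; DAC ignores labels.
        if not self.mandatory:
            return True
        return LEVELS[self.clearances.get(user, "unclassified")] >= LEVELS[obj.label]

    def grant(self, user, obj, grantee):
        # DAC: only the owner may grant. MAC: the grantee must also be cleared.
        ok = user == obj.owner and self._cleared(grantee, obj)
        if ok:
            obj.acl.add(grantee)
        return self._log(user, f"grant:{grantee}", obj, ok)

    def read(self, user, obj):
        ok = (user == obj.owner or user in obj.acl) and self._cleared(user, obj)
        return self._log(user, "read", obj, ok)

def demo():
    """Run the same four requests under DAC, then under MAC."""
    results = {}
    for mode in (False, True):
        rm = ReferenceMonitor({"alice": "secret", "bob": "unclassified"}, mode)
        plan = Obj("plan.txt", owner="alice", label="secret")
        rm.read("bob", plan)               # not on the ACL
        rm.grant("bob", plan, "bob")       # bob does not own the object
        rm.grant("alice", plan, "bob")     # owner exercising discretion
        results["mac" if mode else "dac"] = (rm.read("bob", plan), rm.audit)
    return results
```

Under DAC the owner's grant is sufficient for the final read; under MAC the same grant is refused because the grantee's clearance does not dominate the "secret" label, and the audit trail shows the difference.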

To obtain more information on this process, including frequently asked questions, a copy of the evaluated products list, and copies of TCSEC and other documentation, visit the following Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Article ID: 93362 - Last Review: 02/28/2014 00:25:08 - Revision: 5.4

Microsoft Windows NT Workstation 3.5, Microsoft Windows NT Workstation 3.51, Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT Server 3.5, Microsoft Windows NT Server 3.51, Microsoft Windows NT Server 4.0 Standard Edition
