An update on Windows NT 4.0 and the C2 evaluation
September 30, 1998
Last week, I got a tremendous amount of information about C2 from various WinInfo readers and, originally, I had intended to publish most of it. But I just received an interesting post from Frank Mayer, of Science Applications Internal Corporation (SAIC), the company that Microsoft has contracted to get Windows NT 4.0 evaluated for the C2 rating. Frank is a long-standing and well-respected member of the security community, which is one of the reasons SAIC was chosen to work with Microsoft on the NT 4.0 evaluation. I think I'll just present his own description of the status of Windows NT and C2, since he does sum it up quite nicely and probably understands the process better than most.
Here it is, only slightly edited for formatting.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
There appears to be much confusion with regard to Windows NT and the status of its C2 evaluation. I'll attempt to set the record straight with the facts. My background with this topic runs from early in the evaluation efforts in 1992, where as a department director at The Aerospace Corporation, a federally funded research corporation, I was a member of the government C2 evaluation team for the original Windows NT evaluation, to today, where my organization at SAIC is conducting the current C2 evaluation.
Windows NT 3.5 was awarded a C2 rating in July 1995. This was a stand-alone evaluation (i.e. no networking was evaluated). The C2 configuration did require some permissions within the file system and Registry to be changed from their out-of-the-box defaults (it is well known that the default permission settings in Windows NT are not conservative from a security perspective). Other configuration and Registry settings were also included as part of this evaluation, some optional (e.g., crash on audit full) some not (e.g., "allocated" floppy and CD drive to interactive user). This is not atypical for C2 evaluated configurations.
As the Windows NT 3.5 evaluation was closing, discussions and planning between Microsoft and the government for a networked Windows NT 3.51 (later 4.0) evaluation were taking place. A team leader was assigned and a team formed. At this point (early 1996), I left Aerospace for SAIC and so have no direct knowledge for the next 9 months or so. In late 1996, SAIC and Microsoft began discussions about SAIC helping Microsoft move forward with the C2 evaluation of Windows NT 4.0.
In the summer of 1997, SAIC and Microsoft signed an agreement whereby SAIC would help Microsoft re-start the C2 evaluation efforts for Windows NT 4.0. Originally, we were to help Microsoft work with a government evaluation team to facilitate the evaluation. In early 1998, we transitioned the effort into an SAIC-staffed evaluation team under a government program that is commercializing the product evaluation program.
Our evaluation team has been working closely with Microsoft all year. A major milestone for this evaluation, the first of two government technical review boards (TRBs), will occur 29-30 September 1998. This TRB is NOT the point at which a "pass or fail" decision is made; rather it is intended to "ensure that the evaluation team has performed sufficient analysis of the product design" (See the "IPAR/Test Technical Review Board Meeting" section at this Web page). So it is indeed true that Windows NT 4.0 has not completed a C2 evaluation for a network configuration. However, it is also true that significant effort is actively being directed towards that end, and the evaluation is well into the evaluation process. The targeted evaluation version (subject to changes) is Windows NT 4.0 with Service Pack 4 in a closed network configuration.
Finally, I'd like to comment on C2. A "product" evaluation is a fairly in-depth (by today's standard) analysis of an operating system (or other type of technology) against a standard (e.g., C2). The C2 requirements are entirely contained on 3 pages of text. It takes a lot of interpretation and analysis to assess compliance of something as complex as an operating system with something as simple as 3 pages of technical requirements. In order to keep the evaluation process tractable, an "evaluated configuration" is defined that scopes the evaluation effort. Rarely if ever would a C2 evaluated product be "rated" with all the functionality supported by that product or in its default configuration. This is OK and, I'll assert, even good. Because what a C2 product evaluation is intended to provide is assurance that, for the "evaluated configuration," a standard set of security features (e.g., access and security auditing) at a standard level of assurance (e.g., internal design analysis and security functional testing) is assessed by an independent third party at a level of detail more than product consumers could afford. A user/integrator would then take that product, understand its "evaluated configuration," and use that as a starting point for building a secure system. Certainly everyone deviates from evaluated configurations. However, now they have the opportunity to start from an established and evaluated starting point.
Frank Mayer ([email protected])
Center for Information Security Technology
Science Applications Internal Corporation