http://www.microsoft.com/TechNet/boes/bo/winntas/technote/security.htm (PC Press Internet CD, 03/1996)

Updated: March 12, 1996

C2 Security Overview


Today, networks of computers are becoming increasingly important to most businesses. Networks are used to share key information and resources among many users throughout organizations of various sizes. Frequently, the information stored on network servers, such as the Microsoft® Windows NT™ Server operating system, is secure information that is intended for use only by specific individuals. Therefore, the ability of these networks to prevent unauthorized access to information is paramount to the security and competitiveness of an organization.

The Characteristics of a Secure System - C2 and Beyond

A secure network system has many characteristics. A baseline measurement of a secure operating system is the U.S. Department of Defense's criteria for a C2-level secure system. While C2 security is a requirement of many U.S. government installations, its substantial value extends to any organization concerned about the security of its information.

Some of the most important requirements of C2-level security are:

The owner of a resource (such as a file) must be able to control access to the resource.

The operating system must protect data stored in memory for one process so that it is not randomly reused by other processes. For example, Windows NT Server protects memory so that its contents cannot be read after it is freed by a process. In addition, when a file is deleted, users must not be able to access the file's data even when the disk space used by that file is allocated for use by another file.

Each user must uniquely identify himself or herself. In Windows NT Server, this is achieved by typing a unique logon name and password before being allowed access to the system. The system must be able to use this unique identification to track the activities of the user.

System administrators must be able to audit security-related events and the actions of individual users. Access to this audit data must be limited to authorized administrators.

The system must protect itself from external interference or tampering, such as modification of the running system or of system files stored on disk.

In addition to meeting the U.S. government's C2 requirements, there are certain "real world" security problems that a fully secure system must also solve. These real world security issues tend to fall into two categories: managing security and using security. Windows NT Server is designed to meet the requirements for a C2 secure system while also providing excellent tools for both managing and using these comprehensive security features.


C2 Security - Requirements Defined

The requirements for a C2 secure system are articulated by the U.S. Department of Defense's National Computer Security Center (NCSC) in the publication Trusted Computer System Evaluation Criteria, also known as the "Orange Book". All systems, whether they are network operating systems or standalone operating systems, are evaluated under the criteria set forth in the Orange Book. Windows NT Server was designed from the ground up to comply with the NCSC's Orange Book requirements. Microsoft and the NCSC have worked closely throughout development to ensure that both Windows NT Workstation and Windows NT Server comply with the government's requirements for a C2 secure system.

The NCSC has published different "interpretations" of the Orange Book. These interpretations clarify Orange Book requirements with respect to specific system components. For example, the NCSC's Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, or "Red Book," is an interpretation of Orange Book security requirements as they would be applied to the networking component of a secure system. The Red Book does not change the requirements; it simply indicates how a network system should operate in order to meet Orange Book requirements for a C2 secure system.

There is a complete set of Orange Book interpretations published by the NCSC that assist vendors in ensuring that their systems comply with Orange Book requirements. So, just as the Red Book is an interpretation of the Orange Book for network systems, there is also a Blue Book that interprets the Orange Book for subsystem components, and other books for other components.


C2 Security in Windows NT Server

Both Windows NT Server and Windows NT Workstation are in the final stage of being evaluated under the guidelines set forth in the Orange Book, as well as the Red Book and Blue Book interpretations. This means that Windows NT Server's evaluation covers the standalone system, the networking functions, and all other relevant components. As a result, Microsoft will offer a complete, secure solution that includes the desktop, server, and network. Other vendors, such as Novell, cannot claim such a comprehensively secure environment because they cannot provide C2 level security at all of these points.

Products are only listed on the NCSC's C2 "Evaluated Products List" after a lengthy, detailed evaluation process. Microsoft first signed a Letter of Agreement with the NCSC to evaluate Windows NT for C2 compliance in early 1992. Since then, we have worked closely with the NCSC to ensure C2 compliance of the Windows NT platform. Windows NT recently entered the final "Formal Evaluation" stage of the evaluation process. We expect to attain Windows NT's first listing as an evaluated product in the second quarter of 1995. Attaining this will mean that the NCSC has found the core components of Windows NT to be C2 compliant and customers can use Windows NT as a component in building their C2 certifiable systems.

After this first listing, the NCSC will continue evaluating additional components of the Windows NT operating system and add them to the list of evaluated products. In addition to its C2 evaluation, Windows NT is also being evaluated in Europe for a similar E3 rating. This will allow customers in both the U.S. and Europe to operate certifiably secure systems. Microsoft began working with the NCSC back in July 1992. Novell, according to the NCSC, is only beginning its C2 evaluation. It faces many months of detailed work before it can even be considered for the NCSC's Evaluated Products List. The Windows NT platform offers a system built to C2 requirements today.


Solving Real World Security Problems

While following the C2 guidelines is extremely valuable in developing a secure operating system, there are a number of key, "real world" problems that the C2 guidelines do not directly address. Since the primary objective of the C2 guidelines is to provide users with a truly secure, usable system, Microsoft went significantly beyond the implementation of C2 requirements in the development of Windows NT Server security.

From a management perspective, Windows NT Server provides comprehensive tools to help administrators manage and maintain security in their environments. For example, an administrator can specifically control which users have access rights to which network resources. These resources include files, directories, servers, printers, and applications. Rights are defined on a per-resource basis and can be managed centrally from any single location.

User accounts are also managed centrally. The administrator can specify group memberships, logon hours, account expiration dates, and other user account parameters via easy-to-use graphical tools. The administrator can also audit all security-related events, such as logon attempts and user access to files, directories, printers, and other resources. The system can even be set to "lock out" a user after a prescribed number of failed logon attempts. Administrators can also force password expiration and set password complexity rules so that users are forced to choose passwords that are difficult to discover.

From the user's perspective, Windows NT Server security is complete, yet easy to use. A simple password-based logon procedure gives them access to the appropriate network resources. What the user does not see are processes, such as the system-level encryption of their password so that it is never passed over the wire. This encryption prevents unauthorized discovery of a user's password through wire "sniffing."

Users are also able to define access rights for any resource they own. For example, if a user needs to share a specific document with other users, he or she can specify exactly who has read and write access to that document. These rights are easily assigned through the familiar Windows File Manager. Of course, access to organizational resources is fully managed only by authorized administrators.

An even deeper example of Windows NT Server's security capabilities is its protection of data, even while that data is in a machine's physical memory. Windows NT Server allows only authorized programs to access data. When such a program accesses data, that data is placed in physical memory. Despite the fact that the data is no longer only on the disk, Windows NT Server still protects it from unauthorized access. No unauthorized program will be able to access that data while it is in memory. Therefore, it is impossible for a rogue application to take advantage of another application's use of data while that data is in the physical memory of a machine.

Windows NT Server - Built to be Secure

Building a secure network operating system requires careful planning. Security features must be included throughout the system. The file system, user account directory, user authentication system, memory management, environment subsystems and other components all require special design consideration if the system is to be secure. Microsoft made security a design goal of the Windows NT operating system. Before the system was built, security features were designed into every facet of the operating system. This early planning and design was critical to the successful development of a secure system and ensures Microsoft's continuing ability to provide comprehensive, usable security in Windows NT Server.

Novell is a registered trademark of Novell, Inc.





©1996 Microsoft Corporation