Security Ratings

The National Computer Security Center (NCSC, at www.radium.ncsc.mil) was established in 1981 as part of the U.S. Department of Defense's (DoD) National Security Agency (NSA) to help the government, corporations, and home users protect proprietary and personal data stored in computer systems. As part of this goal, the NCSC created a range of security ratings, listed in Table 8-1, that are used to indicate the degree of protection commercial operating systems, network components, and trusted applications offer. These security ratings, which are assigned based on the DoD's Trusted Computer System Evaluation Criteria (TCSEC), were defined in 1983 and are commonly referred to as "the Orange Book."

Table 8-1 TCSEC Rating Levels

The TCSEC standard consists of "levels of trust" ratings, where higher levels build on lower levels by adding more rigorous protection and validation requirements. No operating system meets the A1, or "Verified Design," rating. Although a few operating systems have earned one of the B-level ratings, C2 is considered sufficient and the highest rating practical for a general-purpose operating system.

In July 1995, Microsoft Windows NT 3.5 (Workstation and Server) with Service Pack 3 was the first version of Windows NT to earn the C2 rating. In March 1999, Windows NT 4 with Service Pack 3 achieved an E3 rating from the U.K. government's Information Technology Security (ITSEC) organization, a rating equivalent to a U.S. C2 rating. In November 1999, Windows NT 4 with Service Pack 6a earned a C2 rating in both stand-alone and networked configurations.

The rating process takes several years, so although Windows 2000 has been submitted to international security certification organizations, it will probably be some time before its evaluations are complete. However, the fundamental security architecture of Windows 2000 is, if anything, a more robust evolution of that in Windows NT 4, just as Windows NT 4 evolved the Windows NT 3.5 implementation. Windows 2000 will almost certainly achieve the same ratings that Windows NT 4 has.

What's involved in earning a C2 security rating? The following are the key requirements:

• A secure logon facility, which requires that users can be uniquely identified and that they must be granted access to the computer only after they have been authenticated in some way.
• Discretionary access control, which allows the owner of a resource to determine who can access the resource and what they can do with it. The owner grants rights that permit various kinds of access to a user or to a group of users.
• Security auditing, which affords the ability to detect and record security-related events or any attempts to create, access, or delete system resources. Logon identifiers record the identities of all users, making it easy to trace anyone who performs an unauthorized action.
• Object reuse protection, which prevents users from seeing data that another user has deleted or from accessing memory that another user previously used and then released. For example, in some operating systems, it's possible to create a new file of a certain length and then examine the contents of the file to see data that happens to have occupied the location on the disk where the file is allocated. This data might be sensitive information that was stored in another user's file but that has been deleted. Object reuse protection prevents this potential security hole by initializing all objects, including files and memory, before they are allocated to a user.

Windows NT also meets two requirements of B-level security:

• Trusted path functionality, which prevents Trojan horse programs from being able to intercept users' names and passwords as they try to log on. The trusted path functionality in Windows NT comes in the form of its Ctrl+Alt+Delete logon-attention sequence. This sequence of keystrokes, which is also known as the secure attention sequence (SAS), always pops up a logon dialog box, so would-be Trojan horses can easily be recognized: a Trojan horse presenting a fake logon dialog box will be bypassed when the SAS is entered.
• Trusted facility management, which requires support for separate account roles for administrative functions. For example, separate accounts are provided for administration (Administrators), user accounts charged with backing up the computer, and standard users.

Windows 2000 meets all of these requirements through its security subsystem and related components.

The Common Criteria

In January 1996, the United States, United Kingdom, Germany, France, Canada, and the Netherlands released the jointly developed Common Criteria for Information Technology Security Evaluation (CCITSE) specification. CCITSE, usually referred to as the Common Criteria (CC), is becoming the recognized multinational standard for product security evaluation.

The CC is more flexible than the TCSEC trust ratings and has a structure closer to the ITSEC than to the TCSEC. The CC includes the concept of a Protection Profile (PP) to collect security requirements into easily specified and compared sets, and the concept of a Security Target (ST) that contains a set of security requirements that can be made by reference to a PP.

Windows 2000 will be rated using the CC rather than the TCSEC because the U.S. government no longer evaluates products against the TCSEC. You can find out more about the CC at www.radium.ncsc.mil/tpep/library/ccitse.