|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Windows NT 4.0 and C2 - New certs
Subject: Re: Windows NT 4.0 and C2 - New certs
From: Scott Morizot (tmorizot
ADC.IS.IRS.GOV)
Date: Fri Dec 03 1999 - 15:06:26 CST
- Next message: Matthew Pemble: "Re: Windows NT 4.0 and C2 - New certs"
- Previous message: Paul L Schmehl: "Re: Windows NT 4.0 and C2 - New certs"
- In reply to: Kevin_E_WetzelNOTES.TCS.TREAS.GOV: "Re: Windows NT 4.0 and C2 - New certs"
- Next in thread: Colin Rous: "Re: Windows NT 4.0 and C2 - New certs"
- Next in thread: Anonymous Anonymous: "Re: Windows NT 4.0 and C2 - New certs"
- Reply: Scott Morizot: "Re: Windows NT 4.0 and C2 - New certs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 3 Dec 99, at 14:54, Kevin_E_WetzelNOTES.TCS.TREAS.GOV wrote:
> This seems strange to me since no government agency in sound judgement would put
> anything above sensitive on a Microsoft platform. I would like ask a question
> and see if anyone could provide some feedback on this topic. First of all it was
> previously stated that NT Server was not C2 certified unless it was disconnected
> from the network. This recent information appears to say that NT is C2 certified
> when connected to the network. I would love to show you all the plain text
> authentication packets that are sent over a network using this OS and then ask
> if you still think its C2 secure. Any comments would be welcomed.
The details aren't published yet. Those will tell a lot. As I recall,
the target environment for the E3 certification had a lot of specific
requirements, including excluding all non-NT systems from the network
and specifically excluding applications like Exchange Server.
Microsoft has a history of obtaining functionally useless certifications
for the benefit of their sales staff. The real test will be whether
the system and environment specified for this certification even
vaguely resemble anything that's likely to exist in a real production
environment.
Although with the move to the Common Criteria and the recently
published Controlled Access Protection Profile, the point is less
important, I should note that in the Rainbow series, the Orange
book does not consider network security. It deals with the
internal security of multi-user systems and applications
only. The additional network-related criteria are in the
Red book, something that was notably not mentioned on Microsoft's
web site.
Scott Morizot
Common Criteria:
http://www.radium.ncsc.mil/tpep/library/ccitse/index.html
Protection Profiles:
http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html
Scott Morizot
Austin Development Center
IS:SD:CT:CA http://www.adc.is.irs.gov/
work: tmorizotadc.is.irs.gov (512) 460-2605
home: tmorizotccsi.com
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
- Next message: Matthew Pemble: "Re: Windows NT 4.0 and C2 - New certs"
- Previous message: Paul L Schmehl: "Re: Windows NT 4.0 and C2 - New certs"
- In reply to: Kevin_E_WetzelNOTES.TCS.TREAS.GOV: "Re: Windows NT 4.0 and C2 - New certs"
- Next in thread: Colin Rous: "Re: Windows NT 4.0 and C2 - New certs"
- Next in thread: Anonymous Anonymous: "Re: Windows NT 4.0 and C2 - New certs"
- Reply: Scott Morizot: "Re: Windows NT 4.0 and C2 - New certs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b27 : Fri Dec 03 1999 - 18:16:57 CST