Windows NT E3/F-C2 Evaluations

Last updated: April 28, 1999

On April 28th, 1999, the UK Government announced that Microsoft Windows NT Server and Workstation 4.0 had completed a successful evaluation under the ITSEC regime at the E3/F-C2 level. E3/F-C2 is widely acknowledged to be the highest ITSEC evaluation rating that can be achieved by a general-purpose operating system.

This success follows a trend established by previous versions of Windows NT Server and Workstation. Windows NT 3.51 was successfully evaluated under the ITSEC regime at the same E3/F-C2 level, and Windows NT 3.5 was successfully evaluated under the US Government's TCSEC regime at the roughly equivalent C2 level.

ITSEC is a widely respected security evaluation process that provides independent testing and evaluation of IT systems against standardized criteria and according to a formal methodology. ITSEC represents a single uniform standard adopted by the UK, France, Germany, the Netherlands and the European Commission and is comparable to the US Government's TCSEC, or "Orange Book", evaluation process. The value of both processes is the same - they provide the imprimatur of a trusted third party that has scrutinized the product and assessed the security it can provide.

The ITSEC regime evaluates products according to two criteria, the security features that the product provides (the so-called "functional class"), and the assurance that the product correctly and fully implements them. In the case of the Windows NT 4.0 evaluation, the "F-C2" part of the rating indicates the functional class, and the "E3" part indicates the assurance level.

The security features that are required at the ITSEC F-C2 level are similar to those required at the TCSEC C2 level. These include:

• Mandatory identification and authentication of all users on the system - The ability of the system to identify authorized users and to allow only them to access system resources

• Discretionary access control - The ability for users to protect their data as they desire.

• Accountability and Auditing - The ability of the system to thoroughly audit user and system actions.

• Object Reuse - The ability of the system to prevent users from obtaining information from resources that previously were used by others, for example, memory that has been released or files that have been deleted.

In addition, Windows NT 4.0 provides other features that go beyond those required by the F-C2 criteria. These include:

• A Trusted Path that allows users to ensure that logon requests and the like are handled only by the operating system

• Centralized security management features

• A sophisticated Domain Trust model

The assurance requirements at the ITSEC E3 level are similar to those required at the TCSEC C2 level. These include:

• Examination of source code

• Examination of detailed design documentation

• Retesting to ensure that any errors identified during the evaluation have been corrected.

The ITSEC evaluation reports for Windows NT and the certificates attesting to the successful completion of the process are available:

• Evaluation Report for Windows NT 3.51 E3/F-C2 Evaluation.

• ITSEC Evaluation Report for Windows NT 4.0 E3/F-C2 Evaluation.

For more information on the ITSEC process, see https://www.itsec.gov.uk.