C2 Security Overview

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

TECHNOLOGY BRIEF

Microsoft Windows NT Server
Network Operating System

Today, computer networks are becoming increasingly important to most businesses. Networks are used to share key information and resources among many users throughout organizations of various sizes. Frequently, the information stored on network servers running an operating system such as Microsoft® Windows NT™ Server is sensitive information that is intended for use only by specific individuals. Therefore, the ability of these networks to prevent unauthorized access to information is paramount to the security and competitiveness of an organization.

The Characteristics of a Secure System—C2 and Beyond

A secure network system has many characteristics. A baseline measurement of a secure operating system is the U.S. National Security Agency's criteria for a C2-level secure system. While C2 security is a requirement of many U.S. government installations, its substantial value extends to any organization concerned about the security of its information. The following are some of the most important requirements of C2-level security.

Discretionary Access Control

The owner of a resource, such as a file, must be able to control access to the resource.
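The following is an added example, not code from this brief and not Windows NT's own access-check implementation. It models the rule just stated: the owner of a resource controls who may use it, by setting an access control list (ACL) of allow and deny entries that the system consults on every request. The evaluation order (deny entries before allow entries, rights accumulated until the request is satisfied) follows the canonical ordering Windows NT uses; the data structures, right values and user names are constructed for illustration.

```python
"""Simplified model of discretionary access control (DAC).

Added example; names, masks and ACL layout are constructed, not taken
from Windows NT. It shows an owner-managed ACL and an access check that
evaluates deny entries first and accumulates allowed rights.
"""
from dataclasses import dataclass, field

# Access rights as a bit mask (constructed values).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
WRITE_DAC = 0x8   # right to change the ACL itself


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()

    def ids(self):
        """All identities an ACE may name for this caller: the user and its groups."""
        return {self.name} | set(self.groups)


@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name the entry applies to
    mask: int      # rights granted or denied by this entry


@dataclass
class Resource:
    name: str
    owner: str
    acl: list = field(default_factory=list)


def access_check(principal, resource, requested):
    """Return True only if every bit in `requested` is granted.

    Deny ACEs are evaluated before allow ACEs (canonical order). A deny
    ACE that names the caller and overlaps the still-unsatisfied rights
    fails the check immediately; allow ACEs remove satisfied rights
    until nothing remains outstanding.
    """
    ids = principal.ids()
    remaining = requested
    # The owner always holds WRITE_DAC, so it can always change the ACL.
    if principal.name == resource.owner:
        remaining &= ~WRITE_DAC
    ordered = sorted(resource.acl, key=lambda a: 0 if a.kind == "deny" else 1)
    for ace in ordered:
        if ace.trustee not in ids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def set_acl(actor, resource, new_acl):
    """Replace the ACL; only a principal holding WRITE_DAC may do so."""
    if not access_check(actor, resource, WRITE_DAC):
        return False
    resource.acl = list(new_acl)
    return True


def demo():
    alice = Principal("alice")
    bob = Principal("bob", frozenset({"staff"}))
    carol = Principal("carol", frozenset({"staff"}))
    report = Resource("report.doc", owner="alice")
    # Alice, the owner, lets staff read the file, keeps read/write for
    # herself, and explicitly denies bob write access.
    ok = set_acl(alice, report, [
        Ace("allow", "staff", READ),
        Ace("allow", "alice", READ | WRITE),
        Ace("deny", "bob", WRITE),
    ])
    return {
        "owner_set_acl": ok,
        "bob_read": access_check(bob, report, READ),
        "bob_write": access_check(bob, report, WRITE),
        "carol_read": access_check(carol, report, READ),
        "carol_write": access_check(carol, report, WRITE),
        "bob_cannot_change_acl": not set_acl(bob, report, []),
    }


if __name__ == "__main__":
    print(demo())
```

The deny-before-allow ordering matters: if the allow entry for `staff` were evaluated first and the check stopped there, bob's explicit deny would never be reached. Sorting by kind before the walk is what keeps an owner's deny entry authoritative regardless of where it sits in the list.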

Object Reuse

The operating system must protect data stored in memory for one process so that it is not randomly reused by other processes. For example, Windows NT Server protects memory so that its contents cannot be read after it is freed by a process. In addition, when a file is deleted, users must not be able to access the file's data even when the disk space used by that file is allocated for use by another file. This protection must also extend to the disk, monitor, keyboard, mouse, and any other devices.
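As an added example (not code from the brief and not Windows NT's memory manager), the block below models the object-reuse rule for memory with a small fixed-size block pool: a block released by one process is scrubbed before it is handed to the next, and a process may only read or write blocks it owns. The `scrub=False` path exists only to show what a pool that ignores the rule would leak to the next holder. Block size, process ids and the sample contents are constructed.

```python
"""Model of the C2 "object reuse" rule for memory.

Added example with constructed sizes and identifiers; it is not the
Windows NT implementation. Freed blocks are zero-filled before reuse,
and every access is checked against the block's current owner.
"""

BLOCK_SIZE = 16


class BlockPool:
    def __init__(self, blocks, scrub=True):
        self.mem = bytearray(BLOCK_SIZE * blocks)
        self.free_list = list(range(blocks))   # LIFO: last freed is reused first
        self.owner = {}                        # block index -> process id
        self.scrub = scrub

    def _span(self, idx):
        return slice(idx * BLOCK_SIZE, (idx + 1) * BLOCK_SIZE)

    def _check_owner(self, pid, idx):
        if self.owner.get(idx) != pid:
            raise PermissionError(f"process {pid} does not own block {idx}")

    def alloc(self, pid):
        """Hand a free block to process `pid`; returns the block index."""
        idx = self.free_list.pop()
        self.owner[idx] = pid
        return idx

    def release(self, pid, idx):
        """Return a block to the pool. With scrub=True its contents are
        zero-filled so the next holder cannot read what was left behind."""
        self._check_owner(pid, idx)
        if self.scrub:
            self.mem[self._span(idx)] = bytes(BLOCK_SIZE)
        del self.owner[idx]
        self.free_list.append(idx)

    def write(self, pid, idx, data):
        self._check_owner(pid, idx)
        if len(data) > BLOCK_SIZE:
            raise ValueError("data exceeds block size")
        self.mem[idx * BLOCK_SIZE: idx * BLOCK_SIZE + len(data)] = data

    def read(self, pid, idx):
        self._check_owner(pid, idx)
        return bytes(self.mem[self._span(idx)])


def reuse_after_free(scrub):
    """Process 1 stores a value, frees the block, and process 2 is then
    handed the same block. Returns what process 2 sees."""
    pool = BlockPool(blocks=2, scrub=scrub)
    blk = pool.alloc(pid=1)
    pool.write(1, blk, b"secret-key-0001!")   # exactly 16 bytes, constructed
    pool.release(1, blk)
    blk2 = pool.alloc(pid=2)                  # LIFO free list: same block
    assert blk2 == blk
    return pool.read(2, blk2)


def cross_process_read_blocked():
    """A live block belonging to process 1 must not be readable by process 2."""
    pool = BlockPool(blocks=2)
    blk = pool.alloc(pid=1)
    pool.write(1, blk, b"live data")
    try:
        pool.read(2, blk)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("scrubbed pool hands out:", reuse_after_free(scrub=True))
    print("unscrubbed pool hands out:", reuse_after_free(scrub=False))
    print("cross-process read blocked:", cross_process_read_blocked())
```

The same two properties, isolation of live allocations and scrubbing on reuse, are what the text requires of disk blocks belonging to deleted files and of device buffers; the pool here is memory-only for brevity.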

Identification and Authentication

Each user must uniquely identify himself or herself. With Windows NT Server, this is achieved by typing a unique logon name and password before being allowed access to the system. The system must be able to use this unique identification to track the activities of the user.

Auditing

System administrators must be able to audit security-related events and the actions of individual users. Access to this audit data must be limited to authorized administrators.

In addition to meeting the U.S. government's C2 requirements, there are certain "real-world" security problems that a fully secure system must also solve. These real-world security issues tend to fall into two categories: managing security and using security. Windows NT Server is designed to meet the requirements for a C2 secure system while also providing excellent tools for both managing and using these comprehensive security features.

C2 Security—Requirements Defined

The requirements for a C2 secure system are articulated by the U.S. Department of Defense's National Computer Security Center (NCSC) in the publication Trusted Computer System Evaluation Criteria, also known as the "Orange Book." All systems, whether they are network operating systems or standalone operating systems, are evaluated under the criteria set forth in the Orange Book. Windows NT Server was designed from the ground up to comply with the NCSC's C2 requirements. Microsoft and the NCSC have worked closely throughout development to ensure that both Windows NT Workstation and Windows NT Server comply with the government's requirements for a C2 secure system.

The NCSC has published different "interpretations" of the Orange Book. These interpretations clarify Orange Book requirements with respect to specific system components. For example, the NCSC's Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, or "Red Book," is an interpretation of Orange Book security requirements as they apply to the networking component of a secure system. The Red Book does not change the requirements; it simply indicates how a network system should operate in order to meet Orange Book requirements for a C2 secure system.

There is a complete set of Orange Book interpretations published by the NCSC that assist vendors in ensuring that their systems comply with Orange Book requirements. Just as the Red Book is an interpretation of the Orange Book for network systems, there is also a Blue Book that interprets the Orange Book for subsystem components, and other books for other components. Products are only listed on the NCSC's C2 Evaluated Products List after a lengthy, detailed evaluation process.

C2 Security in Windows NT Server

Windows NT Server 4.0 is being evaluated as the networking component of a secure system, the Red Book interpretation of the Orange Book guidelines. This evaluation is another phase of the same evaluation Windows NT Server began 3 years ago and the same one that produced C2 evaluation of the base operating system.

Both the Windows NT Server 3.5 and Windows NT Workstation 3.5 operating systems were posted to the NCSC's Evaluated Products List in June 1995 as Orange Book evaluated, and are currently in the formal phase of the Red Book and Blue Book interpretations. This means that the evaluation of Windows NT Server as a standalone system (the "node") is complete, and that the evaluation of the networking functions and all other relevant components is still in process. After this first listing, the NCSC will continue evaluating additional components of the Windows NT operating system and add them to the list of evaluated products. Microsoft designed the Windows NT operating system to be a complete, secure solution that includes the desktop, server, and network. Other vendors, such as Novell, cannot claim such a comprehensively secure environment because they cannot provide C2 level security at all of these points.

Microsoft first signed a Letter of Agreement with the NCSC to evaluate Windows NT Server for C2 compliance in early 1992. Since then, we have worked closely with the NCSC to ensure C2 compliance of the Windows NT platform. Attaining the Orange Book evaluation of the base operating system means that the NCSC has found the core components of the Windows NT Server operating system to be C2 compliant, and that customers can use Windows NT Server as a component in building their C2 certifiable systems.

Windows NT Server 3.51 is also being evaluated as the networking component of a secure system—the Red Book interpretation of the Orange Book guidelines. This evaluation is not a new evaluation of Windows NT Server. Rather, it is another phase of the same evaluation Windows NT Server began 3 years ago and the same one that produced C2 evaluation of the base operating system.

In addition to its C2 evaluation, the Windows NT Server operating system is being evaluated in Europe for a similar E3 rating. This will allow customers in both the U.S. and Europe to operate certifiably secure systems. Microsoft began working with the NCSC back in July 1992. Novell began the C2 evaluation of NetWare® 4.1 in 1995. Novell faces many months of detailed work before NetWare can even be considered for the NCSC's Evaluated Products List. Today, the Windows NT platform offers a C2 evaluated "node" and is in the process of being evaluated as part of a C2 certifiable "network." In the meantime, there is a product available today from Global Internet, Inc. (TNT™ v.2.1) that utilizes the Windows NT Server C2 evaluated base and provides B1 level security for network communication.

Windows NT Server C2 Implementation

The Windows NT Server C2 implementation is entirely software-based. This means that users will not have to install additional hardware on either their servers or clients to meet C2 level security requirements. Some other vendors, most notably Novell, include a hardware component that provides some or all of the C2 security characteristics. In Novell's case, the hardware component is a client supplied by Cordant, Inc. that contains a CPU, memory, expansion BIOS, DES encryption hardware, network interface, and a hard disk controller. This component intercepts all file and NetWare server requests and routes them through the Cordant® card, effectively displacing the NetWare operating system for certain kernel functions.

Cordant's client component further provides two essential aspects of the C2 evaluation that NetWare 4.1 lacks: Discretionary Access Control and Identification and Authentication. In fact, without a component such as the Cordant client, the "off-the-shelf" version of NetWare 4.1 could not be C2 evaluated at all. While the Cordant product is essential for NetWare's C2 Red Book evaluation, there are a number of severe limitations the Cordant client imposes on NetWare, including:

  • The Cordant client needs to be installed in every workstation, at great expense and difficulty.

  • Only MS-DOS®-based clients are supported today (though Cordant promises to eventually offer a Windows-based client).

  • IPX/SPX is the only protocol being evaluated.

  • All workstations must be configured identically.

Windows NT (both the server and the workstation), by comparison, was designed from the ground up to be C2 secure. This means that every process and feature was designed with C2 level security in mind. In fact, Windows NT Server is so secure that certain processes (identification and authentication, and the ability to separate a user from his/her functions) meet B2 security requirements, a level of security that is even more strict than C2. Designing an operating system this way—as opposed to adding components on top of an already complete operating system—has certain benefits such as cost efficiency, reliability and robustness. As the NCSC says in the Final Evaluation Report of the Windows NT operating system: "[w]hen security is not an absolute requirement of the initial design, it is virtually impossible through later add-ons to provide the kind of uniform treatment to diverse system resources that Windows NT provides."1 Windows NT Server is secure from the ground up.

Solving Real World Security Problems

While following the C2 guidelines is extremely valuable in developing a secure operating system, there are a number of key "real-world" problems that the C2 guidelines do not directly address. Since the primary objective of the C2 guidelines is to provide users with a truly secure, usable system, Microsoft went significantly beyond the implementation of C2 requirements in the development of Windows NT Server security.

From a management perspective, Windows NT Server provides comprehensive tools to help administrators maintain security in their environments. For example, an administrator can specifically control which users have access rights to which network resources. These resources include files, directories, servers, printers, and applications. Rights are defined on a per resource basis and can be managed centrally from any single location.

User accounts are also managed centrally. The administrator can specify group memberships, logon hours, account expiration dates, and other user account parameters via easy-to-use graphical tools. The administrator can also audit all security-related events, such as logon attempts and user access to files, directories, printers, and other resources. The system can even be set to "lock out" a user after a prescribed number of failed logon attempts. Administrators can also force password expiration and set password complexity rules so that users are forced to choose passwords that are difficult to discover.
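The block below is an added example, not code from the brief and not Windows NT's own logon, account or audit implementation. It models two of the administrative controls named above, locking an account after a prescribed number of failed logon attempts and rejecting new passwords that fail a complexity rule, and it produces one audit record per logon decision, which is the kind of event the Auditing requirement earlier in the brief says must be recorded and restricted to administrators. The threshold, the minimum password length, the complexity rule, the audit line format and all sample attempts are constructed for illustration.

```python
"""Account lockout, password policy and logon auditing, modelled.

Added example; the policy values, record format and sample data are
constructed and are not Windows NT defaults.
"""
from collections import defaultdict
import string

LOCKOUT_THRESHOLD = 3     # assumed policy value: failed attempts before lockout
MIN_PASSWORD_LENGTH = 8   # assumed policy value


class LogonService:
    """Counts failed attempts per account and writes one audit record per decision."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()
        self.audit = []   # security-relevant events; readable by administrators only

    def logon(self, ts, user, password_ok):
        if user in self.locked:
            outcome = "REJECTED_ACCOUNT_LOCKED"    # even a correct password is refused
        elif password_ok:
            self.failures[user] = 0                # a success clears the counter
            outcome = "SUCCESS"
        else:
            self.failures[user] += 1
            if self.failures[user] >= self.threshold:
                self.locked.add(user)
                outcome = "FAILURE_ACCOUNT_LOCKED"
            else:
                outcome = "FAILURE"
        self.audit.append(f"{ts} LOGON user={user} outcome={outcome}")
        return outcome


def password_meets_policy(user, password, min_length=MIN_PASSWORD_LENGTH):
    """Constructed complexity rule: minimum length, at least three of four
    character classes, and the password must not contain the logon name."""
    if len(password) < min_length:
        return False
    if user.lower() in password.lower():
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3


# Constructed sequence of logon attempts: (timestamp, user, password_ok).
ATTEMPTS = [
    ("1996-03-04T09:12:01", "bob", False),
    ("1996-03-04T09:12:09", "bob", False),
    ("1996-03-04T09:12:30", "alice", True),
    ("1996-03-04T09:12:44", "bob", False),   # third failure: bob is locked out
    ("1996-03-04T09:13:02", "bob", True),    # right password, still rejected
    ("1996-03-04T09:15:10", "alice", False),
    ("1996-03-04T09:15:40", "alice", True),  # success resets alice's counter
]


def replay(attempts=ATTEMPTS):
    """Run the attempts through a fresh service; returns outcomes, locked accounts, audit trail."""
    svc = LogonService()
    outcomes = [svc.logon(*attempt) for attempt in attempts]
    return outcomes, sorted(svc.locked), svc.audit


if __name__ == "__main__":
    outcomes, locked, audit = replay()
    for line in audit:
        print(line)
    print("locked accounts:", locked)
    print("policy check:", password_meets_policy("bob", "Tr0ub4dor!"))
```

Note that the audit record is written for every decision, including rejections of a locked account: an administrator reviewing the trail can then distinguish a user who forgot a password from repeated attempts continuing after lockout, which is the signal the lockout control exists to surface.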

From the user's perspective, Windows NT Server security is complete, yet easy to use. A simple password-based logon procedure gives the user access to the appropriate network resources. What the user does not see are processes such as the system-level encryption of the password, which ensures that it is never passed over the wire in the clear. This encryption prevents unauthorized discovery of a user's password through wire "sniffing."

Users are also able to define access rights for any resource they own. For example, if a user needs to share a specific document with other users, he or she can specify exactly who has read and write access to that document. These rights are easily assigned through the familiar Windows File Manager. Of course, access to organizational resources is fully managed only by authorized administrators.

An even deeper example of Windows NT Server's security capabilities is its protection of data, even while that data is in a machine's physical memory. Windows NT Server allows only authorized programs to access data. When such a program accesses data, that data is placed in physical memory. Despite the fact that the data is no longer only on the disk, Windows NT Server still protects it from unauthorized access. No unauthorized program will be able to access that data while it is in memory. Therefore, it is impossible for a rogue application to take advantage of another application's use of data while that data is in the physical memory of a machine.

Windows NT Server—Built to be Secure

Building a secure network operating system requires careful planning. Security features must be included throughout the system. The file system, user account directory, user authentication system, memory management, environment subsystems and other components all require special design consideration if the system is to be secure. Microsoft made security a design goal of the Windows NT Server operating system. Before the system was built, security features were designed into every facet of the operating system. This early planning and design was critical to the successful development of a secure system and ensures Microsoft's continuing ability to provide comprehensive, usable security in Windows NT Server.

1 Final Evaluation Report, Microsoft, Inc. Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3, National Computer Security Center, 23 June 1995, p. 193.