On December 02, 1999, the US Government announced that Microsoft Windows NT Server and Workstation 4.0 had completed a successful evaluation at the C2 level according to the Trusted Computer System Evaluation Criteria (TCSEC). The TCSEC, more familiarly known as the "Orange Book", is perhaps the best-known governmental evaluation process for IT systems. C2 is widely acknowledged to be the highest evaluation rating that can be achieved by a general-purpose operating system. The Windows NT 4.0 evaluation included servers and workstations in six different roles, operating in both TCP/IP networked and stand-alone modes.
For more information on the TCSEC process, see:
http://www.radium.ncsc.mil/tpep/.
The TCSEC provides an evaluation by an independent third party against standardized criteria and according to a formal methodology known as the Trusted Products Evaluation Process (TPEP). Like the UK Government's ITSEC regime, the evaluation carries the imprimatur of a trusted third party that has scrutinized the product and assessed the security it can provide. Microsoft worked with SAIC, an approved TPEP laboratory, to ensure that it fully met all documentation and testing requirements.
The TPEP evaluates the security features that a product provides and the assurance that the product correctly and fully implements them. The security features that are required at the C2 level include:
* Mandatory identification and authentication of all users on the system - The ability of the system to identify authorized users and to allow only them to access system resources.
* Discretionary access control - The ability for users to protect their data as they desire.
* Accountability and Auditing - The ability of the system to thoroughly audit user and system actions.
* Object Reuse - The ability of the system to prevent users from obtaining information from resources that previously were used by others, for example, memory that has been released or files that have been deleted.
The assurance requirements at the C2 level include:
* Examination of source code
* Examination of detailed design documentation
* Retesting to ensure that any errors identified during the evaluation have been corrected.