If you need C2 security, you'll have to stick with NT 4.0

If you need C2 security, you'll have to stick with NT 4.0

By Susan M. Menke

GCN Staff

Agencies that have a 'hard requirement' for C2 security will have to wait two or more years before adopting Microsoft Windows 2000, says James Arnold, technical director of Science Applications International Corp.'s Trusted Technology Assessment Program laboratory.

Arnold's TTAP team in Columbia, Md., last month announced the C2 certification of amended versions of the 4-year-old Windows NT 4.0 Server and Workstation operating systems under the National Security Agency's Trusted Computer System Evaluation Criteria. Arnold said agencies' existing installations of NT 4.0 Server and Workstation must have NT Service Pack 6 and several hot fixes installed to qualify at the C2 security level.

C2 certification has been a moving target for NT 4.0 for several years [GCN, Oct. 26, 1998, Page 8]. Until the SAIC lab completed its work, NT 3.5 had been the only C2-certified Microsoft OS.

Specific environment

The San Diego company's lab, with Microsoft funding and NSA supervision, tested the NT 4.0 OSes on Compaq Computer Corp. uniprocessor and multiprocessor systems in networked and standalone modes.

The configurations included ProLiant 6500 and 7000 servers and Compaq Professional Workstation 5100s and 8000s, in addition to a Hewlett-Packard Co. digital audio tape drive and HP LaserJet printers.


Strictly speaking, only those specific configurations are C2-certified with NT 4.0.


The required NT Service Pack 6 and hot fixes are downloadable from the Web at www.microsoft.com. Arnold said the software fixes also can be obtained on CD-ROM from Microsoft Corp.

'Lots of requests for proposals require C2 or the equivalent,' Arnold said. 'C2 means the OS can identify and authenticate users and can control and audit their access to data.'

The lab's certification effort began with NT 4.0 Service Pack 3 and continued through packs 4, 5 and 6. Work will now begin on Windows 2000. 'The evaluation process is still evolving,' he said.

Arnold and Frank Simmons, vice president at SAIC's Center for Information Security Technology, said the lab also is evaluating Microsoft SQL Server.

inside gcn

  • Phishing

    Phishing is still a big problem, but users can help shrink it

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above