Re: Hack Microsoft NT C2 Rating?
At 07:27 AM 9/26/95 -0700, todd@lgt.com (Todd Glassey) replied to Ray:
So, if one can find bugs in NT's security, one can toss a little more egg on the NSA's face and the sham that part of their activities to *help* to secure American computers. A simple violation of NT's C2 status would be to demonstrate a flaw in its memory protection implementation.
One of the bigger cracks on VMS was after it got its C2 rating; a strong system doesn't do you much good if you don't change the default passwords for the SYSTEM and FIELD service accounts :-) I'm more surprised by the rating since the Orange Book is basically for non-networked systems; Red Book rating is _much_ harder, unless the NSA's taking a different view of trustability of software encryption for authentication purposes than they used to.
As per NT's orange book C2 Rating... C2 is about the lowest level of Secure that you can get. In fact I personally am unimpressed, rather it is a box on an RFQ that gets checked. Very few people run C anything sites in reality.
A C2 rating says that most of the obvious bugs have been found, access to the system and individual files requires authentication, and you can do an audit trail to find out who accessed what data when. Ignoring networks, that's not too bad. But, yeah, one of the big reasons for C2 rating is that government RFPs generally require C2 security, at least for military or sensitive non-military purchases. B-level ratings give you multi-level security, so you can run SECRET and CONFIDENTIAL on the same box; it's not a very useful security model for non-military applications, but does let you do a better-trusted job of system integrity.
IMHO - Military sites passing real classified data usually are not run on anything as low as C2. If you want a secure os, look at the Harris Computer Corp's B1-Certified version of ES/MP UNIX (they call it CX/SX).
For fun ways to hack NT, check out http://www.somar.com/security.html. Some of these are really laughable. You can use NT's LogonUser API call to repeatedly guess passwords until you hit it, since NT offers no way to limit number of login attempts. That's the kind of thing that would get changed for a C2 version, just as the Unix login program had to be souped up for C2 and B1. Even adding a constant delay, or an increasing delay after bad attempts, is a good start for systems like that. (It turns out that logging user names on bad attempts has to be done carefully to avoid increasing risk - if users get out of sync on typeahead when entering their login and password, you can end up logging passwords, which was especially bad when that sort of data got printed on the paper console...)
Hah. Maybe it's changed since I was working with the AT&T System V/MLS folks, but the vast majority of classified processing back then was done on unrated or C2 systems running System High - everybody's cleared, and the boxes with the classified stuff aren't connected to the outside except by limited sneakernet. You can get a _lot_ of security by keeping your computers in locked rooms, and the average PC of those days could fit in a big safe at night even if it couldn't fit in a locked file cabinet. (And floppy disks or external shoeboxes were easy to lock up.)
Dan B. wrote
#---
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---
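An added example, not part of any message in this thread: one way to implement the increasing delay after bad attempts and the careful logging of user names that Bill Stewart's message describes. The class name, the `verify` callback, the delay values and the digest format are all assumptions made for illustration.

```python
import hashlib
import hmac


class LoginThrottle:
    """Increasing delay after bad logins, with an audit trail that never
    stores an unrecognised user name in clear text."""

    def __init__(self, known_users, verify, log_key, base_delay=1.0, max_delay=300.0):
        self.known_users = set(known_users)
        self.verify = verify            # assumed callable: verify(user, password) -> bool
        self.log_key = log_key          # secret key for digests of unrecognised names
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = {}              # log name -> consecutive failures
        self.locked_until = {}          # log name -> time the next attempt is allowed
        self.audit = []                 # (time, log name, outcome)

    def log_name(self, user):
        # A name matching no account may be a password typed into the wrong
        # field, so only a keyed digest of it is ever kept.
        if user in self.known_users:
            return user
        digest = hmac.new(self.log_key, user.encode(), hashlib.sha256).hexdigest()
        return "unknown:" + digest[:12]

    def delay(self, failures):
        # 0, base, 2*base, 4*base, ... capped so an account cannot be locked forever.
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, user, password, now):
        key = self.log_name(user)
        if now < self.locked_until.get(key, 0.0):
            outcome = "throttled"       # rejected without checking the password
        elif user in self.known_users and self.verify(user, password):
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            outcome = "ok"
        else:
            self.failures[key] = self.failures.get(key, 0) + 1
            self.locked_until[key] = now + self.delay(self.failures[key])
            outcome = "denied"
        self.audit.append((now, key, outcome))
        return outcome
```

The keyed digest still lets an auditor see that the same unrecognised name was tried repeatedly, without the name itself ever reaching the log or the console.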
I'm more surprised by the rating since the Orange Book is basically for non-networked systems; Red Book rating is _much_ harder, unless the NSA's taking a different view of trustability of software encryption for authentication purposes than they used to.
I'm a little sceptical as to the relevance of C2. It is a set of criteria that is now very old and concerns military security where people can be told what to do. One way in which security systems often fail is in the security structure being so suffocating that people have to poke air holes in it so they can breathe. I think that C2 is possibly the limit of orange/red bookishness that is reasonable to work to. It is not a trivial level of security however, UNIX despite all the claims has never been shipped as C2 secure as standard by a mainstream vendor. Even requirements involving trivial effort but which are extremely important such as the writing of a user's security guide have never been taken seriously on any of the UNIX platforms on which I have worked.
Phill
hallam@w3.org writes:
I think that C2 is possibly the limit of orange/red bookishness that is reasonable to work to. It is not a trivial level of security however, UNIX despite all the claims has never been shipped as C2 secure as standard by a mainstream vendor. Even requirements involving trivial effort but which are extremely important such as the writing of a user's security guide have never been taken seriously on any of the UNIX platforms on which I have worked.
A slight correction: SCO shipped the C2 version of their Open Desktop 1.1 as the standard (in fact, only) version a few years back. The howls of outrage from their customer base (due to the non-standard-Unix behavior) caused them to back off in the next major release. Last time I tried to install their software, C2 had been made an option. (Of course, AFAIK, they never actually completed a C2 evaluation.)
-- Jeff