The National Computer Security Center (NCSC) was formed to help businesses and home users protect proprietary and personal data. The first goal of the NCSC was to create a document containing the technical standards and criteria to be used in evaluating computer systems. The NCSC also established a process by which software vendors such as Microsoft could submit their security-related products for evaluation.
NCSC security ratings range from "A" to "D," in which "A" represents the highest security. The "C" rating is generally applied to business software. Each rating is further divided into classes. For example, in the "C" division, software may be rated either "C2" or "C1," with "C2" representing the higher security. The most important requirements for an operating system rated "C2" are the following.
An operating system must be able to define and control its users' access to objects (such as files and directories), provide a way for users to uniquely identify themselves, provide a way to audit security-related events and actions of individual users, and protect one process from accessing the data for another process.
For discretionary access control, Windows NT enables an administrator or user to determine who can access files and how those files will be accessed. Access to other Windows NT resources, such as printers and network-server sharepoints, can be controlled in the same way.
Identification and authentication in Windows NT is achieved through the logon Secure Attention Sequence. All users must log on to start Windows NT. When Windows NT users type their user names and passwords to log on locally, they must first press Control+Alt+Delete to verify that no Trojan Horse programs are present. (A Trojan Horse is a program that can capture a user's logon information, thereby providing network access.) Because Control+Alt+Delete is intercepted by the operating system itself and cannot be captured by an ordinary application, the logon dialog that appears after it is guaranteed to be the genuine one rather than a counterfeit. Because each user has a unique user name, domain name, and password combination, Windows NT can assure a user's unique identity.
Using Windows NT, a system administrator can audit all security events and user actions. The User Manager enables an administrator to specify which events (such as logon or file access) will be monitored. All audited information is stored in the Event Log, which can be viewed in Event Viewer.
One of the important issues in software security is object reuse. In a secure operating system, such as Windows NT, all allocation and deallocation of objects (such as files, directories, and memory) must be protected. Only users with proper access permissions should be allowed access. In Windows NT, this is achieved through a robust object manager that either initializes or zeros out objects before presenting them to a user.
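As an added illustration (not Microsoft's code and not the Windows NT object manager itself), the toy fixed-slot allocator below shows why the object-reuse requirement matters: with clearing disabled, a second user who is handed the slot a first user just released can read the first user's leftover data; with clearing enabled, the object is zeroed before it is presented, which is the behaviour a C2 object manager must provide. The pool layout, slot size and "secret" string are constructed for the demonstration.

```c
/* Added example, not part of the original page: a toy slot pool that
 * models the C2 object-reuse requirement (storage must be initialized
 * before it is given to a new owner). Sizes and the secret are constructed. */
#include <string.h>

#define SLOT_SIZE 32
#define NUM_SLOTS 4

typedef struct {
    unsigned char data[NUM_SLOTS][SLOT_SIZE];
    int in_use[NUM_SLOTS];
    int clear_on_reuse;   /* 1 = behave like a C2 object manager, 0 = insecure */
} pool_t;

/* Hand out the first free slot. The C2-style manager zeros the object
 * before presenting it; the insecure variant returns it with old contents. */
static unsigned char *pool_alloc(pool_t *p) {
    int i;
    for (i = 0; i < NUM_SLOTS; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            if (p->clear_on_reuse)
                memset(p->data[i], 0, SLOT_SIZE);
            return p->data[i];
        }
    }
    return NULL;
}

/* Release a slot. Note that neither variant scrubs on free; the secure
 * behaviour is enforced at the moment the object is (re)presented. */
static void pool_free(pool_t *p, unsigned char *obj) {
    int i;
    for (i = 0; i < NUM_SLOTS; i++)
        if (p->data[i] == obj)
            p->in_use[i] = 0;
}

/* Simulate two users sharing the pool: the first stores a secret and releases
 * the object, the second then allocates and is given the same slot.
 * Returns 1 if the second user can read the first user's data (an
 * object-reuse failure), 0 if the object was properly initialized. */
int residue_leaks(int clear_on_reuse) {
    pool_t p;
    memset(&p, 0, sizeof p);
    p.clear_on_reuse = clear_on_reuse;
    unsigned char *first = pool_alloc(&p);
    strcpy((char *)first, "password=hunter2");   /* constructed secret */
    pool_free(&p, first);
    unsigned char *second = pool_alloc(&p);      /* reuses the same slot */
    return strstr((char *)second, "hunter2") != NULL;
}
```

Calling residue_leaks(0) returns 1 (the secret survives reuse) while residue_leaks(1) returns 0, which is the difference the NCSC object-reuse criterion is designed to catch.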
The process of software evaluation is comprehensive. The NCSC evaluation is based on a series of standards published in the "Orange Book." Additional documents cover the evaluation process and are collectively referred to as the "Rainbow Series."
The evaluation process begins when a software vendor presents a proposal to the NCSC, requesting an evaluation. If approved, the software vendor must demonstrate to the NCSC that the product design and supporting documentation are complete. If satisfied, a team of NCSC evaluators is assigned to evaluate the new product. The most time-consuming part of the process is the evaluation itself. As part of the evaluation, the NCSC evaluators examine each aspect of the system to confirm that security has been properly implemented and that security testing of the system is complete. Once satisfied, the software is presented to the NCSC Technical Review Board for final approval. If approved, an entry is placed on the Evaluated Products List, recording the successful evaluation. The NCSC evaluation team releases a Final Evaluation Report, which covers all evaluated aspects of the software.
Microsoft began the process of the Windows NT Platform evaluation in 1991. In July 1995, Microsoft met its first milestone: a C2 Orange Book listing of the base operating system of the Windows NT Platform version 3.5 (with Service Pack 3).
The Windows NT operating system also received NCSC recognition for two B-level features: B2 Trusted Path and B2 Trusted Facility Management.
Trusted Facility Management concerns the separation of administrative duties; for example, Windows NT provides separate administrative roles for Administrators, users tasked with backups, users tasked with administering printers, privileged Power Users, and ordinary Users.
Microsoft is currently involved in evaluating the Windows NT Platform version 4.0 to obtain the rating of C2 in a homogeneous networked environment. The NCSC publication "Trusted Network Interpretation," also called the "Red Book," serves as an interpretation of the Orange Book, as it applies to networking for this evaluation.
The typical NCSC security-evaluation cycle takes longer than the product release cycle of Windows NT. No significant changes have been made to the Windows NT security model from version 3.5 to versions 3.51 and 4.0.
The United Kingdom and Germany have an evaluation process similar to the one in the United States: the Information Technology Security Evaluation Criteria (ITSEC). In 1996, the Windows NT version 3.51 platform (in a homogeneous network environment) will complete its first ITSEC evaluation. Windows NT version 3.51 is seeking a C2 rating with an assurance rating of E3. In an ITSEC evaluation, the assurance rating given to a product indicates the level of analysis and supporting documentation used in developing the product; the higher the E level, the greater the assurance. An E3 rating is typically mapped to the level of analysis performed in a "B" level evaluation.
In the Windows NT Final Evaluation Report, the NCSC security evaluators wrote, "One of the major initial design goals for Windows NT was to assure C2-level security through an integral, uniform protection mechanism. All system resources are treated as objects, and thus a single security 'gate' can be the protection component that all users must pass through to acquire system resources.
"This results in much greater assurance that the system meets the applicable security criteria, because a single security mechanism is easier to understand and to verify than multiple ad hoc mechanisms. When security is not an absolute requirement of the initial design, it is virtually impossible through later add-ons to provide the kind of uniform treatment to diverse system resources that Windows NT provides."
For more information on the security design of Windows NT, see Microsoft Windows NT 3.5 Guidelines for Security, Audit, and Control, published by Microsoft Press, and the Microsoft Web Server.