Windows NT Security Systems

The starting point for strong Internet security is the operating system of any machine connected to it. Fortunately for the organizations using IIS 4.0, strong levels of security were built into the core of Windows NT in order to meet and exceed certifiable security standards, specifically the C2 level defined by the U.S. Department of Defense's evaluation criteria. Windows NT security contrasts sharply with the thin and weak security layers that are bolted on top of some other operating systems.

Compliance with the C2 security standard was originally only required for government organizations. However, many commercial organizations are demanding the same level of security, and they recognize the value that such standards offer. The main requirements for C2 compliance are:

The C2 guidelines are applicable to standalone systems, and are specified in the document Trusted Computer System Evaluation Criteria (TCSEC). Fortunately, to make life simpler, this is often referred to as the Orange Book, thanks to the color of its cover. Other specifications that expand on the Orange Book include the Red Book for networking, and the Blue Book for subsystems.

Obtaining C2 certification is a long and complex task, and Microsoft are pushing hard for complete certification. Windows NT has passed the Orange Book certification process (for a standalone PC, not connected to a network) and is on the DOD's official list of evaluated products. At the time of writing, Windows NT 4.0 is undergoing Red and Blue book evaluations.

© 1998 by Wrox Press. All rights reserved.