Q

Win2k's C2 rating

Windows 2000 has been given a C2 security rating. Does it lose that rating when used in a network? Does it only have that rating when it's a stand-alone?


Yes and no. The "Orange Book" ratings are for systems that are not connected to a network. A computer system doesn't lose the rating when it's on a network; it simply doesn't apply. Let me give an analogy: If you buy a car that has a rating of 60MPG on the highway, that doesn't apply if you're pulling a trailer. Not because the rating is bogus, or the car is bad, but because circumstances are different than the rating measured.

On the other hand, this does indeed say a lot about the Orange Book ratings and how well they've aged over the last decade. They were designed for local, timesharing systems not connected to a network. In 2002, it's almost charming to think of a computer not connected to the Net, especially one used by more than one person.

I'll also note that in the past, when NT 3.5 had a C2 rating, NT had to run in C2 mode, too. The out-of-box install was *not* C2. I don't know what the situation is with Win2K, but I suspect it's similar.

If your real quandary is that someone is trying to justify the security of a Win2K network server because Win2K has a C2 rating, then that person is indeed merely displaying a little knowledge. A C2 rating has nothing to do with network security. It is about local, non-network security. A system with a C2 rating may be a secure network server. But it might not be, either, and the rating gives no guidance, alas.

If your real, real problem is that someone is telling you, "IIS must be secure because Windows 2000 has a C2 rating," then this person needs a visit from the clue fairy. Find a spare Wintel box, hand them a Win2K install CD and do a default install. Put it on the network and let bake. Orange Book ratings do not prevent applications from having bugs.


For more information on this topic, visit these other searchSecurity resources:
Best Web Links: Securing Microsoft Applications/Product
Online Event Archive: Securing your Windows NT/2000 infrastructure

This was first published in February 2002
