Ask the Expert

Win2k's C2 rating

Windows 2000 has been given a C2 security rating. Does it lose that rating when used in a network? Does it only have that rating when it's a stand-alone?



Yes and no. The "Orange Book" ratings are for systems that are not connected to a network. A computer system doesn't lose the rating when it's on a network; the rating simply doesn't apply. Let me give an analogy: If you buy a car that has a rating of 60 MPG on the highway, that doesn't apply if you're pulling a trailer. Not because the rating is bogus, or the car is bad, but because circumstances are different than the rating measured.

On the other hand, this does indeed say a lot about the Orange Book ratings and how well they've aged over the last decade. They were designed for local, timesharing systems not connected to a network. In 2002, it's almost charming to think of a computer not connected to the Net, especially one used by more than one person.

I'll also note that in the past, when NT 3.5 had a C2 rating, NT had to run in C2 mode, too. The out-of-box install was *not* C2. I don't know what the situation is with Win2K, but I suspect it's similar.

If your real quandary is that someone is trying to justify the security of a Win2K network server because Win2K has a C2 rating, then that person is indeed merely displaying a little knowledge. A C2 rating has nothing to do with network security. It is about local, non-network security. A system with a C2 rating may be a secure network server. But it might not be, either, and the rating gives no guidance, alas.

If your real, real problem is that someone is telling you, "IIS must be secure because Windows 2000 has a C2 rating," then this person needs a visit from the clue fairy. Find a spare Wintel box, hand them a Win2K install CD and do a default install. Put it on the network and let bake. Orange Book ratings do not prevent applications from having bugs.



This was first published in February 2002
