Yes and no. The "Orange Book" ratings are for systems that are not connected to a network. A computer system doesn't lose the rating when it's on a network; it simply doesn't apply. Let me give an analogy: If you buy a car that has a rating of 60 MPG on the highway, that doesn't apply if you're pulling a trailer. Not because the rating is bogus, or the car is bad, but because the circumstances are different from what the rating measured.
On the other hand, this does indeed say a lot about the Orange Book ratings and how well they've aged over the last decade. They were designed for local, timesharing systems not connected to a network. In 2002, it's almost charming to think of a computer not connected to the Net, especially one used by more than one person.
I'll also note that in the past, when NT 3.5 had a C2 rating, NT had to run in C2 mode, too. The out-of-box install was *not* C2. I don't know what the situation is with Win2K, but I suspect it's similar.
If your real quandary is that someone is trying to justify the security of a Win2K network server because Win2K has a C2 rating, then that person is indeed merely displaying a little knowledge. A C2 rating has nothing to do with network security. It is about local, non-network security. A system with a C2 rating may be a secure network server. But it might not be, either, and the rating gives no guidance, alas.
If your real, real problem is that someone is telling you, "IIS must be secure because Windows 2000 has a C2 rating," then this person needs a visit from the clue fairy. Find a spare Wintel box, hand them a Win2K install CD and do a default install. Put it on the network and let bake. Orange Book ratings do not prevent applications from having bugs.
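As an added illustration of the answer's last point (this is example code written for this page, not part of the original answer, and it models neither Windows 2000 nor IIS), here is a constructed toy host whose local access control and audit trail behave exactly as specified, alongside a toy web server that runs as a service account which is legitimately allowed to read a configuration file. The server's failure to confine request paths to its web root lets an anonymous network client read that file through the server, while every operating-system check passes and is logged correctly. The file names, principals and contents are all made up for the example.

```python
import posixpath

# Constructed toy host (not Windows 2000): each absolute path maps to the set of
# principals allowed to read it and the file's content. Entirely made-up data.
WEBROOT = "/inetpub/wwwroot"
FILES = {
    "/inetpub/wwwroot/index.html": ({"www", "admin", "guest"}, "<html>hello</html>"),
    "/etc/secrets/db.conf": ({"www", "admin"}, "password=hunter2"),
}
SERVICE_ACCOUNT = "www"  # the account the toy web server runs as


class LocalOS:
    """Discretionary access control with an audit trail (constructed).

    Every read is checked against the file's ACL and recorded. This is the kind
    of local behaviour an Orange Book evaluation looks at, and it is correct
    throughout the example: nothing below bypasses it.
    """

    def __init__(self):
        self.audit = []

    def read(self, principal, path):
        path = posixpath.normpath(path)  # resolve '..' the way a real filesystem would
        entry = FILES.get(path)
        if entry is None:
            self.audit.append((principal, path, "not-found"))
            raise FileNotFoundError(path)
        allowed, content = entry
        if principal not in allowed:
            self.audit.append((principal, path, "denied"))
            raise PermissionError(path)
        self.audit.append((principal, path, "granted"))
        return content


def vulnerable_handler(os_, url_path):
    """Toy web server: joins the URL path onto the web root without confining it.

    The OS check passes because the service account really is allowed to read
    the target file, so the leak is purely an application bug; the rated
    access-control mechanism did its job.
    """
    target = posixpath.join(WEBROOT, url_path.lstrip("/"))
    try:
        return 200, os_.read(SERVICE_ACCOUNT, target)
    except FileNotFoundError:
        return 404, ""
    except PermissionError:
        return 403, ""


def hardened_handler(os_, url_path):
    """Same server, with the request confined to the web root before the OS is asked."""
    target = posixpath.normpath(posixpath.join(WEBROOT, url_path.lstrip("/")))
    if target != WEBROOT and not target.startswith(WEBROOT + "/"):
        return 403, ""  # rejected by the application, never reaches the OS
    try:
        return 200, os_.read(SERVICE_ACCOUNT, target)
    except FileNotFoundError:
        return 404, ""
    except PermissionError:
        return 403, ""


def demo():
    """Run both servers against a traversal request and return the outcomes."""
    traversal = "/../../etc/secrets/db.conf"
    leaky, fixed = LocalOS(), LocalOS()
    return {
        "vulnerable": vulnerable_handler(leaky, traversal),
        "vulnerable_audit": leaky.audit,
        "hardened": hardened_handler(fixed, traversal),
        "hardened_audit": fixed.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit trail from the vulnerable run shows a single "granted" read by the service account: from the operating system's point of view nothing went wrong, which is exactly why a local rating cannot vouch for a network application built on top of it.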
For more information on this topic, visit these other searchSecurity resources:
Best Web Links: Securing Microsoft Applications/Product
Online Event Archive: Securing your Windows NT/2000 infrastructure
This was first published in February 2002