
Win2k's C2 rating

Windows 2000 has been given a C2 security rating. Does it lose that rating when used in a network? Does it only have that rating when it's a stand-alone?

Yes and no. The "Orange Book" ratings are for systems that are not connected to a network. A computer system doesn't lose the rating when it's on a network; it simply doesn't apply. Let me give an analogy: If you buy a car that has a rating of 60 MPG on the highway, that doesn't apply if you're pulling a trailer. Not because the rating is bogus, or the car is bad, but because circumstances are different than the rating measured.

On the other hand, this does indeed say a lot about the Orange Book ratings and how well they've aged over the last decade. They were designed for local, timesharing systems not connected to a network. In 2002, it's almost charming to think of a computer not connected to the Net, especially one used by more than one person.

I'll also note that in the past, when NT 3.5 had a C2 rating, NT had to run in C2 mode, too. The out-of-box install was *not* C2. I don't know what the situation is with Win2K, but I suspect it's similar.

If your real quandary is that someone is trying to justify the security of a Win2K network server because Win2K has a C2 rating, then that person is indeed merely displaying a little knowledge. A C2 rating has nothing to do with network security. It is about local, non-network security. A system with a C2 rating may be a secure network server. But it might not be, either, and the rating gives no guidance, alas.

If your real, real problem is that someone is telling you, "IIS must be secure because Windows 2000 has a C2 rating," then this person needs a visit from the clue fairy. Find a spare Wintel box, hand them a Win2K install CD and do a default install. Put it on the network and let bake. Orange Book ratings do not prevent applications from having bugs.

This was last published in February 2002
