C2 rating aside, NT isn't secure

Even as Microsoft Corp. begins capitalizing on the National
Security Agency's recent C2 certification of Windows NT, computer security experts warn
that NT can be penetrated easily by unauthorized users with basic programming skills.

Industry sources say the vulnerabilities in Windows NT and other C2 operating systems
create a golden opportunity for computer-literate moles throughout the Defense Department.

According to DOD security criteria, a C2 rating is supposed to guarantee that an
operating system can prevent unauthorized access to specific files on a computer and
generate an uneraseable audit trail of attempts to gain access.

But at the Armed Forces Communications and Electronic Association's TechNet conference
in Washington this spring, dozens of attendees watched as Robert Wainright, a Camden,
N.J., computer security consultant, used commercial utilities to read, copy and delete
protected data on the hard drive of a PC running Microsoft Windows NT--all without leaving
a trace.

Wainright exploited the so-called "boot floppy" vulnerability of PCs with
Intel Corp. microprocessors and floppy disk drives. By interrupting a normal boot-up from
the hard drive, a user can invoke the system setup routines and boot from the floppy.
Using assembly language utilities, an intruder then can read, copy or delete files from
the hard drive, all without ever invoking the operating system and its security features.

NSA's National Computer Security Center certified Windows NT at the C2 level on July
31. Over the past three years, DOD has bought close to 100,000 copies of NT. Users include
the 1,400 people on the top-secret dedicated network that serves the Joint Chiefs of
Staff.

Now the Defense Information Systems Agency plans to install Windows NT on every system
connected to DISAnet, a 6,500-node, sensitive but unclassified network. The agency will
use Windows NT even though a recent DISA-commissioned study questioned the program's
security.

As part of its efforts to evaluate the security features of Windows NT, DISA earlier
this year hired I-NET Inc. in Bethesda, Md., to conduct an independent security review of
the operating system. I-Net used Version 3.5 of Windows NT for its review.

In a report dated June 16, parts of which were obtained by GCN from a source outside
the company and DISA, I-NET concluded that although the software did provide
"significant improvements in embedded network security," the boot floppy
vulnerability "makes Windows NT incapable of providing the required C2 security
features in the areas of identification and authentication, discretional access control or
audit protection for the "secure' operating system."

Sarah Jane League, DISA's chief information officer, told GCN that she was not aware of
the report's conclusions and that she has approved the Windows NT installations.

"We look to NSA for authority on these matters," League said in response to a
question about the vulnerability, "and they have just certified Windows NT as a C2
system."

NSA said in response to questions submitted by GCN that "it is not possible for
any operating system to be evaluated under the Trusted Computer System Evaluation Criteria
and receive a C2 rating if that operating system and host hardware platform does not
prevent unauthorized "booting from a floppy drive.' "

According to Kenneth Moss, head of the Windows NT C2 certification team at Microsoft,
the apparent contradiction is explained by the fact that the two ProLiant computers from
Compaq Computer Corp. on which Windows NT was evaluated by NCSC had floppy drives that
wer'MDUL''MDNM'e disabled.

NSA tends to relegate floppy-drive vulnerabilities to the "physical security"
arena, Moss said. This includes any measure, from removing the floppy drive each night to
installing a Fortezza encryption card, that can make it difficult for an intruder to boot
from the floppy.

Moss acknowledged that a smart user certainly could bypass NT's security features.
"We've done everything we can from a software perspective to prevent this from
happening," he said. The responsibility ultimately rests with system administrators
who must restrict user access to each system's power switch, floppy drive and the computer
case itself, he suggested.

But industry security experts said real-world users of C2-level systems rarely follow
such cumbersome guidelines. When C2 systems are used by security-cleared personnel in
restricted facilities, the users often begin to regard extra precautions as unnecessary.

Critics of the current C2 criteria say the reliance on physical security is at odds
with DOD's own C2 definitions, which don't distinguish between software and hardware.
Indeed, a May 1992 addendum to the Trusted Computer System Evaluation Criteria, or Orange
Book, explicitly states that C2-level security features "must be both tamperproof and
non-compromisable."

Security experts say the contradictions result from the application of an obsolete
security paradigm. "The Orange Book is a product of the mainframe era, when everyone
was sharing one big computer that was locked behind a glass box where only the system
administrator could get to it," one security consultant said.

The solution, some suggested, would be to expand requirements for C2 certification to
include user-friendly hardware security features that would preclude booting from the
floppy drive but still give users a reasonable level of independence.

Several of the industry sources who spoke to GCN for this article are associated with
companies that sell such products, usually plug-in circuit cards known as "hardware
reference monitors." Costing between $100 and $300 apiece, depending on features,
these products let users disable or lock the floppy drive, encrypt the hard drive and
invoke other security features that work in tandem with operating system security.

A senior executive at Fischer International Systems Corp. in Naples, Fla., said that
over the past three years the company has sold DOD customers "over 100,000
copies" of its Watchdog PC security product, which provides boot floppy protection
and other features.