TCSEC C-Level Security Considered "Excellent"
[Nov. 13, 1995] As part of a comparison of three major PC operating systems, INFOWORLD
provides an interesting mapping from their notion of security to the the Trusted
Computer System Evaluation Criteria (TCSEC) levels. The product comparison of Windows
95, Windows NT 3.1, and OS/2 Warp Connect, Version 3 included an assessment of security provided by each in terms of the access available to it when operated as an individual
workstation (not as the server end of a peer-to-peer connetion). A table accompanying
the ratings included the following correspondence between word scores and security ratings:
Security Rating / Word score
None / Unacceptable
Minimal / Poor
Low / Satisfactory
Moderate / Good
High / Very Good
TCSEC class C / Excellent
TCSEC class B / Excellent
TCSEC class A / Excellent
described its testing procedure as follows:
We assessed and configured each operating system's security based on its default
installation options. We created users and implemented a security policy on those
OSes that offered some form of security. The policy was as restrictive as possible
wihout hindering the capabilities of applications. We simulated users logging in to the
system either as a peer-to-peer workstation or as a client ot NetWare 4.10.
Features considered in the ratings, as listed, were passwords, unique IDs, access
control by owner, access control by owner/group/world to directories, and access
control by owner/group/world to files. A product providing all these features would
apparently be labeled "High" for security unless it also was found to contain security holes.
Users fell into three classes: super-users (or administrators), targets, and hackers.
The hackers attempted to change or delete the target user's workstation. At a minimum,
we expected the OSes to provide rudimentary security features. We lowered a product's score if we could in any way modify the environment of the target users or
were able to gain either information or indirect access to information about the
The results, in brief:
OS2/Warp Connect, Version 3
Poor -- aside from a simple desktop password, there is no security mechanism within
Poor: Windows 95 security should only be used as a deterrent to accidental damage.
The operating system can't stop a determined hacker.
Windows NT Workstation 3.51
Excellent. Windows NT offers government C2-level security with unique user IDs, token
control, and advanced auditing capabilities.