C2 evaluation and certification for Windows NT

Article translations Article translations
Article ID: 93362 - View products that this article applies to.
This article was previously published under Q93362
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

On This Page


C2 refers to a set of security policies that define how a secure system operates. The C2 evaluation process is separate from the C2 certification process. As of August 1995, National Security Agency (NSA) granted the C2 security rating for Windows NT Server and Workstation version 3.5. As a result these operating systems are on the Evaluated Products List (EPL).

Windows NT Server and Workstation version 3.51 has been granted the security rating of E3/F-C2 though a similar evaluation process in the UK.

For security evaluation for Windows 2000 and beyond, see the following Microsoft Web site:
NOTE: This does not mean that Windows NT is C2 certified (no operating system is ever C2 certified). Certification applies to a particular installation, including hardware, software, and the environment that the system is in. It is up to an individual site to become C2 certified.


The requirements for A-, B-, C-, and D-level secure products are outlined in the Trusted Computer System Evaluation Criteria (TCSEC) published by the National Computer Security Center (NCSC). This publication is referred to as the "Orange Book," and is part of NSA's security "rainbow series." Security level requirements are open to interpretations that change over time. When undergoing evaluation, each vendor negotiates with the NSA about whether or not the details of its particular system implementation conform with the abstract security policy concepts in the NSA's books. The vendor must provide evidence that the requirements are being met.

Microsoft has opted not to include certain components of Windows NT in the evaluation process, not because they would not pass the evaluation, but to save time by reducing the load on the NSA. Additionally, the MS-DOS/Windows on Windows (WOW) system may be treated as a Win32 application and would therefore not need to be evaluated as part of the Trusted Computer Base (TCB). Networking on NT may not have to go through the "Red Book," or "Trusted Network Interpretation." It may be enough to consider networking to be another subsystem, and therefore only the Orange Book would apply. New or modified components and other hardware platforms can go through a "RAMP" process to be included in the evaluation at a later time.

C2 Overview

The security policy in C2 is known as Discretionary Access Control (DAC). In the Windows NT implementation, the basic idea is that users of the system:

  • Own objects
  • Have control over the protection of the objects they own
  • Are accountable for all their access-related actions
C2 classification does not define a substantive security system in the sense of classified or unclassified data. (B-level security assumes the existence of an independent security classification system and enforces that system, but does not specify the substance of the classification system.)

For example, in Windows NT, every object (file, Clipboard, window, and so on) has an owner; any owner can give or not give other users access to its objects. The system tracks (audits) your actions for the administrators (that is, the system administrator can track the objects you accessed, both successes and failures).

The key distinction between C-level and B-level security is in the notion of access control. In a C2 (DAC) system, owners have absolute discretion about whether or not others have access to their objects. In a B-level, or Mandatory Access Control (MAC) system, objects have a security level defined independently from the owner's discretion. For example, if you receive a copy of an object marketed "secret," you can't give permission to other users to see this object unless they have "secret" clearance. This is defined by the system independent of your discretion. MAC involves the concept of "data labeling," which is the creation and maintenance by the system of security "labels" on data objects, unalterable by users (except in certain cases under system control and auditing). An administrator can get access to anyone's objects, although it may require some programming to do so (that is, the user interface won't expose this power).

You can obtain more information on this process, including frequently asked questions, a copy of the evaluated products list, and copies of TCSEC and other documentation, visit the following Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


Article ID: 93362 - Last Review: February 28, 2014 - Revision: 5.4
  • Microsoft Windows NT Workstation 3.5
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition
kbnosurvey kbarchive KB93362

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com