Information Security Best Practices: 205 Basic Rules

Section 9: Operating System Security Rules

This section addresses best practices for setting up security within operating systems. Authentication, file protection, virus checking, file sharing, network software, and security logging are discussed.

9.1 Trusted Operating Systems

Trusted operating systems have security features built into the operating system. The National Computer Security Center's Rainbow series Orange Book, Trusted Computer Standards Evaluation Criteria describes several levels of trust including C1, C2, B1, B2, and B3. Currently, there are no commercial operating systems that have been certified beyond B1. These B1 operating systems are used primarily by the government. To secure systems with any level of confidence, operating systems that are capable of C2 or B1 security should be used in your network environment.

9.1.1 B1 Trusted Operating Systems

B1 level trusted operating systems are considerably more expensive than C2 level operating systems because they are used in very selective markets. As the commercial segment begins to deploy these operating systems in greater numbers, the price should come down. Currently, B1 operating systems should be used for government and military applications that need to transmit sensitive, but not secret, data and for commercial banking, financial services, and other commercial applications where security and confidentiality are very important.