Information Security Best Practices: 205 Basic Rules

9.2: Authentication

9.2 Authentication

INFOSEC Best Practice #68

All server operating systems must have a minimum of a C2 level of trust.

C2 is a government designation for computer security that requires computers to have the ability to control access to the computer via usernames and passwords, and protect files by assigning ownership and access rights. Desktop operating systems are recommended to have at least C2 compliance to protect individual systems from unauthorized access. Without these features the data on a computer system is vulnerable to anyone having access to the physical system. Some versions of operating systems have most of the C2 features yet are not C2 compliant. This may be acceptable upon review of the missing features. Most systems such as UNIX and NT can be configured to meet C2 compliance. C2, however, is somewhat dated and has many limitations. Securing most server based operating systems will require going beyond C2 compliance with configuration and protection as specified in the Best Practices outlined in this manual. The government also has more stringent security designations such as B1, B2, and B3. Mission-critical server operating systems may need to have B2 compliance. These security levels address the carrying of classification tags on all data. Data objects are tagged with a classification level such as secret, classified, confidential and unclassified. Access to these data objects is available only to other objects that carry the correct classification level. This type of classification scheme may also be applied to corporate data with differing levels of...