Where will Vista fit in with the Bell-Padilla Security Model. Will the
security be comparable to that of Unix.
pestocat

Make that the Bell-LaPadula Model, sorry about misspelling.



"pestocat" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Where will Vista fit in with the Bell-Padilla Security Model. Will the
> security be comparable to that of Unix.
> pestocat
>

Hi,
well, Vista and BLP has nothing in common. Discretionary access control is
still the heart of Vista, that essentially means "no" to BLP mandatory
control stuff...

-Valery.
http://www.harper.no/valery

"pestocat" <(E-Mail Removed)> wrote in message
news:uG$(E-Mail Removed)...
> Make that the Bell-LaPadula Model, sorry about misspelling.
>
>
>
> "pestocat" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Where will Vista fit in with the Bell-Padilla Security Model. Will the
>> security be comparable to that of Unix.
>> pestocat
>>
>
>

You need to recognize that Bell-LaPadula is a model, not an
implementation. Also, one aspect of how ownership works
in Windows relative to access control is changing with the
Vista era. This last makes the central part of "discretionary"
no longer unavoidable in Windows. The Bell-LaPadula model
could be implemented within the access control semantics of
Windows, if the ability of a subject to pass along access grants
that fail to meet the mandatory controls could be prevented.
As I understand the new features coming in how ownership
can be handled, this will now be preventable.

"pestocat" <(E-Mail Removed)> wrote in message
news:uG$(E-Mail Removed)...
> Make that the Bell-LaPadula Model, sorry about misspelling.
>
>
>
> "pestocat" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Where will Vista fit in with the Bell-Padilla Security Model. Will the
>> security be comparable to that of Unix.
>> pestocat
>>
>
>

>> Where will Vista fit in with the Bell-Padilla Security Model. Will the
>> security be comparable to that of Unix.

Last I heard, Role Based Access Control (RBAC) was the order of the day on
Microsoft OSes.

UNIX variants such as Trusted Solaris, Trusted HP-UX, Trusted IRIX, SELinux
(implemented on Red Hat Enterprise Linux) implement Mandatory Access Control
(MAC). These machines are role specific (i.e. database servers, mail
servers) and usually not for general deployment. AFAIK, Microsoft has no
plans for a MAC-enabled Vista client OS. Standard UNIX variants are
Discretionary Access Control Based (DAC) I believe.

As far as Vista being comparable to UNIX it depends on how well you harden
the client. If Microsoft retires the notoriously bad NetBIOS, that will
help matters.

Edward Ray
CISSP, MCSE+Security, PE, SANS GCIA, SANS GCIH

The main deterent forcing MS OSs to discretionary access control
has been the behavior/rights of owner over objects. Given that, last
I have been briefed, one will be able to control how ownership vests
upon new object creation, the door is open to attempt a deployment
that relies upon the mandatory access control patterns.

"Edward Ray" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>>> Where will Vista fit in with the Bell-Padilla Security Model. Will the
>>> security be comparable to that of Unix.
>
> Last I heard, Role Based Access Control (RBAC) was the order of the day on
> Microsoft OSes.
>
> UNIX variants such as Trusted Solaris, Trusted HP-UX, Trusted IRIX,
> SELinux (implemented on Red Hat Enterprise Linux) implement Mandatory
> Access Control (MAC). These machines are role specific (i.e. database
> servers, mail servers) and usually not for general deployment. AFAIK,
> Microsoft has no plans for a MAC-enabled Vista client OS. Standard UNIX
> variants are Discretionary Access Control Based (DAC) I believe.
>
> As far as Vista being comparable to UNIX it depends on how well you harden
> the client. If Microsoft retires the notoriously bad NetBIOS, that will
> help matters.
>
> Edward Ray
> CISSP, MCSE+Security, PE, SANS GCIA, SANS GCIH
>