Details of Janus Group Security System

The Janus Group has taken extensive measures to ensure maximum security and data integrity of the sensitive or confidential information that resides on our server. Our server is on a Windows 2003 platform and uses Microsoft's web server software. Through the close integration of Internet Information Server and Windows 2003, Janus Group is able to provide the highest level of security for our clients.

Microsoft Windows 2003 Server offers the most robust security model of any server operating system on the market today. It is the only server operating system that provides U.S. Government C2-level security at the desktop and server level. "C2-level" security is a designation in a computer security system developed by the U.S. Department of Defense, the final specifications of which have been in effect for over 10 years.


Standard Security Criteria

Trusted Computer Standards Evaluation Criteria (TCSEC), or the "Orange Book", lays out the requirements for security at various levels according to parameters such as the ability of a system to be audited, to control access, and to authenticate users. The Orange Book applies to stand-alone machines and operating systems. More than 20 subsequent books in this Rainbow Series have interpreted the criteria for other system components. The Red Book interprets the criteria for network components, the Lavender Book for databases.
Security categories are D (minimal protection), C (discretionary protection, the highest level of security that a non-governmental institution can reach), B (mandatory protection), and A (verified protection). C2, or controlled access protection, is the lowest that offers viable security. For C2 certification, a system must:

  • Have good documentation at both the user and administration level and have documentation on security testing
  • Authenticate all users as unique individuals
  • Not allow objects to be reused or recovered once deleted
  • Let systems administrators audit all security events and the actions of individual users
  • Protect all objects and processes from all others

The National Computer Security Center (NCSC) developed the criteria for military computer systems, and systems used for many federal government projects must also have C2 certification. But today, the broader computer industry is using the Orange Book criteria.


Windows 2003 Server is a C2-level Secure Operating System.

On the Windows 2003 server, Janus Group's clients are protected by:

  • File level access control. This allows the owner of a resource (such as a file) to control access to the resource.
  • Extensive auditing, allowing Janus Group's system administrators to audit security-related events and the actions of individual users.
  • Protection against object reuse so that data stored in memory for one process is not accessible to other processes. This protection also extends to the disk, monitor, keyboard, mouse, and any other device.
  • User identification and authentication requiring each user to uniquely identify him/herself. The system uses this unique identification to track and audit the activities of the user.
  • The ability to identify and authenticate legitimate users (for example, subscribers) in order to provide them with access to information, content, and services, while denying service to impersonators.
  • Security system with a fine-grained access control that will allow legitimate users access to resources, while protecting sensitive resources from hackers and unauthorized users.
  • Private and tamperproof communications channels over the Internet, set up using SSL (Secure Sockets Layer), for commerce and sensitive business-to-business transactions.

Windows 2003-based Internet Server Security

Building on a solid foundation, Janus Group's web server is the fully integrated Microsoft Internet Information Server (IIS). IIS operates as a service of Windows 2003 Server and inherits the strong security provided by the Windows 2003 platform. It has the depth and breadth of security features required by the most demanding Internet site.
IIS security is fully integrated with Windows 2003 security. This gives it a number of advantages including the ability to:

  • Take full advantage of the strong, secure underpinnings of the US Government C2 and ITSEC FC2-rated Windows 2003 security.
  • Eliminate possibilities for security weaknesses and holes by not adding redundant security layers. This sets the Windows 2003 Internet server apart from other operating systems and Web servers that have multiple security layers and thereby increase their complexity and possibility for security holes.
  • Achieve better performance by eliminating the unnecessary overhead of additional security and access control layers.

Janus Group utilizes Microsoft's feature of access control by permissions on Internet Information Server services to provide even more security for your information.

Windows 2003 provides a secure file system (NTFS) that allows administrators to restrict access and set fine-grained permissions (read, write, or execute) on individual files and directories. This gives the administrator a great deal of flexibility and control over who can access which resources. Internet Information Server allows our administrator to set read-only or execute-only permissions on the virtual directories. For every request, IIS examines the URL and type of request and ensures that the permissions set on the virtual directory or virtual root are honored. This ensures that users cannot read files with execute-only permission or execute files with read-only permission.
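As an added illustration of checking the NTFS side of this model (example code, not part of the Janus Group page or its server configuration), the following PowerShell audit walks a web content root and reports allow-rules that grant write access to broad principals, flagging directories where the same principal also holds ExecuteFile. The content root path and the list of principals are assumptions for the example; the IIS virtual directory permissions are not inspected here.

```powershell
# Added example, not Janus Group's code: audits NTFS permissions under a web
# content root for allow-rules that grant write access to broad principals.
# The root path and the principal list below are assumptions for the example.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot'   # assumed content root
)

# Principals that should not normally hold write access on published content
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

# Rights masks from System.Security.AccessControl.FileSystemRights
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
$ExecMask  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

$findings = @()
# Recurse through directories only (PSIsContainer keeps this working on PowerShell 2.0)
Get-ChildItem -Path $WebRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $dir = $_.FullName
        $acl = Get-Acl -Path $dir
        foreach ($rule in $acl.Access) {
            # Only ALLOW rules (explicit or inherited) for the broad principals matter here
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }

            $canWrite = (($rule.FileSystemRights -band $WriteMask) -ne 0)
            if (-not $canWrite) { continue }
            # Modify and FullControl include ExecuteFile, so those rules are flagged too
            $canExec = (($rule.FileSystemRights -band $ExecMask) -ne 0)

            $findings += New-Object PSObject -Property @{
                Directory    = $dir
                Principal    = $rule.IdentityReference.Value
                Rights       = $rule.FileSystemRights
                Inherited    = $rule.IsInherited
                WriteAndExec = $canExec   # writable AND executable by the same broad principal
            }
        }
    }

# Directories where a broad principal can both write and execute are listed first
$findings | Sort-Object -Property WriteAndExec -Descending |
    Format-Table Directory, Principal, Rights, Inherited, WriteAndExec -AutoSize
```

Run it from an elevated prompt on the web server; an empty table means no broad principal holds write access anywhere under the root.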


Internet Server Fault Tolerance, Backup, and UPS

Janus Group's fault tolerant system duplicates all data to a separate hard disk on our server as the data is being written to the main hard disk. This protects all data on the server from a hard disk failure. If one hard drive fails, Janus Group will be back on-line within minutes with no data loss. Janus Group also uses frequent backups to protect the integrity of the data stored on our system. In the unlikely event of a complete power outage, Janus Group's server is protected by an uninterruptible power supply (UPS) that protects our server from power surges and power outages.


Confidential and Tamperproof Communication

Secure Sockets Layer (SSL) 3 is an industry-standard protocol that allows clients and servers to set up a secure communications channel. This secure communications channel encrypts and fingerprints the data, ensuring message privacy and integrity. Further, it also allows servers and clients to mutually authenticate each other. Internet Information Server supports industry standard SSL 3 with client authentication and is fully interoperable with products from other vendors. IIS uses very strong and secure 128-bit encryption for the North American version and 40-bit encryption for the international version (to comply with the U.S. Government restriction on crypto export).


Secure Electronic Commerce

Janus Group is able to provide secure private communication sessions for our clients and site visitors by using VeriSign's Server Digital IDs. Digital certificates such as VeriSign's are considered the standard for server authentication. Over 16,000 commercial sites are using VeriSign Server Digital IDs to create secure communication channels with customers.

Janus Group uses digital certificates to give its customers the assurance that the personal information they submit in an insurance claim, credit card transaction, or Human Resource form cannot be read by anyone else.
This is possible because the exchange of information between the client and the server is performed using SSL. Secure Sockets Layer negotiates and employs the essential functions of mutual authentication and data integrity for secure transactions. When a connection is established between a client and a secure server, the client software automatically verifies the server by checking the validity of the server's Digital ID. The key pair associated with the server's Digital ID is then used to encrypt and verify a session key that is passed between the client and server. This session key is then used to encrypt the session. A different session key is used for each client-server connection, and the session key automatically expires in 24 hours. Even if a session key is intercepted and decrypted (highly unlikely), it cannot be used to eavesdrop on subsequent sessions.
