Security

Windows 2000 Gets Common Criteria Certification

Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification. Read more of the propaganda here. Basically, according to the article, any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."

  • by Jeremiah Cornelius ( 137 ) on Thursday October 31, 2002 @02:01PM (#4572346) Homepage Journal
    From the Reg: http://www.theregister.co.uk/content/55/27874.html [theregister.co.uk]

    Read their earlier report as well. CC accreditation is a running certification, for a specific configuration.

  • by __aaefwa8304 ( 223597 ) on Thursday October 31, 2002 @02:08PM (#4572383)
    Another article [theregister.co.uk], more in-depth as to the prereqs for certification:

  • Re:3 Service packs (Score:1, Informative)
    by Anonymous Coward on Thursday October 31, 2002 @02:10PM (#4572400)
    apt-get update
    apt-get upgrade
  • by alen ( 225700 ) on Thursday October 31, 2002 @02:16PM (#4572437)
    There is Redhat Network. It scans your computer and downloads RPM's as needed.
  • by mdeslaur ( 530851 ) on Thursday October 31, 2002 @02:17PM (#4572440)
    Solaris 8 got Common Criteria Certified two years ago...how come it took so long for Windows? :)
  • by Quikah ( 14419 ) on Thursday October 31, 2002 @02:22PM (#4572489)
    In case you were wondering what this is all about. http://www.commoncriteria.org/ [commoncriteria.org]
  • by Anonymous Coward on Thursday October 31, 2002 @02:25PM (#4572521)
    Oh, and if you want win2k to be secure, don't allow it to connect to anything outside of your control.

    http://www.theregister.co.uk/content/4/27877.html
  • no problem (Score:2, Informative)
    by mario ( 94577 ) on Thursday October 31, 2002 @02:41PM (#4572658) Homepage
    Every modern distribution comes with an application that tells you which packages need to be updated and why they need to be updated.
    Select, download, install - there are really equivalent tools.
    In Mandrake it's called "Mandrake Update" - even the naming convention is similar.
  • by dogfart ( 601976 ) on Thursday October 31, 2002 @02:42PM (#4572664) Homepage Journal
    EAL4 is the level of assurance - how well the product implements the set of security features. Looks like this is a pretty decent level.

    The set of features is (I think) the protection profile (PP). Not sure exactly what the PP is here - the press releases were rather vague, but it may be the commercial adaptation of the old military C2 (discretionary access control).

    Before passing judgement, we need to know what the evaluated configuration looked like - what other software was included, what networking features were enabled, etc.

    I suspect the reason Linux (or OpenBSD or FreeBSD...) have not applied for this is that it costs money. I'm sure MS paid SAIC a nice bundle for this work. A BIG difference between the Common Criteria and the old Orange Book evals. Under the Orange Book (the old C2), the gov't paid, the trade-off being that they took their sweet time doing the eval. Now we have private labs doing the work - more quickly, but there is always the issue of whether the payment biases the results.

    FYI, here is what the Common Criteria [commoncriteria.org] says about EAL4:

    EAL4 - methodically designed, tested and reviewed

    EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.

  • by Mandi Walls ( 6721 ) on Thursday October 31, 2002 @02:47PM (#4572706) Homepage Journal
    Okay. So. Common Criteria.

    To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.

    So, as I have not seen the specifics of Microsoft's CC case (and I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.

    There are different guidelines for different products, including firewalls and network management equipment and software.

    You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.

    There are NO third-party security guidelines for the products, as in the SANS guidelines or anything else.

    You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.

    The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".

    --mandi
    Now back to your carrying on. Yes, I worked on a product that was to be CC'd.

  • by tshak ( 173364 ) on Thursday October 31, 2002 @02:48PM (#4572714) Homepage
    As already posted by others it seems that you haven't been actively using a recent version of Windows. DLL Hell is a thing of the past for two reasons:

    1) The NT5.x kernel has built-in DLL version management. From the end-user perspective DLL Hell is a thing of the past. There are still, however, some (very) small headaches for developers.

    2) .NET has not only completely eliminated DLL Hell, it has one-upped the issue by not locking the DLL while in use, so that the DLLs can be dynamically updated w/o reboot.
  • by Anonymous Coward on Thursday October 31, 2002 @02:50PM (#4572728)
    In the UK a contract agreed when under the influence of alcohol or other drugs is not valid.
  • by foo fighter ( 151863 ) on Thursday October 31, 2002 @02:55PM (#4572772) Homepage
    My god, I've just had it. I submitted this news, but with an unbiased, informative write-up. That took a whole 4 minutes to get rejected.

    For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct02/10-29CommonCriteriaPR.asp [microsoft.com]
    The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct02/1029CommonCriteriaFAQ.asp [microsoft.com]

    This is huge:
    1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.

    2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.

    3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.

    4) There are three very helpful checklists Microsoft released with this announcement:
    I) Common Criteria Evaluated Configuration User's Guide [microsoft.com] describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
    II) Common Criteria Evaluated Configuration Administrator's Guide [microsoft.com] tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
    III) Common Criteria Security Configuration Guide [microsoft.com] tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
    These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.

    5) Windows XP and Windows .Net server should be relatively quick to certify. They are from the same code base as Windows 2000 with mostly cosmetic changes and relatively minor system tweaks.

    The baseline is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not Linux, not BSD, no one. Windows 2000 is the first.

    This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."

    For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.

    I guess I'm done.

    See http://microsoft.com/windows2000/server/evaluation/news/bulletins/cccert.asp [microsoft.com] for more info.
  • Re:common criteria (Score:3, Informative)
    by NineNine ( 235196 ) on Thursday October 31, 2002 @03:01PM (#4572835)
    They got a level 4 [com.com]. The agency that did it can't give them a higher rating because they're not gov't. But, there's no way to know if they won't get a higher one after more reviews.
  • by Anonymous Coward on Thursday October 31, 2002 @03:18PM (#4572991)
    > ... as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report)...

    There usually is a report issued for public consumption. The CC reports are much briefer than the old Orange Book ones. While briefer, it will still summarize results by feature, and describe how the system is configured. The Orange Book reports were masterpieces of technical overkill. The Win NT one was huge, and told you more than you would ever want to know about the internals of how it operates. I've found these Orange Book reports to sometimes be the best technical documentation on some systems.

  • by hwyguy2 ( 174368 ) <cahwyguy AT cahighways DOT org> on Thursday October 31, 2002 @03:43PM (#4573226)
    Actually, Microsoft was evaluated against the CAPP. Unless they added stuff in the target, this would exclude Cryptographic Support (FCS), Privacy (FPR), Resource Utilization (FRU), TOE Access (FTE), and Trusted Path (FTP).

    You need to read the Win2K target to see what the functional requirements were.

    Daniel
  • by Anonymous Coward on Thursday October 31, 2002 @04:07PM (#4573487)
    One thing that you must consider is that it takes a lot of money to get certified. When I say a lot, I'm talking 20 to 30 million a lot. For Linux, as an open source OS, who would pay this? I assume that anyone that does would expect some type of benefit, read ownership. Additionally, don't read too much into a CC certification. Remember that Windows NT was also certified, as long as it was not plugged into a network.
  • by Melantha_Bacchae ( 232402 ) on Thursday October 31, 2002 @04:34PM (#4573740)
    ComSon0 wrote:

    > Basically gives MS the right to access data in you
    > computer.

    Close. It gives MS the right to access data and install anything it wants to (like a certain distributed network OS called Millenium).

    If your business is in the health care, banking, or financial fields, you may not be able to install this service pack (or SP1 for XP) due to the EULA being in conflict with the guidelines and laws your business must operate under. If you are not in those fields, you would still be advised to run the EULA past legal to make sure it won't cause problems.

    BTW, 2000 sp 3 and XP (sp1?) will be the minimum requirements for Office 11 due out in 2003. Previous versions either will not be supported, or plain won't run it.

    "All our tomorrows, Great Sun, by the Light, are very forgotten.
    The Light dies. We pray and it sleeps."
    "Oh Peace Oh Light Return" (national song of mourning)
    From "Gojira", November 3, 1954
