Slashdot Mirror
Windows 2000 Gets Common Criteria Certification
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification.. Read more of the propaganda here. Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Read their earlier report as well. CC accredation is a running certification, for a specific configuration.
"Flyin' in just a sweet place,
Never been known to fail..."
Another article, more in-depth as to the prereqs for certification:
apt-get update
apt-get upgrade
There is Redhat Network. It scans your computer and downloads RPM's as needed.
cron
Why not fork?
oh and if you want win2k to be secure dont allow it to connect to anything outside of your control.
m l
http://www.theregister.co.uk/content/4/27877.ht
Comment removed based on user account deletion
every modern distribution comes with an application that tells you which packages need to be updated and why they need to be updated.
select, download, install - there are really equivalent tools.
in Mandrake it's called "Mandrake Update" - even the naming convention is similar..
The set of features is (I think) the protection profile (PP). Not sure exactly what the PP is here - the press releases were rather vague, but it may be the commercial adaptation of the old military C2 (discretionary access control).
Before passing judgement, we need to know what the evaluated configuration looked like - what other software was included, what networking features were enabled, etc.
I suspect the reason Linux (or OpenBSD or FreeBSD...) have not applied for this is that it costs money. I'm sure MS paid SAIC a nice bundle for this work. A BIG difference between the Common Criteria and the old Orange Book evals. Under the Orange Book (the old C2), the gov't paid, the trade-off being that they took their sweet time doing the eval. Now we have private labs doing the work - more quickly, but there is always the issue of whether the payment biases the results.
FYI, here is what the Common Criteria says about EAL4:
EAL4 - methodically designed, tested and reviewed EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
"dope will get you through times of no money better than money will get you through times of no dope"
To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.
So, as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.
There are different guidelines for different products, including firewalls and network management equipment and software.
You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.
There is NO third-party security guidelines for the products, as in the SANS guidelines or anything else.
You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.
The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".
--mandi
Now back to your carrying on. Yes, I worked on a product that was to be CC'd.
As already posted by others it seems that you haven't been actively using a recent version of Windows. DLL Hell is a thing of the past for two reasons:
.NET has not only completely eliminated DLL Hell, it has one upped the issue by not locking the DLL while in use, so that the DLL's can be dynamically updated w/o reboot.
1) The NT5.x kernal has built in dll version management. From the end-user perspective DLL Hell is a thing of the past. There are still, however, some (very) small headaches for developers.
2)
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
In the UK a contract agreed when under the influence of alcohol or other drugs is not valid.
My god, I've just had it. I submitted this news, but with an unbiased, informative write-up. That took a whole 4 minutes to get rejected.
0 2/10-29CommonCriteriaPR.asp 0 2/1029CommonCriteriaFAQ.asp
.Net server should be relatively quick to certify. They are from the same code base as Windows 2000 with mostly cosmetic changes and relatively minor system tweaks.
n /news/bulletins/cccert.asp for more info.
For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct
The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct
This is huge:
1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.
2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.
3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.
4) There are three very helpful checklists Microsoft released with this announcement:
I) Common Criteria Evaluated Configuration User's Guide describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
II) Common Criteria Evaluated Configuration Administrator's Guide tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
III) Common Criteria Security Configuration Guide tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.
5) Windows XP and Windows
The baseling is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not linux, not BSD, no one. Windows 2000 is the first.
This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."
For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.
I guess I'm done.
See http://microsoft.com/windows2000/server/evaluatio
obviously no deficiencies vs. no obvious deficiencies
They got a level 4. The agency that did it can't give them a higher rating because they're not gov't. But, there's no way to know if they won't get a higher one after more reviews.
Actually, Microsoft was evaluated against the CAPP. Unless they added stuff in the target, this would exclude Cryptographic Support (FCS), Privacy (FPR), Resource Utilization (FRU), TOE Access (FTE), and Trusted Path (FTP).
You need to read the Win2K target to see what the functional requirements were.
Daniel
One thing that you must consider is that it takes a lot of money to get certified. When I say a lot I'm talking 20 to 30 million a lot. For linux, as an open source OS, who would pay this. I assume that anyone that does would expect some type of benefit, read ownership. Additionally, don't read too much into a CC certification. Remember that windown NT was also certified, as long as it was not plugged into a network.
ComSon0 wrote:
> Basically gives MS the right to access data in you
> computer.
Close. It gives MS the right to access data and install anything it wants to (like a certain distributed network OS called Millenium).
If your business is in the health care, banking, or financial fields, you may not be able to install this service pack (or sp1 for XP) due to the EULA being in conflict with the guidelines and laws your business must operate under. If you are not in those fields, you would still be advised to run the EULA past legal to make sure it won't cause problems.
BTW, 2000 sp 3 and XP (sp1?) will be the minimum requirements for Office 11 due out in 2003. Previous versions either will not be supported, or plain won't run it.
"All our tomorrows, Great Sun, by the Light, are very forgotten.
The Light dies. We pray and it sleeps."
"Oh Peace Oh Light Return" (national song of mourning)
From "Gojira", November 3, 1954