Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 2000 Gets Common Criteria Certification

Posted by timothy on from the endorsement dept.

Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification.. Read more of the propaganda here. Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."

6 of 462 comments (clear)

  1. Reg: Proof that Win2K is STILL insecure, by design by Jeremiah+Cornelius · · Score: 5, Informative
    From the Reg: http://www.theregister.co.uk/content/55/27874.html

    Read their earlier report as well. CC accredation is a running certification, for a specific configuration.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  2. Re:UnitedLinux should implement this! by alen · · Score: 5, Informative

    There is Redhat Network. It scans your computer and downloads RPM's as needed.

  3. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  4. Common Criteria - Getting It by Mandi+Walls · · Score: 5, Informative
    Okay. So. Common Criteria.

    To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.

    So, as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.

    There are different guidelines for different products, including firewalls and network management equipment and software.

    You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.

    There is NO third-party security guidelines for the products, as in the SANS guidelines or anything else.

    You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.

    The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".

    --mandi
    Now back to your carrying on. Yes, I worked on a product that was to be CC'd.

  5. Here's the real news: by foo+fighter · · Score: 5, Informative

    My god, I've just had it. I submitted this news, but with an unbiased, informative write-up. That took a whole 4 minutes to get rejected.

    For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct0 2/10-29CommonCriteriaPR.asp
    The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct0 2/1029CommonCriteriaFAQ.asp

    This is huge:
    1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.

    2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.

    3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.

    4) There are three very helpful checklists Microsoft released with this announcement:
    I) Common Criteria Evaluated Configuration User's Guide describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
    II) Common Criteria Evaluated Configuration Administrator's Guide tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
    III) Common Criteria Security Configuration Guide tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
    These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.

    5) Windows XP and Windows .Net server should be relatively quick to certify. They are from the same code base as Windows 2000 with mostly cosmetic changes and relatively minor system tweaks.

    The baseling is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not linux, not BSD, no one. Windows 2000 is the first.

    This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."

    For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.

    I guess I'm done.

    See http://microsoft.com/windows2000/server/evaluation /news/bulletins/cccert.asp for more info.

    --
    obviously no deficiencies vs. no obvious deficiencies
  6. Re:If you want to update by Melantha_Bacchae · · Score: 4, Informative

    ComSon0 wrote:

    > Basically gives MS the right to access data in you
    > computer.

    Close. It gives MS the right to access data and install anything it wants to (like a certain distributed network OS called Millenium).

    If your business is in the health care, banking, or financial fields, you may not be able to install this service pack (or sp1 for XP) due to the EULA being in conflict with the guidelines and laws your business must operate under. If you are not in those fields, you would still be advised to run the EULA past legal to make sure it won't cause problems.

    BTW, 2000 sp 3 and XP (sp1?) will be the minimum requirements for Office 11 due out in 2003. Previous versions either will not be supported, or plain won't run it.

    "All our tomorrows, Great Sun, by the Light, are very forgotten.
    The Light dies. We pray and it sleeps."
    "Oh Peace Oh Light Return" (national song of mourning)
    From "Gojira", November 3, 1954