Slashdot Mirror
Windows 2000 Gets Common Criteria Certification
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification.. Read more of the propaganda here. Basically, according to the article Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Read their earlier report as well. CC accredation is a running certification, for a specific configuration.
"Flyin' in just a sweet place,
Never been known to fail..."
This kind of certification is a great thing for people running Win2K.
But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now?
A lot of enterprises do a lot of time-consuming testing before they rollout something like Win2K, which is probably the first reasonable OS from MS.
It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers aren buying upgraded products fast enough.
"Provided by the management for your protection."
Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated
Which doesn't nearly going into counting all the fun software that finds inconstencies, holes, and breaches in windows, not to mention finding their own. Often, it's the new software or hardware that breaks an OS.
How about a fix to "DLL hell", where windows can obtain online a list of known DLL versions, and can be updated by software manufacturers as to which are compatible. From previously working in a software certification branch, I know that DLL and modular conflicts often cause a lot of the instability between apps or when installing new applicatons.
Ok did the 3 Service Packs statement rub anyone else the wrong way? Or was it just me?
First we critize MS when their securtity fails, now that their security is improving we still critize their efforts. Grow up.
Besides, a more secure Win2K should mean a better Net for everyone. If these boxes can stay locked down and free of trojans, in theory we shoul see a decrease in attack/hack attemps.
Just for the record, there is NO "off the record" record.
Make a record of that.
Too bad it takes 3 service packs...
Yea, because we all know that open source software never needs to be patched. Yep, it's all 100% secure from the start. All open source software is versioned in whole number increments with no point releases for bugs. It's positively magical!
Gag me with an overstuffed penguin doll...
Plus his statement that it has only taken 3 SPs? Who the hell cares how many it has taken? As long as it is getting closer to being secure. People run Windows. People who use Windows are less likely to know-how, or care-to-know-how to install patches for their OS.
Be thankful that MS does SOMETHING to repair SOME holes.
Stop w/the little jabs at the end of every fucking Microsoft related article, I really can't stand it.
Propaganda?
I say bollocks.
Win2k with SP3 got an ISO certification for achieving a certain level of security. This is were the news ends. This is also where the person who presented the article behaves as a Linux/OSS groupie, serving FUD.
The MS OS got a certification, which to some means a lot, to others, nothing. But to actually go as far as calling the whole shebang as propaganda is outrageous
Correct me on this, but I don't remember Linux getting an ISO certification about anything.
The way the whole affair was presented, reeks of OSS selfrighteous geekiness, smallmindedness and fantacism.
You're A Debian user, right?
/. Where the truth
" Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated"
Their test system had two 120Gig HDs full of fansubbed anime and was running at 100 cpu doing divx encodes ?
Well, they said "exactly the same system".
Wait, did they mean my exact system ? How do I sue them for wasting my cpu cycles running benchmarks ?
This post was nearly funny. Blame the cough syrup.
graspee
There is Redhat Network. It scans your computer and downloads RPM's as needed.
As you note, if Linux releases a new patch, bug fix, etc, it is a triumph of the platform! See how they fix the problem? See how they respond?
It is, at best, frustrating. It is also, IMHO, a bit hypocritial. There are tons of rationalizations (timing, the fact that it is closed, the fact there was the bug in the first place), but, at the end of the day, patching is part of any software product.
Ultimately, I think that the "MS patch bad" propoganda lowers the overall credibility if it comes from the same source as "we produce fast patches, and you can even write the patches yourself!" Decide: either patches are bad, or they are good!
(The relative merits of closed vs. open source cna be debated at length--I personnally don't feel that one method is inherently better than the other.)
In the last year or so, it's become fashionable to use the word "propaganda" to describe anything one reads or hears that makes one uncomfortable. The word was already so subjective as to lack value, but it's now hit complete worthlessness.
If there's something untrue or illogical with the Microsoft page, say so. Throwing in an unsupported "propaganda" is just chickenshit. Unless you figured there was a certain amount of negative spin that had to be added to a Microsft succcess story to get it posted, which is a forgivable gaming of the system.
What I'm listening to now on Pandora...
Comment removed based on user account deletion
Please... almost all distributions have a sane way of doing security upgrades.. at least the common ones. I'm not talking about Linux From Scratch here.
I still hate that snide comment about the three service packs though. It's just childish and moronic.
Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the impementation was tested at all. (I wonder which part?)
All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
So these certs are of no use except to PR flaks. And trolls.
Too bad it takes 3 Service Packs..."
/. wants to maintain any level of credibility as a technology site (not a blind MS-bashing site) then it shouldn't post comments like this.
Name any OS that hasn't gone through hundreds of patches before it's reached certain levels of security, stability, or predictability. Quite frankly, if
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs...
Too bad Linux isn't cerfitied at all.
The theory of relativity doesn't work right in Arkansas.
To get a common criteria certification, in addition to the thousands of dollars (>$40,000) you have to spend, you have to specify what your system does and then prove that it does it.
So, as I have not seen the specifics of Microsoft's CC case (which I doubt we'll see the full report), a certain company could say "Product X is a workstation operating system that does not allow UserA to see UserB's documents" and then Product X would be certified as having accomplished that.
There are different guidelines for different products, including firewalls and network management equipment and software.
You get a CC cert when your product DOES WHAT YOU CLAIMED IT WOULD DO IN THE APPLICATION.
There is NO third-party security guidelines for the products, as in the SANS guidelines or anything else.
You write up the application, make your security-related feature claims, and pay your fee. The product is given to a lab for testing.
The point of the CC is to get gov't and contractors to look at products based on what jobs and specific requirements those products can fill in their IT solutions. It's not really a security cert in the way "Windows is secure" would make you think. It's "Here's the list of security-related requirements you can fill with this product".
--mandi
Now back to your carrying on. Yes, I worked on a product that was to be CC'd.
My god, I've just had it. I submitted this news, but with an unbiased, informative write-up. That took a whole 4 minutes to get rejected.
0 2/10-29CommonCriteriaPR.asp 0 2/1029CommonCriteriaFAQ.asp
.Net server should be relatively quick to certify. They are from the same code base as Windows 2000 with mostly cosmetic changes and relatively minor system tweaks.
n /news/bulletins/cccert.asp for more info.
For the record, here's Microsoft's remarkably FUD-free press release: http://www.microsoft.com/presspass/press/2002/Oct
The FAQ tells all about the CC and what it really means: http://www.microsoft.com/presspass/press/2002/Oct
This is huge:
1) The CC certification is a globally accepted ISO standard (ISO-IEC 15408) established for evaluating the security features and capabilities of information technology products. 14 countries accept it as the method for evaluating the security claims of IT products and systems.
2) Just "running service pack 3" does not mean you are running a system that is at the same level of security as those evaluated. Microsoft has several documents (enumerated below) that describe how to set up, use, and administer a CC evaluation ready system.
3) Yes, Windows 2000 is on Service Pack 3 with a few post-service pack hot fixes. My Red Hat installation has at least as many fixes applied to it, and it's not even DoD "Orange Book" certified, let alone evaluated to any international standard of security.
4) There are three very helpful checklists Microsoft released with this announcement:
I) Common Criteria Evaluated Configuration User's Guide describes how to use a secured system in a secure way. All organizations should be sharing this information with their users. Anyone running Windows 2000 or later should read and follow this.
II) Common Criteria Evaluated Configuration Administrator's Guide tells administrators how to run their system once it's been securely configured. If all Windows 2000 admins read this and the next document there'd be fewer security incidents out there.
III) Common Criteria Security Configuration Guide tells you what steps need to be taken to properly configure a CC evaluation worthy system. It is very simple, especially with the templates Microsoft provides, but it is more complex than "apply service pack 3 then drink a beer".
These checklists will hopefully alleviate the problem of clueless admins incorrectly configuring and administering Windows 2000 systems.
5) Windows XP and Windows
The baseling is this: no other company has certified such a detailed procedure for assuring the ongoing security of their operating system products. Not linux, not BSD, no one. Windows 2000 is the first.
This isn't just a locked box in a closet with no net connection certification. Several Dell and Compaq systems were evaluated in real world situations. From an interview with Microsoft's Security and Server executives: "...directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria."
For the record: I run Redhat-based LAMP servers and OpenBSD-based border-gateways. I wish they'd get their acts together and get evaluated; it'd be nice to have an honest-to-god standards-based evaluation of their security.
I guess I'm done.
See http://microsoft.com/windows2000/server/evaluatio
obviously no deficiencies vs. no obvious deficiencies
- Audit
- Cryptographic Support
- Communications
- User Data Protection
- Identification and Authentication
- Security Management
- Privacy
- Protection of the TOE Security Functions
- Resource Utilisation
- TOE Access
- Trusted Path/Channels
Is all that's required for the certification. Does the OS have the right features with a configuration policy that sets those features properly.It's sad that it's miles away from the default install, and most sysadmins won't take the effort to implement them.
Also, buffer overflows aren't part of the certification. Although, I would make a strong claim that a buffer overflow in a process running as System violates Protection of the TOE Security Functions
This is a boring sig
Too bad Linux isn't cerfitied at all.
/. editors. If I had wanted mud slinging news I would have checked out the local political race, or any one of the national tabloids. It would also be different if /. put a satirical flavor on every headline then the "Too bad it takes 3 Service Packs..." sort of comment would have been humourous. Instead I find it tiring and all to common.
/.'s readers' roll is to review, evaluate, and comment on the story thereby giving other readers some insite, food for thought, background information, and/or research needed for them to make informed decisions. If the /. editors feel it necessary to throw in such comments then they should keep them off the headlines and post their feelings like the rest of us do.... in the comments.
Thank you for saying this. No, this is not flamebait nor it is an attempt to bash Linux/MS/OS_whatever. I was quite disgusted by the fact that the editor felt it necessary to throw in that cheap quibble on the front page of the story.
No I am not a MS/Linux/OSX/CowboyNeilOS crusader. It would not have mattered which OS the story was referring to. The comment was cheap and unnecessary, and in my mind it degraded the apparent level of professionalism of the
MS Should be given some credit for the efforts of achieving the level of standards necessary to aquire any type of internationally recognized certification. This goes for any other development team/group achieving similar goals.
/.'s roll should be to report the news in a non-bias way while the
damnedIfIknowHowToUseAn'Or,Merlin.