Slashdot Mirror


Justifying the Common Criteria Security Evaluation

lewko writes "Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case. Microsoft bashing aside, the process in evaluating a security product is relevant to anyone considering the deployment of technology into their environment." The EROS operating system he mentions looks interesting - of course, it also looked interesting three years ago.

2 of 168 comments

  1. Re:one basic reason why windows security sucks by jonnythan · · Score: 0, Flamebait

    Windows 2000 does have basic packet filtering. It's MCSE, and I don't think MCSA was a typo. You obviously have no idea what it is. I am forced to run our webserver on Win2k at work, and there's no firewall between it and the outside (not my choice). All ports except 21 and 80 are blocked.

  2. Sour Grapes by TheCabal · · Score: 0, Flamebait

    I find it interesting that little or no attention to the Common Criteria has been paid by Slashdot or its readers until Win2k was EAL4 certified. All of a sudden there is a flurry of activity concerning whether the Common Criteria is relevant or any good, or whether Microsoft bought their certificate. How come Linux can't get EAL4 certified, hmmm? With all the effort put into bellyaching about Win2k and the CC, I'm certain that at least one flavor of Linux could have been whipped into shape.