Slashdot Mirror


Windows Gets Independent Security Certification

linumax writes "Microsoft Corp. on Wednesday clinched Common Criteria security certification from the U.S. government's National Information Assurance Partnership for six versions of its flagship Windows OS. The products receiving CC certification include Windows XP Professional with Service Pack 2 and Windows XP Embedded with Service Pack 2. Four different versions of Windows Server 2003 also received certification. Common Criteria certification, which was ratified as an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contributes to higher levels of consumer confidence in IT product security, Lipner said. SuSE Linux ES 9 has already achieved the certification and, almost a year away from being released, Red Hat Enterprise Linux 5 is on the path toward EAL4 certification."

207 comments

  1. Hehe by Anonymous Coward · · Score: 5, Funny

    It's as secure as 95% of the desktops out there. That's a good score!

    1. Re:Hehe by jo42 · · Score: 1

      ...as long as the network cable is physically disconnected...

    2. Re:Hehe by mgessner · · Score: 1

      Back in the day, DEC VAX/VMS was given a high rating in the Orange book.
      It got an even higher one without networking.

      --
      "Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
  2. In other news... by deathbyzen · · Score: 4, Funny

    Pigs have flown and it's getting a little chilly in Hell.

    1. Re:In other news... by Fred_A · · Score: 3, Funny

      Ah, pigs flying, that would explain all this shit coming down lately...

      --

      May contain traces of nut.
      Made from the freshest electrons.
  3. Perfect timing by castoridae · · Score: 5, Interesting

    Now all the US police departments (that have to use EAL-4 systems) can buy upgrades from Win2000 to XP. Perfect timing, with all that DHS money coming down the pipe right now...

    1. Re:Perfect timing by glitch23 · · Score: 0

      All FBI field offices already have WinXP desktops from Dell.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  4. The important thing is the profile. by El+Cubano · · Score: 5, Informative

    I took a security-related class not too long ago. The prof pointed out that the CC is basically worthless. The important thing is the profile. For example, he said most CC certifications are given out for a profile of a system on a friendly network that is not physically accessible to untrusted users. How useful is that?

    He also said something to the effect of: You can claim that your security policy has never been breached, as long as your policy is to not check security.

    The problem is that government perpetuates this by requiring people/companies to spend tons of money on this stuff to get "approved" for government use.

    1. Re:The important thing is the profile. by StikyPad · · Score: 5, Insightful

      To be fair, there is really no such thing as a system that can withstand an attacker who has physical access regardless of what OS you're running. Once an attacker has physical access, all bets are off.

    2. Re:The important thing is the profile. by MC68000 · · Score: 2, Interesting

      How about an encrypted filesystem? How about if there were no ways for this attacker to gain root privileges from a local login? I really don't understand what you're saying.

      --
      E = m c^3 Don't drink and derive E = m c^3
    3. Re:The important thing is the profile. by dsci · · Score: 1

      I think part of the essence of having physical access is having unlimited time. This makes things like brute forcing the root password a little easier. Or, steal the hd and go to work on that encryption back at your own lab.

      --
      Computational Chemistry products and services.
    4. Re:The important thing is the profile. by masdog · · Score: 2, Informative

      1) Social Engineering can get around any encryption or local software security. If a person can get to the restricted machine, chances are they also got all the information they need to access the system.

      2) Unless the machine has no floppy drives, USB ports, or CD-ROMs, a live CD would allow an attacker with physical access to the machine to boot, image the hard drive to an external device (like an IPOD) and decrypt it later.

      There are ways around any security. Sometimes, it is just a little more time consuming.

    5. Re:The important thing is the profile. by MC68000 · · Score: 1

      1. OK, sufficient social engineering can bypass any security. But for some things the social engineering required would be enormous. It would be easier to steal the system and discs containing passwords and keys.
      2. Live CDs can be disabled by setting a BIOS password. Sure, an attacker could convince someone to let him reset the BIOS by disassembling the computer. That would be a masterful feat. And how does the attacker decrypt the harddrive once it is stored on the IPOD?

      --
      E = m c^3 Don't drink and derive E = m c^3
    6. Re:The important thing is the profile. by GaryPatterson · · Score: 1

      I'd like to think that highly secure installations, such as military units, would have the physical computer behind an impregnable barrier, with only cables protruding. Add to that an encrypted file system and physical barriers to gain access even to the terminals, and you should have a system that ensures better security.

      I'd like to think that.

      I suspect that the reality is a Dell PC sits beside the desk, and there's a stack of music CDs piled on top of it, some of which are the new Sony rootkit installation disks. The door's unlocked and the assumption is that if you're allowed past the base entry point, then you're meant to be there.

    7. Re:The important thing is the profile. by Lehk228 · · Score: 1

      can't brute force the root password if it locks down or only accepts RSA token logins

      --
      Snowden and Manning are heroes.
    8. Re:The important thing is the profile. by masdog · · Score: 2, Insightful

      On a small scale, you're right. Some of this stuff is out of the reach of most ordinary attackers. Social engineering, especially on the scale that would be required to reach "secure" government, industry, or criminal computers, would be an enormous undertaking for most groups looking to get this information.

      However, I think that organizations like the CIA, KGB, Mossad, and other big-time intelligence agencies would go through that kind of effort to socially engineer access to systems.

      If you can get physical access to the secure computer, chances are you know about the BIOS passwords and somehow acquired them.

      As for decrypting the drive once the image is on the IPOD, I'm not sure how you would do that. It would take a lot of computing power to do it, so I'm guessing that unless you can get it to the NSA, you'll be spending a long time trying to read the drive.

    9. Re:The important thing is the profile. by general_re · · Score: 2, Insightful
      Social engineering, especially on the scale that would be required to reach "secure" government, industry, or criminal computers, would be an enormous undertaking for most groups looking to get this information.

      I think you underestimate (or overlook entirely) the efficacy of low-tech methods of social engineering. If I have possession of your secure computer, and the information on it is valuable enough to me, I'll just fucking beat the password/token/keycard/whatever out of you.

      Sadism trumps encryption, which is why physical security is a critical part of any security scheme.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    10. Re:The important thing is the profile. by Asphixiat · · Score: 2, Interesting

      BIOS passwords are useless, there are Master passwords for most makes and models :)

      go here and find yours today:

      http://www.biosflash.com/e/bios-passwords.htm :)

    11. Re:The important thing is the profile. by Urkki · · Score: 1

      Social Engineering can get around any encryption or local software security. If a person can get to the restricted machine, chances are they also got all the information they need to access the system.

      Also don't forget lead pipe cryptography...

    12. Re:The important thing is the profile. by Schraegstrichpunkt · · Score: 2, Insightful

      To paraphrase Schneier, it's important to answer the question, "Secure against what? Secure from whom?" I doubt your encrypted filesystem is going to be secure against someone dropping a grenade on the CPU, for example.

    13. Re:The important thing is the profile. by Anonymous Coward · · Score: 1, Insightful

      How does an OS that doesn't get booted, sitting on a hard drive that has been removed from the machine only accept anything?

    14. Re:The important thing is the profile. by OeLeWaPpErKe · · Score: 1

      It may be possible to break into any system if you have physical access, it is however not possible without rebooting the machine. That means that there ARE security policies that will withstand physical access. E.g. In my security class the idea was launched to encrypt stuff in special ways, and to have a key deletion schedule that will allow you to
      1) determine the smallest possible window of time when the system was broken
      2) prevent an attacker from inserting messages into the system, even with root access to the system. If he reboots, the key will have been deleted, the system will not be able to read its own data, and will not be able to communicate with the rest of the network
      3) if the encrypted data is accessible in any way, it can be made possible to check against forgeries, and still accept the data generated before the breach (the data might have been deleted of course)
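
The key deletion schedule described in the comment above, sketched as an added example (not part of the original comment). It assumes one common realisation, a hash-evolved MAC key in which each epoch's key is derived from the previous one and then deleted; the names `ForwardSecureLogger`, `evolve` and `verify` are hypothetical.

```python
import hashlib
import hmac


def evolve(key: bytes) -> bytes:
    """One-way step: K(i+1) = H("evolve" || K(i)). K(i) cannot be recovered from K(i+1)."""
    return hashlib.sha256(b"evolve" + key).digest()


def _tag(key: bytes, epoch: int, message: bytes) -> bytes:
    """MAC over the epoch number and the message, under that epoch's key."""
    return hmac.new(key, epoch.to_bytes(8, "big") + message, hashlib.sha256).digest()


class ForwardSecureLogger:
    """Runs on the exposed machine. Holds only the current epoch key."""

    def __init__(self, k0: bytes):
        self._key = k0
        self.epoch = 0
        self.entries = []  # list of (epoch, message, tag)

    def append(self, message: bytes) -> None:
        self.entries.append((self.epoch, message, _tag(self._key, self.epoch, message)))
        # Key deletion schedule: replace the key immediately after use.
        self._key = evolve(self._key)
        self.epoch += 1

    def current_key(self) -> bytes:
        """Models a breach: whoever takes over the machine learns only this key."""
        return self._key


def verify(k0: bytes, entries) -> int:
    """Run by a verifier who kept K0 offline.

    Returns how many leading entries are authentic; the first failing index
    bounds where tampering begins.
    """
    key = k0
    for i, (epoch, message, tag) in enumerate(entries):
        if epoch != i or not hmac.compare_digest(tag, _tag(key, i, message)):
            return i
        key = evolve(key)
    return len(entries)


def run_demo() -> dict:
    k0 = hashlib.sha256(b"constructed demo key").digest()  # constructed sample key
    logger = ForwardSecureLogger(k0)
    for msg in (b"boot ok", b"user alice login", b"config changed"):  # constructed log lines
        logger.append(msg)
    honest = list(logger.entries)

    # Breach after three entries: the intruder holds K3 but K0..K2 are gone.
    stolen = logger.current_key()

    # Rewriting history fails: entry 1 needs K1, which no longer exists anywhere
    # on the machine.
    rewritten = list(honest)
    rewritten[1] = (1, b"nothing happened", _tag(stolen, 1, b"nothing happened"))

    # Entries from the breach epoch onward can be forged, so they are untrusted.
    appended = honest + [(3, b"intruder entry", _tag(stolen, 3, b"intruder entry"))]

    return {
        "honest": verify(k0, honest),
        "rewrite_past": verify(k0, rewritten),
        "append_after_breach": verify(k0, appended),
    }


if __name__ == "__main__":
    print(run_demo())
```

Entries written before the breach stay verifiable and unforgeable; anything at or after the breach epoch has to be treated as attacker-controlled.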

    15. Re:The important thing is the profile. by imdx80 · · Score: 1

      Locks out after three attempts eh?
      Good thing you've got two kneecaps.

    16. Re:The important thing is the profile. by TrappedByMyself · · Score: 2, Insightful

      It may be possible to break into any system if you have physical access, it is however not possible without rebooting the machine. That means that there ARE security policies that will withstand physical access. E.g. In my security class the idea was launched to encrypt stuff in special ways, and to have a key deletion schedule that will allow you to 1) determine the smallest possible window of time when the system was broken 2) prevent an attacker from inserting messages into the system, even with root access to the system. If he reboots, the key will have been deleted, the system will not be able to read its own data, and will not be able to communicate with the rest of the network 3) if the encrypted data is accessible in any way, it can be made possible to check against forgeries, and still accept the data generated before the breach (the data might have been deleted of course)

      Fine, then yank the power cord, bust open the case and remove the drive. Pop a USB adapter on it and plug it into another machine. Now you can start working on getting the data without having to boot from the drive or without any other part of the system getting in the way.
      Or, just have the person who gave you physical access log in for you.

      --

      Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
    17. Re:The important thing is the profile. by TrueKonrads · · Score: 2, Insightful

      How about you install key-logger and wait for the fireworks? Any kind of physical security that can be trusted upon is hard to obtain. The IBM 4758 PCI Cryptographic Coprocessor is used in environments where it is important to prevent tampering. It has been said many times before, that the only way to have a "secure" environment is to guard all access points with armed marines. This, naturally, is not feasible and physical security will always be an easy point of attack. Thus, the grandparent's post is valid.

      --
      Lone Gunmen crew.
    18. Re:The important thing is the profile. by CortoMaltese · · Score: 1
      Having participated in the Common Criteria evaluation of a product, I'll have to comment on this.
      Once an attacker has physical access, all bets are off.

      This is not entirely true. It really depends on the type of system we are talking about. Smart cards exist for the specific purpose of being tamper resistant devices, i.e. can withstand physical attacks to a certain extent. Usually the Common Criteria evaluation of a smart card operating system covers many aspects related to physical attacks.

      As per the grandparent's claim that the Common Criteria is worthless: It depends on the Protection Profile (PP) and the Target of Evaluation (TOE). Usually, the higher the EAL (Evaluation Assurance Level), the smaller the target of evaluation. It is very costly and laborious to achieve high EALs for broad targets of evaluation.

      In the case of a general purpose operating system, it would be interesting to get hold of the PP and the TOE, and to see what is actually evaluated. In any case, there will be a specification of the environment in which the evaluation holds, and surely for any general purpose OS the physical access must be restricted.

    19. Re:The important thing is the profile. by EdHockery · · Score: 1

      Do you mean: don't drink and derive 1/3(Em)C^3 ?

      --
      "Each man has his price Bob, and yours was pretty low...", Roger Waters, Amused To Death.
    20. Re:The important thing is the profile. by swillden · · Score: 1

      Fine, then yank the power cord, bust open the case and remove the drive. Pop a USB adapter on it and plug it into another machine. Now you can start working on getting the data without having to boot from the drive or without any other part of the system getting in the way.

      This is where a TCPA TPM becomes useful. You can encrypt the data with a key stored in the TPM and bound to a particular boot profile. If you attach the drive to a different machine, or boot the machine off of another device, or with a different kernel+set of drivers, etc., then you have no key to decrypt the data. For even more security, the key stored by the TPM shouldn't be the actual decryption key, it should be generated by combining the TPM key with a passphrase and then encrypting that with another external key in a smart card.

      Nothing is impregnable given physical access, but this combination is about as close as you can get with commodity hardware.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
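
The boot-profile binding described in the comment above, as an added example (not part of the original comment). It is a pure software model, not a real TPM interface: `ModelTPM`, `measure_boot` and `try_unlock` are hypothetical names, SHA-256 stands in for the chip's hash, and the smart-card wrapping layer the comment mentions is left out.

```python
import hashlib
import hmac
import os


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). Order-sensitive and one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold every boot stage into one register, starting from all zeros."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ModelTPM:
    """Software stand-in for the chip: a per-device root secret plus one PCR."""

    def __init__(self):
        self._root = os.urandom(32)  # models a key that never leaves the chip
        self.pcr = bytes(32)

    def boot(self, components) -> None:
        self.pcr = measure_boot(components)

    def _prf(self, label: bytes, *parts: bytes) -> bytes:
        return hmac.new(self._root, label + b"".join(parts), hashlib.sha256).digest()

    def seal(self, secret: bytes) -> dict:
        """Bind a 32-byte secret to this chip and to the current PCR value."""
        if len(secret) != 32:
            raise ValueError("model seals 32-byte secrets only")
        nonce, policy = os.urandom(16), self.pcr
        ct = bytes(a ^ b for a, b in zip(secret, self._prf(b"pad", nonce, policy)))
        return {"nonce": nonce, "policy": policy, "ct": ct,
                "mac": self._prf(b"mac", nonce, policy, ct)}

    def unseal(self, blob: dict) -> bytes:
        mac = self._prf(b"mac", blob["nonce"], blob["policy"], blob["ct"])
        if not hmac.compare_digest(mac, blob["mac"]):
            raise PermissionError("blob was not sealed by this chip")
        if not hmac.compare_digest(self.pcr, blob["policy"]):
            raise PermissionError("boot measurements differ from sealing time")
        pad = self._prf(b"pad", blob["nonce"], blob["policy"])
        return bytes(a ^ b for a, b in zip(blob["ct"], pad))


def derive_disk_key(tpm_secret: bytes, passphrase: bytes) -> bytes:
    """Combine the released secret with a passphrase, as the comment suggests."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, tpm_secret, 50_000)


def try_unlock(tpm: ModelTPM, blob: dict, passphrase: bytes):
    """Return the disk key, or None when the chip refuses to release its half."""
    try:
        return derive_disk_key(tpm.unseal(blob), passphrase)
    except PermissionError:
        return None


def run_scenarios() -> dict:
    # Constructed boot chain; real measurements are hashes of firmware and kernel images.
    trusted = [b"firmware v1", b"bootloader v1", b"kernel v1 + drivers"]
    passphrase = b"correct horse"

    tpm = ModelTPM()
    tpm.boot(trusted)
    secret = os.urandom(32)
    blob = tpm.seal(secret)  # the blob lives on the disk next to the ciphertext
    disk_key = derive_disk_key(secret, passphrase)

    results = {"same_boot": try_unlock(tpm, blob, passphrase) == disk_key}

    tpm.boot([b"firmware v1", b"external media loader", b"other kernel"])
    results["different_boot_refused"] = try_unlock(tpm, blob, passphrase) is None

    other_machine = ModelTPM()
    other_machine.boot(trusted)  # identical software, different chip
    results["moved_drive_refused"] = try_unlock(other_machine, blob, passphrase) is None

    tpm.boot(trusted)
    results["wrong_passphrase_differs"] = try_unlock(tpm, blob, b"guess") != disk_key
    return results


if __name__ == "__main__":
    print(run_scenarios())
```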
    21. Re:The important thing is the profile. by CubicleView · · Score: 1

      When someone has physical access to the machine, they can do a number of things to get around passwords etc. They could place a key logger between the keyboard and the computer for example. Or if the monitor was a CRT it would also be broadcasting everything that it displays. Anyone with the right equipment could watch everything the user was doing like a tv program (a fairly fuzzy one at least)

    22. Re:The important thing is the profile. by halltk1983 · · Score: 1

      Dude... Thank you. I've been trying to brute force a laptop on and off for about 3 years now that I bought used...

      --
      Watch for Penguins, they eat Apples and throw rocks at Windows.
    23. Re:The important thing is the profile. by egarland · · Score: 1

      there is really no such thing as a system that can withstand an attacker who has physical access regardless of what OS you're running.

      This is false on its face. People have physical access to ATM machines all the time. Many of them run Windows now. There are tons of ways to secure machines from physical attack and make the game far from over. Granted it's not Windows that's doing it but it *is* Windows that is being secured.

      --
      set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
    24. Re:The important thing is the profile. by Fujisawa+Sensei · · Score: 1
      This is false on its face. People have physical access to ATM machines all the time. Many of them run Windows now. There are tons of ways to secure machines from physical attack and make the game far from over. Granted it's not Windows that's doing it but it *is* Windows that is being secured.

      Sorry but you don't have physical access to the computer inside the ATM machine. It's locked in a steel box, designed to prevent access and alert authorities when you try to gain access.

      --
      If someone is passing you on the right, you are an asshole for driving in the wrong lane.
    25. Re:The important thing is the profile. by ajs · · Score: 1

      "How about an encrypted filesystem?"

      That defends against access AFTER the machine has been turned off, but with physical access to a machine while it's up, that does you no good. You can simply attach a debugger to a process that has legitimate access to the encrypted information, and dump the information returned from read(2) (assuming POSIX semantics).

      "How about if there were no ways for this attacker to gain root privileges from a local login"

      Given physical access, that's almost impossible to arrange. For example, you could boot from external media; boot the standard system inside of a virtual machine and corrupt security attributes for running processes (elevate someone's shell to root, for example); trigger a "suspend to disk" and edit the on-disk core image before resuming; etc.

      If you have money to spend, then building devices which take over control of the bus or snapshot RAM are also doable, though quite expensive, and quickly outdated. Such efforts are only worth it if you have a specific target of high value in mind.

    26. Re:The important thing is the profile. by egarland · · Score: 1

      Sorry but you don't have physical access to the computer inside the ATM machine. It's locked in a steel box, designed to prevent access and alert authorities when you try to gain access.

      Exactly

      --
      set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
    27. Re:The important thing is the profile. by Lando · · Score: 1

      You're right about almost everything, except the dell pc, it's actually a dell laptop...

      --
      /* TODO: Spawn child process, interest child in technology, have child write a new sig */
    28. Re:The important thing is the profile. by Lando · · Score: 1

      Actually it generally depends on the people around it for that protection or the building it is inside. Several ATM machines "disappear" every year...

      Now when/if they start putting LoJack systems into the ATM machines it'll be a bit harder than just picking up the machines and leaving...

      --
      /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  5. I assume this certification . . . by Anonymous Coward · · Score: 0
    . . . requires the absence of a CD-ROM drive to be valid.

    ~~~

  6. Of course... by Chris+Bradshaw · · Score: 5, Informative

    For those who don't have the foggiest... More info on Common Criteria Certification can be found Here

    --
    Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
  7. Amazing... by musawilliams · · Score: 3, Insightful

    You pay someone off to give you a cert, then, in the same breath, announce another security vulnerability.

    1. Re:Amazing... by KrispyKringle · · Score: 3, Interesting

      If I remember right, there is a certification fee. Of course, that makes sense, since certifying an OS costs the certifier. But you're not saying that; you're implying that MS paid a bribe to get certified.

      Care to back that up with references? Or is this just typical Slashdot trolling?

    2. Re:Amazing... by pintomp3 · · Score: 1

      i believe it's typical slashdot karma-whoring.

    3. Re:Amazing... by toadlife · · Score: 1

      Looks like the little whore succeeded.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    4. Re:Amazing... by Just+Some+Guy · · Score: 1
      Care to back that up with references? Or is this just typical Slashdot trolling?

      He did back it up with references. Their software collection that just got officially declared "Spiffy, +3" is demonstrably not secure, as per the link he provided (and many others just like it).

      Since the OS obviously does not meet the generally accepted standards for "secure", but it was certified as such anyway, there are two possibilities:

      1. The certification is meaningless and should be widely recognized as such, or
      2. The certification was bought.

      I'm not sure which is worse from a PR stance.

      --
      Dewey, what part of this looks like authorities should be involved?
    5. Re:Amazing... by KrispyKringle · · Score: 1

      Two things. First, what you said is, I'm afraid, logically wrong; second, his references did not back up what he said.

      First things first. The third possibility, and the one that I believe is most accurate is that the certification is meaningful and valid even with said vulnerability. One of the criteria required is not to be vulnerability free; if you read the common criteria specification you will not find, anywhere, that common criteria certified OSes are not allowed to have vulnerabilities (otherwise SuSE and RHEL wouldn't get certified, either). So while Windows does have a vulnerability (or many), it may still conform to the requirements of the common criteria certification without that certification being meaningful (as explained elsewhere, CC certifies a range of security features and implementations).

      Second, what he said was that MS bought the certification through bribery. And even if we were to accept your reasoning above (which is specious), that wouldn't be a fair conclusion; it could be far more likely that CC certification is meaningless than to think that MS bribed an independent certifier.

      Sure, yes, it's Microsoft, and we all know they're evil. But meaningless, unsubstantiated charges of bribery are just that: meaningless and unsubstantiated.

    6. Re:Amazing... by Just+Some+Guy · · Score: 1
      The third possibility, and the one that I believe is most accurate is that the certification is meaningful and valid even with said vulnerability. One of the criteria required is not to be vulnerability free; if you read the common criteria specification you will not find, anywhere, that common criteria certified OSes are not allowed to have vulnerabilities

      BS. Common Criteria claims to be a standard for computer security. Full stop. Regardless of how watered down they managed to make the full explanation, you and I both know that the certification's intent is to imply that tested products are secure. The fact that the fine print says, "well, not really secure, per se, but at least vulnerable in well-documented ways, plus maybe a few extra later" doesn't mean they should be allowed to parade this around to fool PHBs with a checklist.

      Second, what he said was that MS bought the certification through bribery. And even if we were to accept your reasoning above (which is specious), that wouldn't be a fair conclusion; it could be far more likely that CC certification is meaningless than to think that MS bribed an independent certifier.

      I agree: the most likely explanation is that CC is as worthless as we've all known it to be for years. Because if it's not, then somebody got rewarded for looking the other way as that swiss cheese of a COTS system got certified.

      --
      Dewey, what part of this looks like authorities should be involved?
  8. I hereby announce this.. by mnmn · · Score: 4, Funny

    I am officially releasing my certification of "The Highest Level Of Security", and giving it to my pet OS, ELKS!

    Therefore, ELKS is the most secure OS in the world.

    The press meeting will be at 24:01 December 31st.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:I hereby announce this.. by Anonymous Coward · · Score: 0

      Um, did you patch for Y2K? Just wondering....

  9. From TFA by TubeSteak · · Score: 4, Insightful
    During the certification review, Lipner said the various versions of Windows XP and Windows Server 2003 were evaluated in more than 20 real-world scenarios or "workloads" in a testing lab. It includes rigorous and exhaustive testing at the source-code level to determine certifications, he explained.

    Critics of Common Criteria certification say the ratings are not a true reflection of the secure nature of a product in general purpose situations because it does not take every general-purpose situation into account.
    No certification process is going to take every situation into account. Windows would never get certified if that was the case. Neither would anything else with a TCP stack.

    I'm just mentioning this to help cut off some of the anti-MS crap that's going to get modded up as insightful.

    Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way.
    --
    [Fuck Beta]
    o0t!
    1. Re:From TFA by NutscrapeSucks · · Score: 4, Informative

      Not to mention that Windows does have certain security features that are simply not present in standard Unix.

      For example, an administrator can be denied access to a file. The admin can change the ACLs by taking ownership, but doing this generates a log event. Deleting the logs generates another log event. AFAIK, it's impossible to restrict the unix superuser in this way.

      Probably not important in most environments, but for government-type security it can be.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    2. Re:From TFA by Comatose51 · · Score: 1
      "Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way."

      I can attest to that as well. Windows is fairly secure except MSFT made IE such an integral part of Windows. You end up with a situation where Windows is secure but the most accessible and vulnerable part of it can get you right past all those defenses. It's akin to putting a screen door on a vault.

      --
      EvilCON - Made Famous by /.
    3. Re:From TFA by Drooling+Iguana · · Score: 1
      Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way.

      Yes, it's come a long way from previous versions of Windows.

      Doesn't mean it's any good now, especially when compared to what else is available.
      --
      ... I'm addicted to placebos
    4. Re:From TFA by plsuh · · Score: 4, Informative

      For example, an administrator can be denied access to a file. The admin can change the ACLs by taking ownership, but doing this generates a log event. Deleting the logs generates another log event. AFAIK, it's impossible to restrict the unix superuser in this way.

      You're comparing an administrator user (which is a preset level of privilege on Windows) with the root user on a Un*x system, which is apples to oranges. The root user on Un*x is more properly compared to the LocalSystem account on Windows. The key difference is that the LocalSystem account never has a password so you can never log in as LocalSystem. However, many Un*x systems (e.g. Mac OS X) also have root accounts that don't have a password (and thus you cannot log in as root) or at least disallow remote root logins, giving them similar levels of account protection.

      In fact, the restrictions on the default administrator account on Windows are weaker than those given to administrator accounts on Mac OS X -- a Windows admin can write to \Windows\System32 without elevated privileges, which pretty much means game over if the attacker can get the admin to execute a script (e.g. through a browser flaw) that puts DLL's into the directory. In contrast, a Mac OS X admin needs to authenticate and temporarily gain elevated privileges to write to the equivalent location, /System/Library. Even if an attacker fools a Mac OS X admin into running a script, there is still the need to authenticate which gives the admin a chance to halt the attack.

      --Paul

    5. Re:From TFA by killjoe · · Score: 1

      Look up SELinux before you post on this subject. Your ignorance is showing.

      --
      evil is as evil does
    6. Re:From TFA by drsmithy · · Score: 4, Insightful
      The root user on Un*x is more properly compared to the LocalSystem account on Windows.

      There is no real comparison, because the security models are fundamentally different.

      In unix, if you're root, you can do anything. "Security" checks basically start with an "if (UID != 0)".

      In Windows, all accounts are subject to ACLs. Some accounts have more generous ACLs than others, but there is no equivalent to the "can do anything"-ness of a unix root account.

      In fact, the restrictions on the default administrator account on Windows are weaker than those given to administrator accounts on Mac OS X -- a Windows admin can write to \Windows\System32 without elevated privileges, which pretty much means game over if the attacker can get the admin to execute a script (e.g. through a browser flaw) that puts DLL's into the directory. In contrast, a Mac OS X admin needs to authenticate and temporarily gain elevated privileges to write to the equivalent location, /System/Library.

      This comparison is flawed. An "Administrator" account in OS X is a completely different thing to an "Administrator" account in Windows - not only in concept, but also in execution. An OS X admin account is more properly compared to a "Power User" in Windows - but even then the two are still very different due to the different security models. An OS X "admin" account is simply one that can sudo to root - thus giving it complete control over the entire machine, with no further permissions checks performed at all. Since Windows has no equivalent of root, it has no equivalent to an OS X "Administrator" user. A "Power User" is similar in purpose (limited administrative abilities, but can't destroy the machine wantonly), but very different in execution.

    7. Re:From TFA by drsmithy · · Score: 2, Insightful
      I can attest to that as well. Windows is fairly secure except MSFT made IE such an integral part of Windows. You end up with a situation where Windows is secure but the most accessible and vulnerable part of it can get you right past all those defenses. It's akin to putting a screen door on a vault.

      Bollocks. IE is normal user space code just like Firefox or Word. It can't do anything more than any other code running under that user account can.

      The "integration" of IE - in and of itself - doesn't make Windows any less secure, any more than the equivalent functionality in KDE, GNOME or OS X does. The real problem is that IE is full of holes and most people run it as admin, not that IE is "integrated into the OS".

    8. Re:From TFA by asuffield · · Score: 2, Informative

      From my (admittedly limited) understanding of this part of the Windows security model, anybody with "Administrators" access or better can install device drivers into the kernel. This is a piece of software that runs in kernel space, with no security restrictions at all. The 'restrictions' you are talking about apply only to non-driver software. So there's your "can do anything"-ness.

    9. Re:From TFA by micheas · · Score: 1
      The root user on Un*x is more properly compared to the LocalSystem account on Windows.

      There is no real comparison, because the security models are fundamentally different.

      True, but the selinux and the windows security models are remarkably similar on paper.

      The big problem with windows security is that it has been left as an exercise for the reader, and if you document your secure windows system, you might be able to turn it in for your PhD dissertation. (I am exaggerating, but not by much.)

      Selinux is slowly migrating into the linux world, much like PAM did in the nineties. It is still very much a work in progress, but in time uid==0 will be about as useful as the contents of /etc/passwd in most linux systems. We can only hope that Microsoft will start to follow.

    10. Re:From TFA by Alioth · · Score: 1

      I know you said Unix, but as far as Unix workalikes are concerned, SElinux (which is turned on by default on RedHat products) can do all this and more.

    11. Re:From TFA by toadlife · · Score: 1

      He said "Standard UNIX". SELinux configurations are hardly "standard" and Linux is not UNIX.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    12. Re:From TFA by toadlife · · Score: 1

      So what else is available that is better?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    13. Re:From TFA by sqlrob · · Score: 1

      It was default in the install of FC4 I just did, so it's getting closer to standard.

    14. Re:From TFA by Anonymous Coward · · Score: 1, Interesting

      In unix, if you're root, you can do anything. "Security" checks basically start with an "if (UID != 0)".

      Not with ACLs and profiles.

      In Solaris 8 and above you can actually shutdown the root account quite tightly. You can prevent it from (say) reading the shadow file.

      Root in Solaris is simply another account, which by default has system wide access.

      I'm pretty sure similar things can be done in FreeBSD with the TrustedBSD code and also with SELinux.

    15. Re:From TFA by cortana · · Score: 1

      So tell us, who do you know still running AT&T System V?

    16. Re:From TFA by Daytona955i · · Score: 1

      However, many Un*x systems (e.g. Mac OS X) also have root accounts that don't have a password (and thus you cannot log in as root)

      Not exactly, the root account is disabled. If it had no password you could log in with no password but by putting an '*' in the beginning of a password field in the passwd file, you disable that user account. This is the way that OS X ships. Once you remove the *, you can log in as the root user.

    17. Re:From TFA by RacerZero · · Score: 1

      If it had no password you could log in with no password but by putting an '*' in the beginning of a password field in the passwd file, you disable that user account.

      There is a bit more to it than that. There is also no password authority for the Root user. That is, no authority (Kerberos, crypt, shadow, etc) to check a password. Just using the '*' in the password field doesn't completely disable a user account's ability to log in.
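
The distinction drawn in the two comments above, between an empty password field and one that starts with '*', as an added example (not from the thread or from any vendor): a Python audit of passwd-format text. The sample records are constructed and the flat-file layout is an assumption; the check classifies the password field only and says nothing about other ways into an account.

```python
"""Added example: classify the password field of passwd-style records."""

# Constructed sample in the traditional colon-separated flat-file format.
# Account names and hash strings are placeholders, not real credentials.
SAMPLE_PASSWD = """\
# name:password:uid:gid:gecos:home:shell
root:*:0:0:System Administrator:/var/root:/bin/sh
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:501:20:Alice:/home/alice:/bin/bash
guest::502:20:Guest:/home/guest:/bin/bash
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:503:20:Bob:/home/bob:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
truncated:line
"""


def classify_password_field(field):
    """Return what the second field means for password authentication."""
    if field == "":
        return "empty"      # traditionally: no password is asked for
    if field == "x":
        return "shadowed"   # real value lives in the shadow file; check there
    if field[0] in "*!":
        return "locked"     # no password can ever hash to this value
    return "hash"           # an ordinary password hash is set


def audit_passwd(text):
    """Parse passwd-format text into {account: state} plus a list of findings."""
    states, findings = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append(f"line {lineno}: malformed record, skipped")
            continue
        name, field, uid = parts[0], parts[1], parts[2]
        state = classify_password_field(field)
        states[name] = state
        if state == "empty":
            findings.append(f"{name}: empty password field, login needs no password")
        elif state == "locked" and uid == "0":
            findings.append(f"{name}: uid 0 with locked password field "
                            "(password login disabled; other routes not checked)")
    return states, findings


if __name__ == "__main__":
    states, findings = audit_passwd(SAMPLE_PASSWD)
    for name, state in states.items():
        print(f"{name:8} {state}")
    for finding in findings:
        print("finding:", finding)
```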

    18. Re:From TFA by courtarro · · Score: 1
      I'm guessing the poster is referring to the behavior of Windows to run IE-like processes in far more situations than just clicking the big blue E. It's true that if you're running as a non-power-user on a properly configured machine, IE should be able to cause no more problems than the user entering a command prompt and manually attempting to destroy things.

      The problem with IE's low-level integration is that little versions of the IE rendering engine appear all over the place: in the help system, in MSN/Windows Messenger, in Outlook Express, and even in regular Windows Explorer windows if you enter certain URLs in the address bar, etc. Some of these might be things you'd run even as the perfect Administrator, logging in only to do low-level maintenance. This means that IE-based exploits can potentially be run without ever clicking the blue E. There might be holes in the help system where opening a malicious help file uses an IE exploit to kill your system. Maybe a bug appears in the thumbnail view of Explorer where simply viewing the thumbnail of an evil .htm file on the network could kill your system. I'm not saying any of these glitches appear at the moment, but when you have the huge buggy IE codebase being called in so many places in the OS, you leave bigger holes for exploits to gain further privileges. That, in turn, impacts the security of the OS in general.

    19. Re:From TFA by Just+Some+Guy · · Score: 1
      AFAIK, it's impossible to restrict the unix superuser in this way.

      If you consider FreeBSD to be Unix, then consider chflags and securelevel. Together, they can prevent even root from having more than read-only access to a file. Same goes for OpenBSD, and I think NetBSD as well.

      --
      Dewey, what part of this looks like authorities should be involved?
    20. Re:From TFA by darkmeridian · · Score: 1

      Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way.

      Agreed. But Internet Explorer is still unremovable from Windows.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    21. Re:From TFA by killjoe · · Score: 1

      Once again your ignorance is stunning. SElinux comes "standard" with suse and fedora and is available to all debian based and gentoo users via the standard software update mechanism.

      As for linux not being unix that's just a nitpick. Nicely done though, that's a very professional wordsmithing, something worthy of a PR firm or a paid astro turfer.

      --
      evil is as evil does
    22. Re:From TFA by Anonymous Coward · · Score: 0

      Bollocks. IE is normal user space code just like Firefox or Word. It can't do anything more than any other code running under that user account can.

      There is no such thing as a normal user space under windows. Ask any Sony Music CD owners. Security was an afterthought on NT based systems. All Microsoft ever cared about was Lan/Share level security, not system level security once the user is logged on. Want proof, delete iexplorer from your system. Windows won't boot. Why is that if it's not an integral part of the OS? I can delete mozilla, galeon, etc from my Linux box and it works just fine.

      The "integration" of IE - in and of itself - doesn't make Windows any less secure, any more than the equivalent functionality in KDE, GNOME or OS X

      You're wrong. No matter what the browser hole is under Linux/OSX, when run as a normal user none have the ability to manipulate the kernel. That's not true under Windows/IE/ActiveX. Go look up the group policy fixes in the latest IE patch release from Microsoft. It's easy for a program to gain Admin rights under Windows.

    23. Re:From TFA by burnin1965 · · Score: 1

      "Windows does have certain security features that are simply not present in standard Unix"
      "it's impossible to restrict the unix superuser in this way"

      Perhaps, but if what you want are security features similar to the ACLs in Windows or even something that surpasses them, there are alternatives to Windows although I suppose you could argue they are not "standard Unix".

      linux is obviously a rather unix like OS and in this case you should probably look into selinux. With selinux you can use kernel level Mandatory Access Control to limit the superuser. In fact you can take selinux to the extreme and compile the entire security policy into the kernel and completely lock out any user from any resource including files, devices, sockets, etc.

      If you are correct that a Windows admin can change the ACL of a file they have no permissions to simply by taking ownership of the file then Windows ACLs are not as effective as selinux policies which can be tailored to absolutely restrict access. If the policy says the admin/superuser is not allowed to access a file then they are not allowed, end of story. It sounds like all that is needed to bypass the security policies for a Windows box is to find a zero day exploit that will escalate privileges to admin. Once the intruder has admin level access the ACLs are worthless.

      I came across an selinux article with a challenge several months back, the author had a linux system connected to the internet and provided anyone with a root shell. The selinux policies on the box locked down the root user to very limited permissions and the challenge was to bypass these permissions. I can't find the article now but perhaps another slashdot reader will recall the article.

      burnin

    24. Re:From TFA by Anonymous Coward · · Score: 0

      Linux, OS X and practically any other modern OS. Windows has its advantages, but security isn't one of them by any perverse stretch of the imagination.

      You quite clearly have a vested interest in pushing Windows as a secure platform. You are nearly as bad as the person you mock in your sig.

    25. Re:From TFA by NutscrapeSucks · · Score: 1

      I run FC4 and don't see any of the features mentioned in my post. Seems like you are showing your own ignorance here.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    26. Re:From TFA by NutscrapeSucks · · Score: 1

      For something like a salary spreadsheet, only limiting the superuser to read access would rather miss the point.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    27. Re:From TFA by toadlife · · Score: 1

      "If you are correct that a Windows admin can change the ACL of a file they have no permissions to simply by taking ownership of the file then Windows ACLs are not as effective as selinux policies which can be tailored to absolutely restrict access."

      All the built in administrator group in Windows is, is a group with lots of rights assigned to it by default. The ability to take ownership of files is a right granted by default to the administrators group in Windows, and it can be taken away. If you take away the right to take ownership of objects from administrators, then files that they don't have the 'take ownership' right to, they couldn't touch.

      In your SELinux example, what was the point of having a root account that can't do anything? Who exactly has the right to change those rights? There has to be SOMEBODY at the top with all of the keys. Is it a single user mode thing, where you have to start up in single user mode to set policies?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    28. Re:From TFA by drsmithy · · Score: 1
      There is no such thing as a normal user space under windows.

      Wrong.

      Ask any Sony Music CD owners.

      How many of them weren't running as admin ?

      Security was an afterthought on NT based systems. All Microsoft ever cared about was Lan/Share level security, not system level security once the user is logged on.

      Wrong.

      Want proof, delete iexplorer from your system. Windows won't boot. Why is that if it's not an integral part of the OS? I can delete mozilla, galeon, etc from my Linux box and it works just fine.

      Not only wrong, but stupid.

      You're wrong.

      Nope.

      No matter what the browser hole is under Linux/OSX, when run as a normal user none have the ability to manipulate the kernel.

      Just like Windows.

      That's not true under Windows/IE/ActiveX.

      Wrong.

      Go look up the group policy fixes in the latest IE patch release from Microsoft.

      Which ones, in particular, are you thinking of ?

      It's easy for a program to gain Admin rights under Windows.

      Even if you weren't wrong again, there is a *vast gulf of difference* between "no normal user space" and local privilege escalation.

    29. Re:From TFA by killjoe · · Score: 1

      Really? You didn't get that option during the install? There is not an option in your administration menu? Cos there is in mine.

      --
      evil is as evil does
    30. Re:From TFA by burnin1965 · · Score: 1

      "The ability to take ownership of files is a right granted by default to the administrators group in Windows, and it can be taken away"

      And once it's taken away the administrator user cannot grant the privilege back to itself? Or would this require reinstalling the OS?

      "what was the point of having a root account that can't do anything"

      It's not a root account that can't do anything, it's a root account that can only do what the selinux policies allow it to do. The whole point was that with selinux you have absolute control over security policies and not even root can supersede those policies unless that is the intent of the policies. By creating a system with such restrictive policies you can minimize potential damage if a system is hacked, i.e. if a system is hacked and the intruder manages to achieve a root shell you may have selinux policies that prevent root from installing a root kit by denying write access to system files or you can stop a worm from spreading if the selinux policies deny root, or whatever uid is used to enter the system, from opening tcp/ip sockets and connecting to other machines. The security scenarios are endless.

      "There has to be SOMEBODY at the top with all of the keys"

      Sure, in the most strict application of selinux you write your policies and compile them directly into the kernel. So whoever is writing the policies prior to compilation of the kernel is the somebody holding the keys. Once the kernel build is complete then that's it, the policy is set and there are no keys to disable the security policy. So with selinux you have the ability to lock a box down so tight that the only way to modify or bypass the security measures would be to have physical access to the box so you can replace the kernel on the media from which the system boots.

      burnin
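
The argument in this sub-thread, that a uid check lets root through while an SELinux-style policy decides on labels, as an added Python model (not SELinux code and not from any poster). The domain and type names and the rule table are constructed, and the model covers only owner/other permission bits plus a default-deny label lookup.

```python
"""Added example: uid-based (DAC) checks versus a policy-based (MAC) check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    uid: int
    domain: str          # policy label of the process (constructed name)


@dataclass(frozen=True)
class Resource:
    owner: int
    mode: int            # classic permission bits, e.g. 0o600
    rtype: str           # policy label of the object (constructed name)


PERM_BIT = {"read": 4, "write": 2}

# Constructed policy: (process domain, object type) -> permitted operations.
# Anything not listed is denied; the uid never appears in this table.
POLICY = {
    ("webserver_t", "web_content_t"): {"read"},
    ("admin_t", "web_content_t"): {"read", "write"},
    ("admin_t", "system_bin_t"): {"read", "write"},
}


def dac_allows(proc, res, perm):
    """Classic Unix check: uid 0 skips the permission bits entirely."""
    if proc.uid == 0:
        return True
    shift = 6 if proc.uid == res.owner else 0   # owner or other; groups omitted
    return bool((res.mode >> shift) & PERM_BIT[perm])


def mac_allows(proc, res, perm):
    """Policy check: decided by labels only, default deny."""
    return perm in POLICY.get((proc.domain, res.rtype), set())


def decide(proc, res, perm):
    """Access needs both layers; returns (allowed, layer_that_denied_or_None)."""
    if not dac_allows(proc, res, perm):
        return False, "dac"
    if not mac_allows(proc, res, perm):
        return False, "mac"
    return True, None


# Constructed scenario: a root-owned system binary and three callers.
SYSTEM_BINARY = Resource(owner=0, mode=0o755, rtype="system_bin_t")
ROOT_IN_WEBSERVER = Process(uid=0, domain="webserver_t")   # e.g. hijacked daemon
ROOT_AS_ADMIN = Process(uid=0, domain="admin_t")
USER_AS_ADMIN = Process(uid=1000, domain="admin_t")

if __name__ == "__main__":
    for label, proc in [("root/webserver_t", ROOT_IN_WEBSERVER),
                        ("root/admin_t", ROOT_AS_ADMIN),
                        ("uid1000/admin_t", USER_AS_ADMIN)]:
        print(label, "write system binary ->", decide(proc, SYSTEM_BINARY, "write"))
```

Root confined to the web server's domain passes the uid check and is stopped by the label lookup, while the unprivileged user in the admin domain is stopped by the permission bits before the policy is consulted.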

    31. Re:From TFA by toadlife · · Score: 1

      "And once it's taken away the administrator user cannot grant the privilege back to itself? Or would this require reinstalling the OS?"

      Interesting. I've never thought about windows security settings that insane, but...

      The security policies in Windows are stored in a file called "secedit.sdb" in %windows%\security\database folder. Theoretically, you could make a backup copy of the secedit.sdb file, and then deny everybody, including the system, the right to modify the file. Then you would have to change the owner of the secedit file to a user other than the administrator...and then *delete* that user from the system. After that, the security policies would be pretty much set in stone. The only way to change policies on the machine would be to start the machine in the recovery console and restore the backup secedit.sdb file. This of course would require physical access to the machine.

      I don't think the makers of Windows NT had this in mind when designing the security model, but that doesn't mean it couldn't work. ;)

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    32. Re:From TFA by NutscrapeSucks · · Score: 1

      go back and read the thread.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    33. Re:From TFA by Just+Some+Guy · · Score: 1

      Considering that the administrator has nearly infinite means to access that data anyway (including hardware access and reading the raw disk device), I'm not entirely sure what the point of the limitation would be.

      --
      Dewey, what part of this looks like authorities should be involved?
  10. How much did they have to remove? by Anonymous Coward · · Score: 0, Insightful

    IE, networking, Messenger, Windows Media Player, ...?

  11. Tiger? by jmcmunn · · Score: 3, Interesting


    As a Windows user considering the switch to the Intel Macs coming soon, I'm curious if Tiger (OS 10.4.4 or whatever) has gotten this certification? I know the argument is that you're more secure no matter what since no one writes spyware etc for the Mac, but is it certified? I'm honestly curious, so I know what I'm in for.

    1. Re:Tiger? by Anonymous Coward · · Score: 0

      You're asking all the wrong questions.

    2. Re:Tiger? by jmcmunn · · Score: 1


      You mean I should be asking if this certification actually means anything? Yeah, well I assume it can be taken with a grain of salt, but here on Slashdot whenever Windows security gets compared to Suse and Red Hat it can't be all bad...

    3. Re:Tiger? by Anonymous Coward · · Score: 0

      I use a windows machine at home and work, and am primarily a network administrator and product trainer (for end users, staff and VARs) for my company. We designed and built the world's first integrated file level and BareMetal multiplatform Disk-to-Disk backup solution, and have been selling that product in record numbers to primarily Windows firms for more than 3 years.

      Because we are, at some level, a security company, and constantly work in Windows, Linux, and other environments (25+ supported OS platforms) I thought it would be simply ridiculous to migrate to a mac environment.

      After reading ALL of Winn's articles, over the last several months, I became convinced it was possible for basically everyone other than our programming team and IT department to switch to macs. In fact, 2 of our support engineers have Powerbooks on their desks next to their PCs now.

      The results are astounding. These 2 people are closing more cases, handling more simultaneous tasks, and having far less downtime than any of our other users. Their ability to support our customers (who are mostly IT departments, not dumb users) is not impacted at all.

      After applying Winn's spreadsheet to our needs (which are extensive) and including some other calculations for needs including system imaging, software migration (of our own binaries), we put the cost of giving our users Mac notebooks over PC notebooks to be more than a $800 per year savings!

      Moreover, once I started chatting it up with the developers, we determined it would take only a few weeks to port our software over to a Mac OS X server instead of a Linux box, and we could then eliminate nearly $100,000 per year in i386 hardware testing and design. We could sell X Servers with our software pre-installed, for a savings of about 20% per unit, and at the same time cut our support calls nearly in half regarding client system failure.

      Simple enough to say, even with our complex, multiplatform environment, Apple offers us every feature we could want or need. Even the programmers can switch over (something I thought was not possible). Only some of our marketing and sales people would not be able to switch.

      One more thing to note: Once switching to Mac, we could drop having from 2 T1 connections back to a single T1 since a lot of our bandwidth would no longer be used by tuesday patches, virus updates, spyware updates, and spam. We'd also solve a lot of our IT headaches revolving around how to provide user security with servers at only one of our 2 sites.

      Starting from now, if the plan were approved (it has yet to be discussed with upper management) I estimate we could save approximately $64,000 per year on hard costs, and more than $100,000 per year in man hours and labor to cover our 80 users. initial costs for the switch would be paid off in less than 18 months.

      Based on Winn's numbers this would save us almost double what I have quoted, but we would still require some of the "unnecessary" security apps for Mac systems, and since most of our users are mobile, we have other headaches as well, not to mention some proprietary software to port internally.

      I've used Mac systems since the Lisa, and have owned 13 in my time. I currently do not own one due to "cost of ownership". This will be changing VERY soon!

    4. Re:Tiger? by Anonymous Coward · · Score: 0

      Yes, hence it probably doesn't matter if Tiger gets this certification.

      Anyhow, if a sufficient number of people switch to Mac, it too will get crapware. The price of popularity is being an easy target. The price of being unique is incompatibility.

    5. Re:Tiger? by mrbooze · · Score: 1

      "One more thing to note: Once switching to Mac, we could drop having from 2 T1 connections back to a single T1 since a lot of our bandwidth would no longer be used by tuesday patches, virus updates, spyware updates, and spam."

      How did switching to macs reduce the *spam* you had incoming?

    6. Re:Tiger? by T-Ranger · · Score: 1

      Who said it was incoming spam?

    7. Re:Tiger? by Twid · · Score: 2, Informative
      --
      - "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
    8. Re:Tiger? by cmacb · · Score: 1

      "How did switching to macs reduce the *spam* you had incoming?"

      Maybe he meant outgoing spam as his machines had already been taken over and were slaves to a spammer somewhere.

    9. Re:Tiger? by mdwstmusik · · Score: 1

      Yea, Macs are great, if you can actually get one. The company that I work for just replaced our whole infrastructure, and I was responsible for developing the recommendation for new hardware. I REALLY wanted to replace our Windows desktops with an operating system that requires less babysitting but was afraid of causing panic with too much change at once. So, I ended up recommending Linux for our servers, Macs for 3 of our desktops (we're not a large organization), and new Windows boxes for the rest. Got the Windows machines in less than a week, the Linux servers, in less than a month, my PowerMac order has been "shipping within the next 2 weeks" since September! Thank goodness I didn't order Macs for all of our desktops. I'd be looking for a new job by now.

      --
      "Oh, what sad times these are when passing ruffians can say 'ni' to helpless old ladies."
  12. rofl by robpoe · · Score: 0, Redundant

    Windows secure? Shyeah .. when pigs come flying out of my butt.

    Or was this test completed with the network wire UNPLUGGED ??!?!?!

    IIRC that's how Windows NT4 got its whatever certification...

    --
    = Grow a brain...
    1. Re:rofl by beetlefeet · · Score: 0, Offtopic

      It's monkeys.

    2. Re:rofl by Achromatic1978 · · Score: 1
      HAHAHA! Let's mock Windows for the fact that there was a thing like this ... what was it... /ten/ years ago! Oh wow! Decade-old "humour".

      Actually, if I recall, the 'no network connectivity to untrusted network' or somesuch was actually a criteria of the security certification, be it for Trusted Solaris or NT4, not some dismal failing of NT.

      But what am I saying, this is Slapdash... err... Slashdot.

  13. trusted != secure by evenprime · · Score: 4, Informative
    Pay attention to what the linked wikipedia story says:
    Higher EAL levels do not necessarily imply "better security", they only mean that the claimed security assurance of the TOE has been more extensively validated.


    This just means that it does what they claim. I'd be more interested in seeing what the security claims were....

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
    1. Re:trusted != secure by castoridae · · Score: 1

      Yes, these certification levels are more about documenting & following your own engineering processes (and taking into account good engineering practice & common sense as well). In my experience, they haven't really been about functional audits, per se.

  14. Boy... by Beatbyte · · Score: 2, Funny

    They're giving these things out to ANYBODY.

  15. Does this actually mean anything? by Anonymous Coward · · Score: 5, Insightful

    Does this certification actually mean anything, or is this just yet another Microsoft maneuver to be able to tell a government/corporate entity "See, we meet specification XXX that you demand software that you use have."

    Microsoft did this with POSIX support for Windows NT; NT's Posix is next-to-useless (they don't have fork(), for example) but Microsoft got it so that they could tell the relevant people "See, NT is posix-aware."

    Another example: Internet Explorer for Solaris. Probably one of the most horrible browsers out there; Microsoft only did it so companies that said "We standardize on one browser for all users" could standardize on IE. Microsoft had no real intention of supporting Solaris.

    In fact, I will go so far to say that Microsoft's proposed "open document format" doesn't exist because Microsoft has any intention of opening up their format, but so that Microsoft can meet Massachusetts' requirement to have an "open" format. This is why Massachusetts should continue to tell Microsoft that they will not use Office Vista until it supports the Open Document standard.

    So this doesn't sound like a typical anti-Microsoft post, I will say that Microsoft products are far easier to learn than the Linux equivalents, and that Microsoft made some beautiful fonts that blow away anything for Linux.

    1. Re:Does this actually mean anything? by Anonymous Coward · · Score: 0

      No, this doesn't mean anything. Windows 2000 received EAL-4. Of course, to meet that level, it couldn't be connected to a hostile network or have more than one user. Not exactly useful in the real world.

    2. Re:Does this actually mean anything? by HishamMuhammad · · Score: 1

      So this doesn't sound like a typical anti-Microsoft post, I will say that Microsoft products are far easier to learn than the Linux equivalents, and that Microsoft made some beautiful fonts that blow away anything for Linux.

      Microsoft didn't make the fonts, they licensed them from Monotype. And IMHO they don't blow away Bitstream Vera.

      Nice try though, appreciated. So this doesn't sound like a typical anti-Microsoft post, I will say that... uhm... they make nice joysticks! :)

    3. Re:Does this actually mean anything? by Lando · · Score: 1

      It really means nothing. I really don't care about Microsoft passing this or not. It's a political game where pork contracts are handed out for meeting criteria that don't exist except to provide access to one company or another... This isn't a Microsoft thing it's a government thing. With MS you can choose not to use their products, with the government you also can choose not to but then you go to prison or disappear with the "special" police since you are now a terrorist.....

      Grin,

      Seriously though, the only thing it takes to meet this level of requirement is the money to perform the testing...

      As for those still razing MS, they need to do this in order to make money, which really is what they are supposed to be doing.

      --
      /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  16. What does EAL4 mean? by danFL-NERaves · · Score: 5, Informative

    Copied verbatim from the Common Criteria v2.1 specification. I can't make heads nor tails of it:

    Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed

    Objectives

    EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line.

    EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

    Assurance components

    EAL4 (see Table 6.5) provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.

    The analysis is supported by independent testing of the TOE security functions, evidence of developer testing based on the functional specification and high-level design, selective independent confirmation of the developer test results, strength of function analysis, evidence of a developer search for vulnerabilities, and an independent vulnerability analysis demonstrating resistance to penetration attackers with a low attack potential.

    EAL4 also provides assurance through the use of development environment controls and additional TOE configuration management including automation, and evidence of secure delivery procedures.

    This EAL represents a meaningful increase in assurance from EAL3 by requiring more design description, a subset of the implementation, and improved mechanisms and/or procedures that provide confidence that the TOE will not be tampered with during development or delivery.

    Assurance class
            Assurance components
    Class ACM: Configuration management
            ACM_AUT.1 Partial CM automation
            ACM_CAP.4 Generation support and acceptance procedures
            ACM_SCP.2 Problem tracking CM coverage
    Class ADO: Delivery and operation
            ADO_DEL.2 Detection of modification
            ADO_IGS.1 Installation, generation, and start-up procedures
    Class ADV: Development
            ADV_FSP.2 Fully defined external interfaces
            ADV_HLD.2 Security enforcing high-level design
            ADV_IMP.1 Subset of the implementation of the TSF
            ADV_LLD.1 Descriptive low-level design
            ADV_RCR.1 Informal correspondence demonstration
            ADV_SPM.1 Informal TOE security policy model
    Class AGD: Guidance documents
            AGD_ADM.1 Administrator guidance
            AGD_USR.1 User guidance
    Class ALC: Life cycle support
            ALC_DVS.1 Identification of security measures
            ALC_LCD.1 Developer defined life-cycle model
            ALC_TAT.1 Well-defined development tools
    Class ATE: Tests
            ATE_COV.2 Analysis of coverage
            ATE_DPT.1 Testing: high-level design
            ATE_FUN.1 Functional testing
            ATE_IND.2 Independent testing - sample
    Class AVA: Vulnerability assessment
            AVA_MSU.2 Validation of analysis
            AVA_SOF.1 Strength of TOE security function evaluation
            AVA_VLA.2 Independent vulnerability analysis

    1. Re:What does EAL4 mean? by Anonymous Coward · · Score: 2

      ...demonstrating resistance to penetration attackers with a low attack potential.

      Does this mean that it can defeat an attack that is most likely not going to succeed?

      Wow. Just wow.

    2. Re:What does EAL4 mean? by subgrappler · · Score: 1

      it probably sounds really cool to non-technical executives.

    3. Re:What does EAL4 mean? by Neo-Rio-101 · · Score: 2, Funny

      Man, that list looks just like assembler op-codes for some kind of bizarre processor.

      --
      READY.
      PRINT ""+-0
    4. Re:What does EAL4 mean? by Iowa_Hawkeye_Fan · · Score: 1

      The EAL level by itself doesn't mean much. The important things are which (if any) protection profile are they claiming conformance with, and what does their security target say are the Security Functional Requirements.

      BTW Green Hills Software is having their secure RTOS evaluated at EAL6+ level.

  17. Soon to hit news stands by Kamiza+Ikioi · · Score: 5, Funny

    "This just in: Businesses and Government IT Professionals quickly abandon Common Criteria security certification as a security standard of any useful purpose."

    From Wikipedia on a previous certification: "The fact that Microsoft Windows 2000 remains an ISO 15408 certified product, without including the application of any Microsoft security vulnerability patches in its evaluated configuration, shows both the limitation and strength of an evaluated configuration."

    I believe that it also shows the limitation and inherent weakness of this criteria as a "security" certification or a confidence booster for consumers. Unless, of course, anyone here reasonably believes that any completely unpatched version of Windows is secure by any stretch of the imagination. I read about a machine like that once that never needed patching... it was unplugged from the net, stripped of all peripherals, dipped in molten lead, and buried inside 10m^3 of concrete and dropped into the middle of the ocean, thus becoming the most secure PC ever. I think it ran FreeBSD, too.

    --
    I8-D
    1. Re:Soon to hit news stands by NutscrapeSucks · · Score: 1

      In my understanding, these certifications are based on operating system features such as permissions and logging, and have nothing to do with implementation faults (buffer overflows, etc.). IT professionals aren't going to abandon them because, except for certain government applications, everyone ignored them anyway.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    2. Re:Soon to hit news stands by GotenXiao · · Score: 2, Insightful

      There is no secure Windows box. There are only partially secure Windows boxes.

      And, a default Windows install can be connected to the net with no firewall, NAT or proxy, or any AV software for like 8 seconds before becoming infected with Skynet and its kin.

      --
      Goten Xiao
    3. Re:Soon to hit news stands by cp.tar · · Score: 1
      a default Windows install can be connected to the net with no firewall, NAT or proxy, or any AV software for like 8 seconds before becoming infected with Skynet and its kin.

      ... as I found out the other day when trying to install WinXP SP1 to my new AMD64 machine.

      In addition to the installation crashing excessively due to my SATA drive and my lack of floppy drives, when I finally installed it, I connected to the Internet for about 5 minutes to download a firewall.
      Big mistake.

      Now I have to re-install the whole bloody thing again... all that just for Guild Wars... *sigh*

      --
      Ignore this signature. By order.
    4. Re:Soon to hit news stands by GotenXiao · · Score: 1

      Your best bet for getting a Windows box set up from scratch is to get a friend to burn you a CD with AVG, a decent firewall and Firefox et al. so you can continue the setup on the net.

      Also, ignore completely MS' advice of removing your floppy drive if you have SATA. Because to install Windows with SATA, you need drivers. Which have to be on drive A. Go figure.

      In addition, get a router (if possible); the hardware firewall will surpass any software firewall, mainly because most software firewalls live outside of the TCP stack and thus can be penetrated before the system knows it.

      --
      Goten Xiao
  18. Take long? by StikyPad · · Score: 5, Funny

    Well, it only took 4 years to finally certify XP. Although I guess that's not bad when you consider that in another 4 years they'll have Vista to start evaluating.

  19. Useless standard... by HermanAB · · Score: 0, Troll

    Well, just the fact that Windows got the certification is enough proof that the certification isn't really worth anything...

    --
    Oh well, what the hell...
  20. Not secure enough by David+Gould · · Score: 2, Funny

    They should have used OpenBSD.

    --
    David Gould
    main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
    1. Re:Not secure enough by Professor_UNIX · · Score: 3, Interesting
      They should have used OpenBSD.

      Actually if you want to get serious about it they should use a "Trusted" OS like Trusted Solaris or similar OS that uses mandatory access controls. OpenBSD does not have support for that in the base configuration the last time I checked, although it is probably sufficient for general purpose computing.

    2. Re:Not secure enough by TheRaven64 · · Score: 2, Interesting
      You can achieve something close to MAC in OpenBSD. If you disable root login, and use systrace for everything that needs elevated privileges (privilege escalation on a per-syscall basis). You can also run at securelevel 1 or 2, so no one can modify files marked as immutable.

      If you really want MAC though, TrustedBSD was merged back with FreeBSD in the 5.x branch, and is there in the latest releases. I seem to recall that Solaris 10 and Trusted Solaris now use the same codebase too, so that's another option as you said.

      --
      I am TheRaven on Soylent News
  21. CCS = Entry Level certification; CCS profiles need by dananderson · · Score: 4, Informative
    The Common Criterial Security (CCS) Certification is good, but not great. It's equivalent to Entry-level certification. Yes, it's the highest Entry-level certification, but other Operating Systems, such as Linux, Solaris, and other UNIX flavors have long had it.

    What's important is CCS Profiles, which allow one to tune the OS to the security level you need ("one size does not fit all"). AFAIK, MS Windows does not have profiles.

    That's said, it's great that Microsoft is starting to get serious about security.

  22. You're doin' a heck of a job, Balmie! by Anonymous Coward · · Score: 0

    Medals of Freedom all 'round!

  23. Microsoft POSIX is a sham by dananderson · · Score: 1
    The mention of Microsoft POSIX brought back nightmares. When I heard MS NT was POSIX compliant, I tried it out. What a joke--it's a complete sham. For example, if you set the time, the call works, but doesn't do anything! The time is the same. Other calls are similar. It's nice that valid POSIX system calls don't fail, but it would be better if an implementation actually does something!

    The only reason they did this POSIX sham, I understand, is because of US Government requirements for POSIX. Nobody could use it though.

    1. Re:Microsoft POSIX is a sham by ThinkFr33ly · · Score: 0, Redundant

      The POSIX subsystem in Windows is now called Interix. Some people disagree with your conclusion that the subsystem is a sham.

      Maybe you just made the method call incorrectly.

    2. Re:Microsoft POSIX is a sham by Anonymous Coward · · Score: 0

      That's not the Windows NT Posix subsystem.

      That's Microsoft Services for Unix, which tries to replace the Windows NT POSIX subsystem in providing a POSIX compatible environment.

  24. Smiley faces for everyone !! by Chaffar · · Score: 2, Funny
    According to Wikipedia:
    Its purpose is to allow users to specify their security requirements, to allow developers to specify the security attributes of their products, and to allow evaluators to determine if products actually meet their claims.

    So, who sets the security requirements? Does this certification have any value, or is it the equivalent of "smiley faces for everyone"?
    [National Information Assurance Partnership] So, what are your security requirements?
    [Bribed Official] I need to be able to install ro0tkits without the user's approval...
    [National Information Assurance Partnership] Excellent... EAL 4+ for all!


  25. typical response by Sathias · · Score: 0, Redundant

    Windows? Secure? Something about pigs and air travel or something... *trails off unintelligibly*

    ...

    Can I have mod points now?

    --
    Blessed are the 1337, for they shall pwn the earth.
  26. Mac OS X 10.3.6 is Common Criteria certified by DrZiplok · · Score: 5, Informative
  27. Close enough by Anonymous Coward · · Score: 1, Funny
    They should have used OpenBSD.

    They used OpenBSOD.

  28. Re:In other news Want past "Warp EAL4" security? by Anonymous Coward · · Score: 0

    Windows Server 2003 SP #1 + hotfixes is awesome as is!

    Hell, it runs more software & hardware out there than any other OS hands-down & no questions asked, from laptops & desktops to server farms & entire corporations datasystems/lifeblood via info. mgt. + doubles as an excellent arcade rig to boot, lol!

    (Especially in its limited services turned-on by default workstation "lite" install is stable & 99.999% uptime rated & a long-time descendant of C2 secure NT-based OS' before it - if you need server components? You just 'add water' (yes, it's THAT easy via wizards)).

    The "SCW" (security configuration wizard) makes it even moreso, easily.

    Why's Microsoft on top? SIMPLE:

    Super-Flexible, well documented API's + IDE development toolkits in TONS of RAD languages (my fav types for GUI &/or Console mode app development right up to enterprise class infosystems), & now excellent prebuilt add-on's toolkits for most any task imaginable, many freeware no less (not just freeware apps, which Win32 has the MOST of) but development tools - where from all apps of all kinds spring forth - the minds of developers on many levels for any imaginable purpose possible on these machines.

    Anyhow, back-on-track to the MAIN subject here:

    Want to GET TO WHERE THEY WERE TALKING ABOUT IN THE ARTICLE (i.e.-> WAY impenetrable?)?

    Read here, it'll get you there, 110% guaranteed (as far as you want to take it from its notes if you follow & implement them):

    http://www.avatar.demon.nl/APK.html

    For a non-server, personal use computer setup on a highspeed cablemodem or DSL connection to the internet from the home? Bar-none, it WILL get you to what the interviewee responded with & what it would take to get to the levels they spoke about.

    * :)

    I know - I use it, wrote it, & it works (& MUCH of what it does, such as services cutoffs? Windows SCW (mentioned above) now does)... Well, try it yourself, find out.

    Especially on the version called "Windows Server 2003" with SP #1 + hotfixes (all & recent) applied.

    APK

    P.S.=> Want to go past "Warp EAL4" (as I call it, lol, I'm PAST that) level secureness online?

    Again: Check & apply what that URL has in it, never get virus/spyware/malware OR mainly, hacked again, via OS weakness, especially online with a constant connection running... such as DSL or cablemodem.

    Consider it a freebie, that works! apk

  29. Linux Lowest Rated by Anonymous Coward · · Score: 0

    EAL level is the key, these are now 4+. Unix has been that high, older versions of Windows, but still no Linux at EAL4+.

  30. there is no way there can be no way... by YesIAmAScript · · Score: 2, Interesting

    Once you have access to the machine, you can always break into it. Yeah, an encrypted file system will slow people down a lot.

    But if the machine can boot itself and access that disk, then the machine itself contains all the information needed to decrypt the data on the disk. And thus someone can break into it by definition. It may be difficult, but it's certainly possible.

    This is why Kerberos key granters are locked away.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:there is no way there can be no way... by Anonymous Coward · · Score: 0

      No? What if it prompts you for more information e.g. decryption key that is not on the disc BEFORE it boots?

    2. Re:there is no way there can be no way... by Anonymous Coward · · Score: 0

      Then it's useless for anything important, such as being a server. Mighty damn inconvenient to have to drive 100 miles to the secure facility, get scanned in, just so you can sit there and apply a patch just in case windows would need to reboot. Doubly so if windows is set to automatically install patches and it rebooted for you at 3AM on a weekday.

    3. Re:there is no way there can be no way... by Schraegstrichpunkt · · Score: 1

      One of the first things I'd do is to see if there is an unencrypted swap partition/file on the drive. It's amazing what kind of interesting stuff is stored in swap. :)

    4. Re:there is no way there can be no way... by Anonymous Coward · · Score: 0

      But if the machine can boot itself and access that disk, then the machine itself contains all the information needed to decrypt the data on the disk. And thus someone can break into it by definition. It may be difficult, but it's certainly possible.

      Depends. If it is started remotely by sending password encrypted over TCP/IP through a BIOS-network, it's a bit harder.

      But physical access is not what we're talking about here, but being connected to a hostile network, such as internet. Or, having potentially hostile users at the keyboard (while the machine is in a vault), etc.

  31. then you need to not turn it off... by YesIAmAScript · · Score: 1

    You're right about that, but then again, if the machine is already operating when you get to it, it already has that key punched in, and it has stored it somewhere in it (or else it wouldn't be operating at the moment).

    To be honest, I had thought of the same thing you did, and I tried to fix my text to cover that case. But I didn't get the edits right. Whoops. It's always most difficult to proofread your own text. I see it as saying what I meant to say instead of what it actually says.

    --
    http://lkml.org/lkml/2005/8/20/95
  32. Windows is safe, secure, and unbreakable* by rice_burners_suck · · Score: 1, Funny
    Windows has always been the most secure operating system on the planet. In fact, there is no other secure software in the world. Only Windows has 100% completely unbreakable security, guaranteeing that your data is completely safe at all times, even if you plug it directly into the Internet with no firewall or any other security software or hardware at all. Yes, Windows is the most secure piece of software in the world.

    *Disclaimer: This post requires flexible definitions of safe, secure, security, and unbreakable.

  33. Re:CCS = Entry Level certification; CCS profiles n by [ByteMe] · · Score: 1

    You appear to be a knob. You can't spell Criteria, you don't know what CC certification actually means, and you speak of "CCS Profiles" as though that's something useful...when in fact, Protection Profiles are what's useful and both *NIX and Windows can in fact comply with Protection Profiles that have been evaluated and approved (usually the evaluation of PPs is done with some support from NSA or one of the other entities interested in CC evaluation).

    After further consideration: Yes! You, sir, are a knob. Please feel free to follow up if you actually have useful content to add...but I'm guessing you're just hoping for karma by posting non-useful comments like this. I'm not saying the world of Common Criteria is a particularly pretty one, but folks who don't know what things mean don't benefit anyone by posting their opinions about it.

    Oh, and...I strongly prefer Solaris, Linux, and OpenBSD for important things (says he, from Windows box on network with all of the above), but I hate to see posts like this get bonus points for clueless bashing.

  34. Audit by jawahar · · Score: 2, Interesting

    Has anyone done windows source code audit?

    1. Re:Audit by quarkscat · · Score: 1

      One may presume that the PRC (People's Republic of China) performed a real source code security audit on MS Windows back when their government was granted access three plus years ago.

      One might also conclude that the PRC government's move toward their very own linux distribution, Red Dragon Linux, is a result of that MS source code security audit.

      While that does predate Microsoft's release of Windows XP Pro SP2, there seem to be enough other vulnerabilities in MS OSes that the PRC has not, at least publicly, halted adoption of Red Dragon Linux. Any OS that can be CCS EAL-4 certified for security based upon the premise that the computer reside on a "friendly" network is IMHO worthless. However, this certification would seem to provide all the justification necessary for the US DHS (Department of Homeland Security) to sign with MS on a multi-year $6 Billion USD contract.

      IMHO, it provides yet another reason (besides the current state of the USA's border, seaport, and air cargo security) to consider the DHS oxymoronic.

  35. What EAL4 means... by [ByteMe] · · Score: 2, Interesting

    This is the short-form explanation. If you somehow decide to care about this more seriously, aside from seeking professional help I would recommend that you consult the Book of Armaments...er...the *real* CC site: http://csrc.nist.gov/cc/

    Each of the areas that Common Criteria cares about has an extensive set of "things in this area about which we care" that is the source of the ADO_IGS.1 (&c) items above. For a software item such as an OS, think of those as "claims".

    For any area, the EAL just shows the level to which a "claim" has been examined and therefore can be proven. EAL 1 is basically "I read your marketing puff piece, and it sounds really good!". At a different extreme, EAL 5 is pretty close to "I did everything I could to review your code and attack your system, and I still couldn't get in". Unsurprisingly, most software falls somewhere in between. Surprisingly (or not), some software (particularly OSs) might go at EAL 3 or 4 but will still have holes. Why, one might ask? (!)

    Unfortunately, it's because CC actually expects (but does not assume) that software authors did their jobs thoroughly--including not injecting unintentional bugs. Any bug that does not match the stated intent of a chunk of code, and which doesn't get caught on a code review (which might or might not happen during CC eval, but if it does should only repeat processes in place at the software vendor) would look to most of us like a HOLY CRAP VULNERABILITY -- but the CC process doesn't directly account for it in evaluating and certifying software. Is that a flaw? Yes. At the same time, if one wants to go out and procure an OS that supports an essential set of features related to user authentication, CC is more likely to provide an OS that implements that set. It doesn't mean that a CC-evaluated OS is the most secure, but it has a specific set of functions that can be shown to work.

    I know that probably sounds like a steaming pile to some folks...but for one set of evaluation criteria, the above means that CC evaluation is good and nothing else quite takes the place. In an ideal world, CC evaluation would be only one data point in a decision to procure a product, along with other measures of effectiveness that can more truly show fitness of particular software for a particular purpose.

  36. Re:CCS = Entry Level certification; CCS profiles n by Anonymous Coward · · Score: 0

    Yes, we all know that mispelling a word really has alot to do with your point or his.

    You're more of a knob than he is.

  37. Re:Windows Source Code Audit by Anonymous Coward · · Score: 1, Informative

    Yes, it's part of the CC scheme at high Evaluated Assurance Levels (EALs) like this one achieved.

  38. EAL means nothing without PP (they've got one!) by McMuffin+Man · · Score: 5, Informative

    For those of you who haven't done Common Criteria, a few clarifications:

    EAL stands for "Evaluation Assurance Level". Your EAL level describes the degree to which you demonstrated your claims. It says almost nothing about what those claims are. It's an exaggeration to say you could get EAL 4 on a brick by claiming that it would stay put when you dropped it, but not a big one.

    The claims are contained in your Security Target (ST), which is a series of claims about the Target of Evaluation (ToE). Your ST doesn't necessarily have to include many claims relevant to good security, and your ToE can exclude many subsystems and capabilities of the system being certified. To use a pre-CC example, Windows NT got an Orange Book certification by specifying that the certified system could not be connected to a network.

    If you want to adhere to a standard that tries to verify that your ToE includes capabilities that make your device useful and that your ST makes claims which really mean something about the security properties of device, you demonstrate compliance with a published Protection Profile (PP). In the US, there are a series of PP's published. These PP's describe relevant capabilities and security properties for systems used in various roles (for example, a traffic filter firewall for low risk environments).

    Without a PP, the only way to know what that EAL 4+ actually means is to closely read the ToE and the ST to figure out just how thin they sliced the salami.

    Having said all that, a tiny bit of research confirms that Microsoft actually certified these systems against the Controlled Access PP. This is a basic robustness standard (by comparison, Red Hat Linux 5 is also certified against the Labeled Security PP and the Role Based Access Control PP, which assert more robust security capabilities), but it's quite a bit more than nothing, and quite a bit more than many companies do to get their "we do Common Criteria" marketing claim.

    Color me impressed.

    1. Re:EAL means nothing without PP (they've got one!) by Anonymous Coward · · Score: 0
      Without a PP, the only way to know what that EAL 4+ actually means is to closely read the ToE and the ST to figure out just how thin they sliced the salami.

      I sure am glad that someone around here has a PP!

  39. Additional info by daboochmeister · · Score: 1
    Just some info I didn't see reflected in the various posts:
    • Many U.S. gov't agencies are now requiring that key security-related products participate in the CC eval process; it's definitely a trend
    • When a product is evaluated, the submitter can choose to NOT have it listed on the Common Criteria site; you have to work directly with a vendor to know the status for sure
    • The process isn't cheap -- requires a significant effort to make your way through to the end; that has an impact on what products get evaluated, you need to find a sponsor willing to foot the bill (labor wise, no $$ cost to get evaluated iirc)
    • One of the complaints is that you have to re-eval all subsequent releases, even minor dot releases; becomes labor intensive
    • Though it's not listed (don't know why), XP64 is also certified
    --
    "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
  40. Re:Office Vista Document by wwahammy · · Score: 1

    What do you mean by Microsoft's open document format not existing? They already are releasing the draft schemas on MSDN.

    Why should MA require them to use Open Document? It's not like XML transformations are all that tough as long as we've got the schemas which we should in this case. If Microsoft's public schema isn't complete, MA won't use Microsoft Office because it doesn't comply with the law.

    The state seems to be interested in making sure they have perpetual access to the schema. As long as Office writes to that schema then they're happy.

    Now I won't claim to know the technical pros and cons of each but ignoring that I'm not sure why MA should or would require Open Document standard support.

  41. Dir Sirs by SQLz · · Score: 0, Troll

    Dear Sir, I million dollars has been deposited in your account. Kthnx

  42. Infinite recursion? by lasindi · · Score: 0

    an administrator can be denied access to a file. The admin can change the ACLs by taking ownership, but doing this generates a log event. Deleting the logs generates another log event.

    And what happens if the admin deletes the log of the logs? Is there also a log of the logs of the logs? Does this continue until the hard drive is full?

    --
    I have discovered a truly remarkable proof of this theorem that this sig is too small to contain.
    1. Re:Infinite recursion? by toadlife · · Score: 4, Insightful

      When you clear the security log in windows, the log is cleared and then an entry is put in that says you cleared the log. You can clear the log a million times over and there will always be one entry at the beginning saying that "you cleared the log".

      You can't delete the logs....okay, well you [i]can[/i] (I think), by stopping...err, KILLING....the event log service, but another policy can be put into place that causes the system to shut down immediately if the system is unable to log security events. You could change the policy, but then that would generate a log entry too, and you would have to kill the event log service and then delete log to get rid of that which would clear all of the other events too.....

      In situations where security is paramount, a third party in your organization will be auditing the security logs and if you cleared them to cover something up, a large chunk of time would be missing from the logs. This would raise red flags.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:Infinite recursion? by lasindi · · Score: 1

      In situations where security is paramount, a third party in your organization will be auditing the security logs and if you cleared them to cover something up, a large chunk of time would be missing from the logs.

      Why would it have to be a large chunk of time? Couldn't it be a fraction of a second if you write a script to do it? My point is that if someone has "root" (I know this is Windows we're talking about) access to a machine, if they're clever enough, they can basically cover anything up.

      --
      I have discovered a truly remarkable proof of this theorem that this sig is too small to contain.
    3. Re:Infinite recursion? by Anonymous Coward · · Score: 0

      You can't delete specific entries, only the entire log up to when you cleared it.

    4. Re:Infinite recursion? by arkanes · · Score: 1
      Or you could use your Administrator privileges to insert a file system driver hook (no log event) that refuses to write certain log entries.

      Or use a kernel-level debugger to halt the log service (this happens outside the services framework and won't generate events) and edit the log there, or even redirect its file handles elsewhere, or any number of things. There are other even more obscure things you can do, but they get progressively more difficult and awkward.

      The Windows security model is powerful (much more so than it gets credit for on Slashdot), but it's not impenetrable. No general purpose OS is or can be

    5. Re:Infinite recursion? by Anonymous Coward · · Score: 0

      You don't have to be that tricky. You can simply edit the security policy to disable all security logging, and then delete the logs.

      The only way to have a high level of assurance in your logs, on any OS, is to have them stored on another, trusted server.
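
The checks discussed in this thread (the "log cleared" marker, the missing stretch of time, and the copy kept on another trusted server), as an added example that is not part of any comment above. It assumes security events are forwarded to a collector as they are written and that both copies can be exported as `record|time|event id|detail` lines; that export format, the sample records, the function names and the 15-minute silence threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Security event ID for "The audit log was cleared" on Windows XP / Server 2003.
AUDIT_LOG_CLEARED = 517


class Event(NamedTuple):
    record: int
    time: datetime
    event_id: int
    detail: str

    def key(self):
        # Local record numbers are not assumed to survive a clear, so events
        # are matched on content rather than on record number.
        return (self.time, self.event_id, self.detail)


def parse(lines):
    """Parse constructed 'record|ISO time|event id|detail' export lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        record, stamp, event_id, detail = line.split("|", 3)
        events.append(
            Event(int(record), datetime.fromisoformat(stamp), int(event_id), detail)
        )
    return sorted(events, key=lambda ev: ev.time)


def audit(collector, host, max_silence=timedelta(minutes=15)):
    """Compare the collector's copy with the host's current local log."""
    host_keys = {ev.key() for ev in host}
    return {
        # 1. The marker Windows writes after a clear.
        "cleared": [ev for ev in collector if ev.event_id == AUDIT_LOG_CLEARED],
        # 2. Records the collector received that the host no longer holds.
        #    This catches a scripted clear that takes a fraction of a second,
        #    and a clear whose marker never reached the collector.
        "missing_on_host": [ev for ev in collector if ev.key() not in host_keys],
        # 3. Long silences in the forwarded stream (logging disabled or the
        #    event log service stopped). The threshold is site-specific.
        "silence": [
            (a.time, b.time)
            for a, b in zip(collector, collector[1:])
            if b.time - a.time > max_silence
        ],
    }


# Constructed sample: what the trusted collector received from the host.
COLLECTOR_LINES = [
    "101|2005-12-15T09:00:02|528|logon user=alice",
    "102|2005-12-15T09:04:40|560|object open file=payroll.xls access=WRITE_OWNER user=admin1",
    "103|2005-12-15T09:04:41|560|object open file=payroll.xls access=READ user=admin1",
    "104|2005-12-15T09:05:10|517|audit log cleared user=admin1",
    "105|2005-12-15T09:05:30|528|logon user=bob",
    "106|2005-12-15T09:12:00|538|logoff user=bob",
    "107|2005-12-15T13:40:00|528|logon user=alice",
]

# Constructed sample: the host's own Security log as exported by the auditor.
HOST_LINES = [
    "1|2005-12-15T09:05:10|517|audit log cleared user=admin1",
    "2|2005-12-15T09:05:30|528|logon user=bob",
    "3|2005-12-15T09:12:00|538|logoff user=bob",
    "4|2005-12-15T13:40:00|528|logon user=alice",
]

if __name__ == "__main__":
    report = audit(parse(COLLECTOR_LINES), parse(HOST_LINES))
    for ev in report["cleared"]:
        print(f"CLEARED  {ev.time.isoformat()}  {ev.detail}")
    for ev in report["missing_on_host"]:
        print(f"MISSING  {ev.time.isoformat()}  id={ev.event_id}  {ev.detail}")
    for start, end in report["silence"]:
        print(f"SILENCE  {start.isoformat()} -> {end.isoformat()}")
```

On the sample data the clear itself leaves no long gap in the host's log; the three records from before 09:05:10 are recoverable only because the collector already had them.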

  43. Re:CCS = Entry Level certification; CCS profiles n by [ByteMe] · · Score: 1

    Congrats. First sentence. You mis-spelled mis-spelling. And then you fell prey to the (unfortunately) common misconception that "alot" is one word. I'm sorry, but since your native tongue appears to be gibberish I'm not sure how to have a discussion with you.

    And no, I'm not a grammar fascist and I might in fact be a knob...but your polemic above doesn't do you much credit. Did you actually read my previous post? Just curious.

  44. Was this done... by beat.bolli · · Score: 0, Redundant

    ...with an installed TCP/IP stack? :-)

    --
    Karma: none (due to not believing in reincarnation)
    1. Re:Was this done... by jbrandv · · Score: 1

      Yes the TCP/IP stack was installed.... but the network was unplugged. ;-)

  45. Re:In other news Want past "Warp EAL4" security? by Anonymous Coward · · Score: 0

    huh?

  46. Okay. by toadlife · · Score: 1

    What OS do you need to run to be secure?

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    1. Re:Okay. by GotenXiao · · Score: 1

      Linux is usually more secure. Some distros are worse than others, and some are downright bulletproof.

      --
      Goten Xiao
  47. The "common criteria" are very weak by Animats · · Score: 5, Informative
    NSA originally had the Orange Book security standards, which ranged from class C1 (Discretionary access protection, i.e. standard UNIX), up to class A1 (formally verified mandatory protection). These were serious security standards, issued in 1985. Compliance was tough, and testing was by NSA. But a few systems passed testing. Trusted Xenix made it to level B2. The WANG SCOMP, a special-purpose secure machine, made it to level A1 in 1984. That was the high water mark of operating system security.

    Vendors hated this process. First, the vendors didn't control the test process - the National Security Agency's Central Security Service did. NSA's policy back then was that you got two tries to pass validation. On the first try, the vendor was told of problems found, and given a chance to fix them. The second try was strictly pass/fail, and might include tests that the vendor had never seen. So it was quite possible, and common, for products to flunk and be cut out of procurements.

    The Common Criteria process, on the other hand, is conducted by third party labs paid by the vendor. So they're very "responsive" to the vendor.

    The "Common Criteria" are comparable to the class C Orange Book standards. They're very weak. There was heavy lobbying by the computer industry to water down the Orange Book standards, and that lobbying was successful.

    The evaluation report for Windows XP is online. It's worth reading, even though it's long.

    1. Re:The "common criteria" are very weak by Anonymous Coward · · Score: 0

      SCOMP was built by Honeywell - not WANG

    2. Re:The "common criteria" are very weak by Animats · · Score: 1

      Wang Federal Systems Division took over the SCOMP product line from Honeywell. Then Wang Federal System was sold off as Wang Federal, Inc. (Was this part of the Wang bankruptcy in 1992?) Eventually, what was left was acquired by Getronics, which seems to have eliminated what was left of Wang.

  48. Common Criteria by LeFrame · · Score: 3, Informative

    Do check out this link: "Understanding the Windows EAL4 Evaluation" It is about the testing of Windows 2000 sp3, but it is still a very valid description of the problem with CAPP/EAL4. Rounded up: "The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel. Translating that into colloquial English: Don't hook this to the internet, don't run email, don't install software unless you can 100% trust the developer, and if anybody who works for you turns out to be out to get you you are toast. - An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected. Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky."

  49. Re:CCS = Entry Level certification; CCS profiles n by Anonymous Coward · · Score: 0

    YHBT YHL HAND

    You took the bait, thus proving my point. You have no real point, so you can only try to win the argument (that you cannot win on the merits of the actual discussion) by criticizing other people's grammar and spelling online.

    You will mess up eventually. At that point, you'll be a hypocrite.

  50. LocalSystem can be restricted too by toadlife · · Score: 2, Interesting

    LocalSystem is granted everything by default, but restrictions can be put on it, and LocalSystem can't ignore restrictions put on it like root can in Unix. There really is no comparison to *nix root account in Windows.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  51. Re:CCS = Entry Level certification; CCS profiles n by Jugalator · · Score: 1

    That's said, it's great that Microsoft is starting to get serious about security.

    Well, 2000 has been EAL4 certified as well for quite some time now, so when we're speaking of those certifications, I think it's only that they take some time to get, not that Microsoft has just recently started considering them.

    --
    Beware: In C++, your friends can see your privates!
  52. [OT] sig by Anonymous Coward · · Score: 1, Funny
    If your offended by typos or spelling mistakes on the Internet, please get laid ASAP.
    If you can't fucking spell (or distinguish "your" from "you're"), please go back to middle school ASAP.

    And I get laid on a fairly regular basis, thank you. Chicks dig a guy who knows where the apostrophe goes.
    1. Re:[OT] sig by SQLz · · Score: 1

      works every time!

  53. The fundamentals of a CC evaluation by Anonymous Coward · · Score: 1, Interesting

    Since no-one else seems to be commenting on the fundamental features of security evaluations, I suppose I had better do so.

    When you think of Government-approved IT Security evaluations, you tend to think of TCSEC - the Orange Book. Though fundamentally flawed (don't get me started!) that document set the scene for such work. It defined the vocabulary to be used for this activity, and famously made a distinction between the security features an operating system had, and the level of assurance you might have that they work.

    The Orange Book joined these two features together while Common Criteria sets them apart. Worse, Common Criteria lets the submitter define the security features he will claim. The 'assurance level' means the stringency of testing (and associated paperwork) and nothing more.

    When I worked in this field I used to refer to this as the 'Green Box' problem - the point being that you could claim a very low level of security functionality, and have that pointless claim evaluated to a very high assurance level. So, with tongue firmly in cheek, you could make a security claim that 'my product comes in a green box', have that claim evaluated to a high assurance level, and then go boasting that you have a 'level 6'.

    This is what contributors mean when they say you should 'look at the profile'. They mean you should look at the Security Claims made in the evaluation, not at the rigour with which this claim was tested.

    One possible way out of this problem is to pre-define sensible claim sets - I have done this for the UK Government in my time, but these claim sets have never achieved standard status. So the public never ask for them, and so corporations keep fooling us with pointless 'advertising' assertions like this.

  54. Re:CCS = Entry Level certification; CCS profiles n by GBH · · Score: 1

    I'm sorry but this is just clap trap and as one of the other posters has mentioned you clearly know little about what you're talking about.

    CC is a framework for testing products against an understood standard set of criteria to evaluate it's doing its job. There are 7 levels of certification (EAL1-EAL7) which require different levels of thoroughness. EAL4, for example, is likely to be the first time you'd look at the source code of the product.

    Broadly, it's a combination of checking procedural measures are in place and that good coding standards have been followed during its development along with, at the later levels (4 upwards), checking that the product actually does what it says it does and cannot easily be subverted into doing something else.

    Windows has done this for all its server OSes going back to NT4 and latterly has been doing it for XP too. The ONLY reason they do this is because it's almost impossible to sell into government without it. Governments don't care so much about the OS but they DO care about the security of the products and will often choose an inferior product that's certified over a better product that isn't. Policy often mandates that you use product with certain levels of evaluation. EAL4 is generally regarded the entry point where CC matters, before that it's just a paper pushing exercise and has little value to the security of a system or the product (by little I don't mean none!)

    If you look at the sponsors for putting Redhat and Suse through evaluation (IBM, HP and Oracle mainly) it is almost always done because they want to use those products in a governmental solution and has nothing to do with some altruistic desire to make sure the products are secure.

    The Protection Profiles you allude to are augmentations to the main CC standards. They are in place to provide a recognised baseline and, if you like, framework for testing very specific capabilities in a unified and recognised way. For example, you might have a protection profile for message labeling which sets out what a good, secure message labeling system should do, should support and should be capable of doing. This is done so that you then know that all message labeling systems meeting that PP are up to a set minimum standard of capability and security. This doesn't mean that a lot of other stuff isn't covered by the main CC evaluations it just means that they test very specific things that are relevant to that specific component.

    It's amazing what people mod up when they don't understand what they're talking about.

  55. worthless by penguin-collective · · Score: 2, Insightful

    CC, like other such certifications, is a checklist of features: it requires systems to have lots of security features. Satisfying such a checklist doesn't tell you anything about whether a system is actually secure, it supposedly tells you about whether you can or cannot implement complex security procedures. But it doesn't even tell you that because there is no guarantee that the features work and interact as intended, and, on the other hand, systems not formally satisfying the requirements may still support your security procedures.

    Companies like Microsoft love standards like CC because they don't have to provide actual security, they just have to add lots of features to their operating system, and Microsoft is great at adding features.

    If you want to achieve real security, your best bet is to remove as much unnecessary functionality from a system as possible, and that includes a lot of the junk that CC requires.

  56. Primer by Tom · · Score: 3, Informative

    For those not in-the-know on CC:

    EAL4+ is a fairly high level, and not easy to reach. This was serious work and money invested for M$.

    However, do keep in mind that CC is much more about assurance than about security. In fact, most (and in many cases the most difficult to meet) requirements are in the development and documentation areas.

    What EAL4+ does mean is that windos isn't a quickly hacked together bundle of hogwash (even though it looks like that at times), but was systematically developed, using version control software and systematic testing as well as being extensively documented.
    Usually, this goes together with a higher software quality, and high software quality usually means higher security.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:Primer by Anonymous Coward · · Score: 0

      EAL 4 does not mean that Windows "was systematically developed, using version control software and systematic testing as well as being extensively documented."

      All it means is that Microsoft was able to produce evidence that
      "windos isn't a quickly hacked together bundle of hogwash (even though it looks like that at times)"

      There are two ways to produce the evidence required: Do it right and show the evidence, or Just Do It, then produce the evidence after the fact.

      I agree though, either way is serious $ for MicroSoft. As for work, well, you can hire folks to create your evidence. Check out http://www.tresys.com/services/services2.shtml for just one offering.

  57. Not necessarily true by Anonymous Coward · · Score: 0

    LIDS allows the LIDS account to lock out root or any other account from doing anything on the system you wish to be restricted. You would allow the LIDS account just enough leeway to reconfigure LIDS to allow root to fix things, but that account may be only available on the console login and may not be able to run anything apart from sh and LIDS.

  58. Ow...Ow...Ow...Ow by HangingChad · · Score: 2, Funny
    an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contribute to higher levels of consumer confidence in IT product security,

    Ouch! Oh, great. Now I have...Ouch!...monkeys flying out of my butt. Ouch!

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  59. Profile + ST by brennz · · Score: 1

    First of all, I question security professor's judgement call that the CC is worthless. The main value behind the CC is for people to build secure systems to a set, standardized lists of requirements, and reading over unbiased evaluations gauging the fulfillment of those requirements.

    It is only people that fail to understand the set purpose of the CC that claim it has no value.

    EAL4 is just the common level to evaluate products at, because it is internationally recognized.

    The Information Assurance Technical Framework
    http://www.iatf.net/

    Obligatory Wikipedia link on CC
    http://en.wikipedia.org/wiki/Common_Criteria

  60. Re:CCS = Entry Level certification; CCS profiles n by weicco · · Score: 1

    RedHat and SuSE got certification last year. I wouldn't count that very long time. You might want to check this: http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#operatingsystem

    --
    You don't know what you don't know.
  61. Windows is 100% secure, but not 100% safe. by master_p · · Score: 2, Interesting

    Windows protocols can not be breached in any way, therefore making Windows 100% secure systems. But the Windows O/S is not 100% safe, due to bugs in critical libraries and wrong default settings. A properly patched and configured Windows system is as safe as any Unix box, but the complex security model of Windows makes it far easier to be breached.

    1. Re:Windows is 100% secure, but not 100% safe. by Anonymous Coward · · Score: 0

      huh?

      "windows protocols cannot be breached" ??
      "windows is 100% secure" ?

      that's not the reality of the situation. everything else is academic when you consider that most windows deployments expend a lot of effort combating viruses/spyware/trojan horses that no other systems have to deal with (at all)...regardless of the results (which are typically not stellar). i have worked on DoD projects that use Windows. by the time the network security people kludge your system into being restricted enough to be trusted, some app that you require is hosed because the environment is not the same one that the apps were expecting. had you been able to use something remotely resembling the default setup, you wouldn't have to worry about what's gonna break when they get done with it.

      the reasons for it don't matter as much as the results. and these problems happen just as much in military installations where they believed that they did what they had to in order to secure their networks. i work with people who worked in operations security at AOL, and they tell me that they do nothing but fight security problems and still have spyware on a significant portion of their *own* desktops.

      When older versions of MacOS had less market share than they have *now* while the world was far *less* connected to the internet, MacOS also had "its share" of viruses for it. But OSX now has a reasonable default security policy. Now, OSX is in its fourth major release and I believe that there are still zero (non-proof-of-concept) viruses in the wild for it (not NumberOfWindowsWorms * AppleMarketShare or anything like it). I hope that Microsoft learns this lesson.

      Hopefully Vista will clean up its act and see the same phenomenon when it comes out! I really hope that this is the case. But WindowsXP has an awful track record in PRACTICE and in REALITY.

    2. Re:Windows is 100% secure, but not 100% safe. by Just+Some+Guy · · Score: 1
      Windows protocols can not be breached in any way

      Care to explain that one? Go ahead: we're all ears.

      A properly patched and configured Windows system is as safe as any Unix box

      You truly believe that a Windows system can be as tight as a locked-down OpenBSD machine, let alone something like Trusted Solaris or TrustedBSD (funded in part by DARPA and the NSA)? Seriously?

      --
      Dewey, what part of this looks like authorities should be involved?
  62. Re:In other news Want past "Warp EAL4" security? by sqlrob · · Score: 1

    well documented API'
    BWAHAHAHAHAHAAH

    There's someone that's never programmed Windows.

  63. I'm SO tired of explaining this... by LanMan04 · · Score: 1

    You're exactly right. Here's how it works:

    You have this thing called a Protection Profile (PP). It defines the kind of environment the computer/OS will be operating in: Is it networked? What kind of hardware does it have? Software? If it is networked, is the network friendly or hostile? etc.

    So, what MS does is have their OS graded on a really pussy PP (not networked, in a friendly environment, locked in a vault so there's no physical access, etc) and say "Our product is secure (what "secure" means is also outlined in the PP) in this environment!".

    The EAL levels only indicate how THOROUGHLY this statement has been validated!

    So, if a bunch of security auditors are really, really, really sure that Windows is "secure" (however the PP defines that), in the weak, totally-non-real-world environment outlined in the PP, then it gets a high EAL number. THAT'S IT!

    After all, my unpatched Win 98 box is totally secure when OFF AND LOCKED IN A CLOSET!. EAL 5 here I come!

    --
    With the first link, the chain is forged.
  64. Not true by Gr8Apes · · Score: 1

    If you wish to connect a windows box as is to the network, merely shut down the server service. That takes care of most bad issues while killing any useful sharing services. I believe you'll also have to kill the Computer Browser service, and a few others to be truly safe. Shutting down the Server Service shuts down most open ports - no open ports, no vulnerabilities.

    Then you go to mozilla.org, download Firefox, install, and you should be good to go browsing for other patches you might need.

    On the other hand, I'd stick any machine behind a router which by default blocks all ports. That's much safer, after all, if you can't see the box, worms/zombies can't infect you.

    --
    The cesspool just got a check and balance.
  65. Failed my check by MECC · · Score: 1

    $ nmap windows2k

    Starting Nmap 3.95 ( http://www.insecure.org/nmap/ )
    Interesting ports on windows2k:
    (The 1662 ports scanned but not shown below are in state: closed)

    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds

    Since actually using windows requires this kind of setup, and closing these ports usually breaks things like outlook and filesharing, I'd say in such cases, windows is still a security failure. At least until the netbios protocol stack gets fixed or removed which seems unlikely.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:Failed my check by Anonymous Coward · · Score: 0

      Breaks Outlook? That is a bit of an exaggeration.

      First of all, the majority of users don't use Outlook with Exchange server. Those ports aren't required for those users.

      Second, those who do use Exchange servers still have the option of RPC over HTTP or simply using Outlook Web Access.

    2. Re:Failed my check by MECC · · Score: 1

      Breaks Outlook? That is a bit of an exaggeration.

      First of all, the majority of users don't use Outlook with Exchange server. Those ports aren't required for those users.

      Second, those who do use Exchange servers still have the option of RPC over HTTP or simply using Outlook Web Access.



      In corporate settings, the majority use exchange. Turning off those ports does in fact prevent outlook from functioning complete with [bells|whistles], causing users to complain - I've done it and seen it happen. OWA lacks the rules/calendaring features that users seem to lust after. After using outlook with exchange, they don't like resorting to OWA. And, the reason I pointed out the netbios/outlook connection in the first place was that it seemed more relevant to the original subject of security ratings, as this is usually of interest to 'corporate' buyers than home users.

      Thirdly, MS should have just fixed the vulnerabilities in its netbios protocol stack, or, shipped windows with those ports disabled by default. Then, if a user wants to enable filesharing, they should inform the user it's a security problem to do so.

      Just pointing out that 'nobody uses thing xyz' doesn't seem like a good reason not to fix a problem.

      --
      "We are all geniuses when we dream"
      - E.M. Cioran
  66. AND the TCP/IP stack by Anonymous Coward · · Score: 0

    Which is the little tid-bits they tend to leave out. Sure it's EAL 4+ rated. But only if you:

    Remove all networking from the code source
    Remove all physical access to the box
    Remove physical access to the monitor (putting it inside a bullet-proof glass enclosure)
    Require users to remove all clothing and submit to a body-cavity search before operation

    Windows is, like, totally secure, dude!

  67. Re:Office Vista Document by swillden · · Score: 1

    What do you mean by Microsoft's open document format not existing?

    The format exists, but it's not open per the MA definition. The fact that a schema exists and is published is far from adequate to meet the requirements.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  68. Re:CCS = Entry Level certification; CCS profiles n by Anonymous Coward · · Score: 0

    Misspelling doesn't have a dash in it.

  69. Where to look by kaaona · · Score: 2, Informative

    One may argue the technical merits of CAPP/EAL certifications, but serious competitors in the federal IT market simply can't afford not to make the large investments in time and money to get them. Anyone interested in the details can explore:

    http://niap.nist.gov/cc-scheme/in_evaluation.html
    http://niap.nist.gov/cc-scheme/vpl/vpl_type.html

  70. EAL4 is the highest of the low assurance levels by Anonymous Coward · · Score: 0

    EAL1-4 are basically all low assurance levels.
    EAL5 is medium assurance
    EAL6 and EAL7 are high assurance

    The international mutual recognition treaty only works up to and including EAL4.

    In the US, above EAL4, NSA does the evaluations. At EAL4 and below, commercial labs do the evaluations.

    Under the Common Criteria, the choice of protection profile is critical. You can have an EAL7 brick, and it may be very secure, but not very useful as a computer.

  71. I can't see how... by Anonymous Coward · · Score: 0

    people say that Windows Admin accounts can't cause as much damage as a root account on *nix systems. I have literally seen a user who was getting low on hard disk space actually delete the system32 directory because she thought it wasn't important. It caused a total system failure (not surprisingly).
    Please, I understand that Windows has come a long way, but it still has a long way to go. MS apologists, I really don't get you sometimes. Use your heads.

    1. Re:I can't see how... by Anonymous Coward · · Score: 0

      So login as root and delete your kernel. You've failed to show how Windows is any more damaging in the same situation.

  72. Addon "Services for UNIX" != core Windows by dananderson · · Score: 1

    You cite Microsoft's recent "[Microsoft] Windows Services for UNIX" to support your case. However, that's just an add-on. Microsoft has claimed the core MS Windows software is POSIX-compliant. If the POSIX calls were made part of MS Windows, one can actually use the APIs (assuming they work), without worrying that only a few percent of installed systems have the add-on.

    1. Re:Addon "Services for UNIX" != core Windows by ThinkFr33ly · · Score: 1

      Interix is a free download.

      In addition, Windows Vista Server will have them pre-installed.

      The fact of the matter is, very few people actually use Interix. There just isn't much of a demand.

  73. That wasn't a serious question by toadlife · · Score: 1

    But I expected someone to drop the 'L bomb'.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  74. Re:In other news Want past "Warp EAL4" security? by Anonymous Coward · · Score: 0

    I thought that within M$ itself, they have to hire consultants to come in and teach their own programmers on their APIs?

  75. Re:In other news Want past "Warp EAL4" security? by sqlrob · · Score: 1

    They do. Mark Russinovich (Sysinternals) goes in to Microsoft regularly.

  76. Re:In other news Want past "Warp EAL4" security? by Anonymous Coward · · Score: 0

    "here's someone that's never programmed Windows." - by sqlrob (173498) on Friday December 16, @07:50AM

    What makes you think the Win32 API (& yes, even the "native real/kernel mode" of NT-based OS) isn't well documented?

    See, thing is, because of that statement of yours?

    Every compiler I use nowadays & for years now comes with Win32 API documentation, & the MS DDK gives you a TON on native/real/kernel mode, as well as sites like sysinternals.com!

    I've been doing EXACTLY that & for over 12-13 years now as a pro!

    (& also before that for another 2-3 years in academia & on my own in the shareware/freeware world as well!)

    APK

    P.S.=> As to my not programming? Well, check here, ok:

    http://www.torry.net/quicksearchd.php?String=APK&Title=Yes

    That's only 1 example & the last program listed there got their HIGHEST rating...

    (By the way - That's also a rating from my peers (Borland Delphi coders, since that site is also mirrored/hosted @ Borland as well & the site owners are coders also))... apk

  77. Re:In other news Want past "Warp EAL4" security? by sqlrob · · Score: 1

    I've been doing EXACTLY that & for over 12-13 years now as a pro!

    And so have I, across several vertical industries. Their documentation is incomplete and inconsistent, especially as regards integration. Their samples are buggy (see the security holes introduced in some ethernet drivers from the DDK samples), and documentation and samples for installing stuff as non-admin users is pitiful.

  78. Re:In other news Want past "Warp EAL4" security? by Anonymous Coward · · Score: 0

    "And so have I, across several vertical industries." - by sqlrob (173498) on Saturday December 17, @06:11PM

    So have I - most of it was contracting, some was permanent.

    "Their documentation is incomplete and inconsistent, especially as regards integration. Their samples are buggy (see the security holes introduced in some ethernet drivers from the DDK samples), and documentation and samples for installing stuff as non-admin users is pitiful." - by sqlrob (173498) on Saturday December 17, @06:11PM

    I don't find that @ all - I make API calls & they work, pretty simple!

    Above all:

    IF you found 'bugs' as you state?

    Submit this to Microsoft's areas for this on MSDN &/or Technet (wherever it may be) & the knowledgebases & quit complaining - that doesn't fix anything does it?

    Personally, again - I haven't run into any problems with their documentation for their API, because the calls I use are just that - function calls. Anything else I just build myself on top of/with them in use by myself.

    APK

    P.S.=> You're WAY off-topic here, but opinions, experiences & skillsets (as well as the ability to think & read correctly) vary... be constructive, help fix the problem. You make it sound like the majority of the API is buggy & messed up in documentation, when the results (Windows running on 95-99% of the planet's personal computers to servers) shows QUITE otherwise, as well as there being more Win32 based programs out there for more purposes in software & more drivers for more hardware than any other platform. It's proven flexible & powerful... care to argue with those numbers/facts? apk

  79. Re:In other news Want past "Warp EAL4" security? by sqlrob · · Score: 1

    I have reported bugs to Microsoft, none have ever gotten resolved. This includes a buffer overflow I reported more than a year ago.

    If you try to do simple things, the API is documented reasonably well. As soon as you try to step outside the norm (try to integrate a MIME filter into an IE session for example), you will start running into problems, documentation and otherwise.

  80. Re:In other news Want past "Warp EAL4" security? by Anonymous Coward · · Score: 0

    "I have reported bugs to Microsoft, none have ever gotten resolved. This includes a buffer overflow I reported more than a year ago." - by sqlrob (173498) on Monday December 19, @09:48AM

    That MAY (or may not) be an 'isolated incident': I'd push it harder were I you, because you seem to have stumbled upon something you DEFINITELY feel is in error on their websites (your fix, if you have one or not, may be needed for others).

    I haven't done or used the API in the exact capacity which you mention, so I can't comment on that particular example you put out, directly.

    "If you try to do simple things, the API is documented reasonably well. As soon as you try to step outside the norm (try to integrate a MIME filter into an IE session for example), you will start running into problems, documentation and otherwise." - by sqlrob (173498) on Monday December 19, @09:48AM (#14290705)

    Depends on your definition of 'simple' I suppose first of all!

    However, like I stated - it's well documented & the examples I've used (when I have had to which is fairly often, especially in languages like VB where you had to do a #DECLARE to get ahold of the API to use it) Well - it worked just fine!

    I'd hit MS's website's once more & submit where you thought they had errors OR were weak in their documentation of API calls...

    (See, because if what you found's legit, it will & can probably (most likely definitely) help others - pound on their 'door' a BIT harder on it... if you care enough to take the time (or, have the time on your end) to do that, that is).

    APK

    P.S.=> Stuff like that, if it matters to you? IIRC, gets you in the running for their "MVP" type awards each year iirc... that, & helping others on their websites/newsgroups, etc.... apk