Slashdot Mirror


Windows Gets Independent Security Certification

linumax writes "Microsoft Corp. on Wednesday clinched Common Criteria security certification from the U.S. government's National Information Assurance Partnership for six versions of its flagship Windows OS. The products receiving CC certification include Windows XP Professional with Service Pack 2 and Windows XP Embedded with Service Pack 2. Four different versions of Windows Server 2003 also received certification. Common Criteria certification, which was ratified as an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contributes to higher levels of consumer confidence in IT product security, Lipner said. SuSE Linux ES 9 has already achieved the certification, and Red Hat Enterprise Linux 5, almost a year away from being released, is on the path toward EAL4 certification."

16 of 207 comments

  1. Amazing... by musawilliams · · Score: 3, Insightful

    You pay someone off to give you a cert, then, in the same breath, announce another security vulnerability.

  2. From TFA by TubeSteak · · Score: 4, Insightful
    During the certification review, Lipner said the various versions of Windows XP and Windows Server 2003 were evaluated in more than 20 real-world scenarios or "workloads" in a testing lab. It includes rigorous and exhaustive testing at the source-code level to determine certifications, he explained.

    Critics of Common Criteria certification say the ratings are not a true reflection of the secure nature of a product in general purpose situations because it does not take every general-purpose situation into account.
    No certification process is going to take every situation into account. Windows would never get certified if that was the case. Neither would anything else with a TCP stack.

    I'm just mentioning this to help cut off some of the anti-MS crap that's going to get modded up as insightful.

    Using Internet Explorer is still a bit like playing Russian Roulette, but the security of Windows has come a long way.
    --
    [Fuck Beta]
    o0t!
    1. Re:From TFA by drsmithy · · Score: 4, Insightful
      The root user on Un*x is more properly compared to the LocalSystem account on Windows.

      There is no real comparison, because the security models are fundamentally different.

      In unix, if you're root, you can do anything. "Security" checks basically start with an "if (UID != 0)".

      In Windows, all accounts are subject to ACLs. Some accounts have more generous ACLs than others, but there is no equivalent to the "can do anything"-ness of a unix root account.

      In fact, the restrictions on the default administrator account on Windows are weaker than those given to administrator accounts on Mac OS X -- a Windows admin can write to \Windows\System32 without elevated privileges, which pretty much means game over if the attacker can get the admin to execute a script (e.g. through a browser flaw) that puts DLLs into the directory. In contrast, a Mac OS X admin needs to authenticate and temporarily gain elevated privileges to write to the equivalent location, /System/Library.

      This comparison is flawed. An "Administrator" account in OS X is a completely different thing to an "Administrator" account in Windows - not only in concept, but also in execution. An OS X admin account is more properly compared to a "Power User" in Windows - but even then the two are still very different due to the different security models. An OS X "admin" account is simply one that can sudo to root - thus giving it complete control over the entire machine, with no further permissions checks performed at all. Since Windows has no equivalent of root, it has no equivalent to an OS X "Administrator" user. A "Power User" is similar in purpose (limited administrative abilities, but can't destroy the machine wantonly), but very different in execution.

    2. Re:From TFA by drsmithy · · Score: 2, Insightful
      I can attest to that as well. Windows is fairly secure except MSFT made IE such an integral part of Windows. You end up with a situation where Windows is secure but the most accessible and vulnerable part of it can get you right past all those defenses. It's akin to putting a screen door on a vault.

      Bollocks. IE is normal user space code just like Firefox or Word. It can't do anything more than any other code running under that user account can.

      The "integration" of IE - in and of itself - doesn't make Windows any less secure, any more than the equivalent functionality in KDE, GNOME or OS X does. The real problem is that IE is full of holes and most people run it as admin, not that IE is "integrated into the OS".

  3. How much did they have to remove? by Anonymous Coward · · Score: 0, Insightful

    IE, networking, Messenger, Windows Media Player, ...?

  4. Does this actually mean anything? by Anonymous Coward · · Score: 5, Insightful

    Does this certification actually mean anything, or is this just yet another Microsoft maneuver to be able to tell a government/corporate entity "See, we meet specification XXX that you demand software that you use have."

    Microsoft did this with POSIX support for Windows NT; NT's POSIX is next-to-useless (they don't have fork(), for example) but Microsoft got it so that they could tell the relevant people "See, NT is POSIX-aware."

    Another example: Internet Explorer for Solaris. Probably one of the most horrible browsers out there; Microsoft only did it so companies that said "We standardize on one browser for all users" could standardize on IE. Microsoft had no real intention of supporting Solaris.

    In fact, I will go so far to say that Microsoft's proposed "open document format" doesn't exist because Microsoft has any intention of opening up their format, but so that Microsoft can meet Massachusetts' requirement to have an "open" format. This is why Massachusetts should continue to tell Microsoft that they will not use Office Vista until it supports the Open Document standard.

    So that this doesn't sound like a typical anti-Microsoft post, I will say that Microsoft products are far easier to learn than the Linux equivalents, and that Microsoft made some beautiful fonts that blow away anything for Linux.

  5. Re:The important thing is the profile. by StikyPad · · Score: 5, Insightful

    To be fair, there is really no such thing as a system that can withstand an attacker who has physical access regardless of what OS you're running. Once an attacker has physical access, all bets are off.

  6. Re:The important thing is the profile. by masdog · · Score: 2, Insightful

    On a small scale, you're right. Some of this stuff is out of the reach of most ordinary attackers. Social engineering, especially on the scale that would be required to reach "secure" government, industry, or criminal computers, would be an enormous undertaking for most groups looking to get this information.

    However, I think that organizations like the CIA, KGB, Mossad, and other big-time intelligence agencies would go through that kind of effort to socially engineer access to systems.

    If you can get physical access to the secure computer, chances are you know about the BIOS passwords and somehow acquired them.

    As for decrypting the drive once the image is on the iPod, I'm not sure how you would do that. It would take a lot of computing power to do it, so I'm guessing that unless you can get it to the NSA, you'll be spending a long time trying to read the drive.

  7. Re:The important thing is the profile. by general_re · · Score: 2, Insightful
    Social engineering, especially on the scale that would be required to reach "secure" government, industry, or criminal computers, would be an enormous undertaking for most groups looking to get this information.

    I think you underestimate (or overlook entirely) the efficacy of low-tech methods of social engineering. If I have possession of your secure computer, and the information on it is valuable enough to me, I'll just fucking beat the password/token/keycard/whatever out of you.

    Sadism trumps encryption, which is why physical security is a critical part of any security scheme.

    --
    ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
  8. Re:Soon to hit news stands by GotenXiao · · Score: 2, Insightful

    There is no secure Windows box. There are only partially secure Windows boxes.

    And, a default Windows install can be connected to the net with no firewall, NAT or proxy, or any AV software for like 8 seconds before becoming infected with Skynet and its kin.

    --
    Goten Xiao
  9. Re:The important thing is the profile. by Schraegstrichpunkt · · Score: 2, Insightful

    To paraphrase Schneier, it's important to answer the question, "Secure against what? Secure from whom?" I doubt your encrypted filesystem is going to be secure against someone dropping a grenade on the CPU, for example.

  10. Re:The important thing is the profile. by Anonymous Coward · · Score: 1, Insightful

    How does an OS that doesn't get booted, sitting on a hard drive that has been removed from the machine only accept anything?

  11. Re:Infinite recursion? by toadlife · · Score: 4, Insightful

    When you clear the security log in Windows, the log is cleared and then an entry is put in that says you cleared the log. You can clear the log a million times over and there will always be one entry at the beginning saying that "you cleared the log".

    You can't delete the logs....okay, well you [i]can[/i] (I think), by stopping...err, KILLING....the event log service, but another policy can be put into place that causes the system to shut down immediately if the system is unable to log security events. You could change the policy, but then that would generate a log entry too, and you would have to kill the event log service and then delete the log to get rid of that, which would clear all of the other events too.....

    In situations where security is paramount, a third party in your organization will be auditing the security logs, and if you cleared them to cover something up, a large chunk of time would be missing from the logs. This would raise red flags.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
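An added example of the reviewer-side check the comment above describes (not code from the thread or from Microsoft): it scans a constructed set of Security log records for "audit log was cleared" entries and for stretches of silence long enough to suggest a wiped log. The event IDs 517 (Windows XP / Server 2003) and 1102 (Vista and later) come from Windows documentation, not from the page; the four-hour gap threshold and the sample records are assumptions.

```python
from datetime import datetime, timedelta

# "The audit log was cleared" event IDs: 517 on Windows XP / Server 2003,
# 1102 on Windows Vista and later (from Windows documentation, not the thread).
LOG_CLEARED_IDS = {517, 1102}

# Constructed sample records (timestamp, event id, account); not real log data.
# The auditor's consolidated copy still holds forwarded entries from before the
# clear; the live log itself would begin with the 517 entry.
SAMPLE_EVENTS = [
    ("2005-12-14 08:00:05", 528, "alice"),   # successful logon
    ("2005-12-14 08:15:22", 560, "alice"),   # object open
    ("2005-12-14 08:40:10", 528, "bob"),
    ("2005-12-14 17:05:41", 517, "bob"),     # audit log cleared
    ("2005-12-14 17:05:59", 528, "bob"),
    ("2005-12-14 17:20:00", 560, "bob"),
]

def parse(record):
    """Turn one (timestamp, event id, account) tuple into a datetime-keyed tuple."""
    stamp, event_id, account = record
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event_id, account

def find_clears(events):
    """Return (timestamp, account) for every 'audit log cleared' entry."""
    return [(ts, acct) for ts, eid, acct in map(parse, events) if eid in LOG_CLEARED_IDS]

def find_gaps(events, max_gap=timedelta(hours=4)):
    """Return (start, end) pairs where consecutive entries lie further apart than max_gap."""
    ordered = sorted(map(parse, events))
    return [(t0, t1) for (t0, _, _), (t1, _, _) in zip(ordered, ordered[1:])
            if t1 - t0 > max_gap]

def audit_report(events, max_gap=timedelta(hours=4)):
    """What a third-party reviewer would flag: who cleared the log, and silent stretches."""
    return {"clears": find_clears(events), "gaps": find_gaps(events, max_gap)}

if __name__ == "__main__":
    report = audit_report(SAMPLE_EVENTS)
    for ts, acct in report["clears"]:
        print(f"log cleared at {ts} by {acct}")
    for start, end in report["gaps"]:
        print(f"no events between {start} and {end} ({end - start})")
```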
  12. worthless by penguin-collective · · Score: 2, Insightful

    CC, like other such certifications, is a checklist of features: it requires systems to have lots of security features. Satisfying such a checklist doesn't tell you anything about whether a system is actually secure, it supposedly tells you about whether you can or cannot implement complex security procedures. But it doesn't even tell you that because there is no guarantee that the features work and interact as intended, and, on the other hand, systems not formally satisfying the requirements may still support your security procedures.

    Companies like Microsoft love standards like CC because they don't have to provide actual security, they just have to add lots of features to their operating system, and Microsoft is great at adding features.

    If you want to achieve real security, your best bet is to remove as much unnecessary functionality from a system as possible, and that includes a lot of the junk that CC requires.

  13. Re:The important thing is the profile. by TrappedByMyself · · Score: 2, Insightful

    It may be possible to break into any system if you have physical access, it is however not possible without rebooting the machine. That means that there ARE security policies that will withstand physical access. E.g. In my security class the idea was launched to encrypt stuff in special ways, and to have a key deletion schedule that will allow you to 1) determine the smallest possible window of time when the system was broken 2) prevent an attacker from inserting messages into the system, even with root access to the system. If he reboots, the key will have been deleted, the system will not be able to read its own data, and will not be able to communicate with the rest of the network 3) if the encrypted data is accessible in any way, it can be made possible to check against forgeries, and still accept the data generated before the breach (the data might have been deleted of course)

    Fine, then yank the power cord, bust open the case and remove the drive. Pop a USB adapter on it and plug it into another machine. Now you can start working on getting the data without having to boot from the drive or without any other part of the system getting in the way.
    Or, just have the person who gave you physical access log in for you.

    --

    Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
  14. Re:The important thing is the profile. by TrueKonrads · · Score: 2, Insightful

    How about you install a key-logger and wait for the fireworks? Any kind of physical security that can be trusted upon is hard to obtain. The IBM 4758 PCI Cryptographic Coprocessor is used in environments where it is important to prevent tampering. It has been said many times before that the only way to have a "secure" environment is to guard all access points with armed marines. This, naturally, is not feasible and physical security will always be an easy point of attack. Thus, the grandparent's post is valid.

    --
    Lone Gunmen crew.