Slashdot Mirror


Windows Gets Independent Security Certification

linumax writes "Microsoft Corp. on Wednesday clinched Common Criteria security certification from the U.S. government's National Information Assurance Partnership for six versions of its flagship Windows OS. The products receiving CC certification include Windows XP Professional with Service Pack 2 and Windows XP Embedded with Service Pack 2. Four different versions of Windows Server 2003 also received certification. Common Criteria certification, which was ratified as an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contributes to higher levels of consumer confidence in IT product security, Lipner said. SuSE Linux ES 9 has already achieved the certification and, almost a year away from being released, Red Hat Enterprise Linux 5 is on the path toward EAL4 certification."

5 of 207 comments

  1. From TFA by TubeSteak · · Score: 4, Insightful
    During the certification review, Lipner said the various versions of Windows XP and Windows Server 2003 were evaluated in more than 20 real-world scenarios or "workloads" in a testing lab. It includes rigorous and exhaustive testing at the source-code level to determine certifications, he explained.

    Critics of Common Criteria certification say the ratings are not a true reflection of the secure nature of a product in general purpose situations because it does not take every general-purpose situation into account.
    No certification process is going to take every situation into account. Windows would never get certified if that was the case. Neither would anything else with a TCP stack.

    I'm just mentioning this to help cut off some of the anti-MS crap that's going to get modded up as insightful.

    Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way.
    --
    [Fuck Beta]
    o0t!
    1. Re:From TFA by drsmithy · · Score: 4, Insightful
      The root user on Un*x is more properly compared to the LocalSystem account on Windows.

      There is no real comparison, because the security models are fundamentally different.

      In unix, if you're root, you can do anything. "Security" checks basically start with an "if (UID != 0)".

      In Windows, all accounts are subject to ACLs. Some accounts have more generous ACLs than others, but there is no equivalent to the "can do anything"-ness of a unix root account.

      In fact, the restrictions on the default administrator account on Windows are weaker than those given to administrator accounts on Mac OS X -- a Windows admin can write to \Windows\System32 without elevated privileges, which pretty much means game over if the attacker can get the admin to execute a script (e.g. through a browser flaw) that puts DLLs into the directory. In contrast, a Mac OS X admin needs to authenticate and temporarily gain elevated privileges to write to the equivalent location, /System/Library.

      This comparison is flawed. An "Administrator" account in OS X is a completely different thing to an "Administrator" account in Windows - not only in concept, but also in execution. An OS X admin account is more properly compared to a "Power User" in Windows - but even then the two are still very different due to the different security models. An OS X "admin" account is simply one that can sudo to root - thus giving it complete control over the entire machine, with no further permissions checks performed at all. Since Windows has no equivalent of root, it has no equivalent to an OS X "Administrator" user. A "Power User" is similar in purpose (limited administrative abilities, but can't destroy the machine wantonly), but very different in execution.

  2. Does this actually mean anything? by Anonymous Coward · · Score: 5, Insightful

    Does this certification actually mean anything, or is this just yet another Microsoft maneuver to be able to tell a government/corporate entity "See, we meet specification XXX that you demand software that you use have."

    Microsoft did this with POSIX support for Windows NT; NT's Posix is next-to-useless (they don't have fork(), for example) but Microsoft got it so that they could tell the relevant people "See, NT is posix-aware."

    Another example: Internet Explorer for Solaris. Probably one of the most horrible browsers out there; Microsoft only did it so companies that said "We standardize on one browser for all users" could standardize on IE. Microsoft had no real intention of supporting Solaris.

    In fact, I will go so far as to say that Microsoft's proposed "open document format" doesn't exist because Microsoft has any intention of opening up their format, but so that Microsoft can meet Massachusetts' requirement to have an "open" format. This is why Massachusetts should continue to tell Microsoft that they will not use Office Vista until it supports the Open Document standard.

    So this doesn't sound like a typical anti-Microsoft post, I will say that Microsoft products are far easier to learn than the Linux equivalents, and that Microsoft made some beautiful fonts that blow away anything for Linux.

  3. Re:The important thing is the profile. by StikyPad · · Score: 5, Insightful

    To be fair, there is really no such thing as a system that can withstand an attacker who has physical access regardless of what OS you're running. Once an attacker has physical access, all bets are off.

  4. Re:Infinite recursion? by toadlife · · Score: 4, Insightful

    When you clear the security log in Windows, the log is cleared and then an entry is put in that says you cleared the log. You can clear the log a million times over and there will always be one entry at the beginning saying that "you cleared the log".

    You can't delete the logs....okay, well you can (I think), by stopping...err, KILLING....the event log service, but another policy can be put into place that causes the system to shut down immediately if the system is unable to log security events. You could change the policy, but then that would generate a log entry too, and you would have to kill the event log service and then delete the log to get rid of that, which would clear all of the other events too.....

    In situations where security is paramount, a third party in your organization will be auditing the security logs and if you cleared them to cover something up, a large chunk of time would be missing from the logs. This would raise red flags.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
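
The auditor's check described in the comment above, as an added example that is not part of the original thread: it scans an exported Security log for the "log cleared" entry and for the stretch of time missing since the auditor's last archived event. The CSV layout, the account names and the two-hour threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# "The audit log was cleared" is event 517 on Windows XP / Server 2003
# and event 1102 on Windows Vista and later.
LOG_CLEARED_IDS = {517, 1102}

# Constructed export (timestamp,event ID,account), not real log data.
# After a clear, the marker entry is the first record left in the log.
# 528 and 538 are the XP/2003 logon and logoff events.
SAMPLE = """\
2005-12-14T15:47:52,517,bob
2005-12-14T15:49:03,528,bob
2005-12-14T16:10:30,538,bob
"""

def parse(text):
    """Return a time-sorted list of (datetime, event_id, account) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account = line.split(",")
        records.append((datetime.fromisoformat(stamp), int(event_id), account))
    return sorted(records)

def find_clears(records):
    """Entries recording that the log was cleared, and by which account."""
    return [(ts, acct) for ts, eid, acct in records if eid in LOG_CLEARED_IDS]

def find_gaps(records, last_archived, max_quiet):
    """Quiet periods longer than max_quiet, counted from the last event
    the auditor archived at the previous review."""
    stamps = [last_archived] + [ts for ts, _, _ in records]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_quiet]

def audit(text, last_archived, max_quiet=timedelta(hours=2)):
    records = parse(text)
    return {"clears": find_clears(records),
            "gaps": find_gaps(records, last_archived, max_quiet)}

if __name__ == "__main__":
    report = audit(SAMPLE, datetime(2005, 12, 14, 9, 2, 11))
    for ts, acct in report["clears"]:
        print(f"security log cleared at {ts} by {acct}")
    for start, end in report["gaps"]:
        print(f"no events between {start} and {end}")
```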