Slashdot Mirror


Windows Gets Independent Security Certification

linumax writes "Microsoft Corp. on Wednesday clinched Common Criteria security certification from the U.S. government's National Information Assurance Partnership for six versions of its flagship Windows OS. The products receiving CC certification include Windows XP Professional with Service Pack 2 and Windows XP Embedded with Service Pack 2. Four different versions of Windows Server 2003 also received certification. Common Criteria certification, which was ratified as an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contributes to higher levels of consumer confidence in IT product security, Lipner said. SuSE Linux ES 9 has already achieved the certification and, almost a year away from being released, Red Hat Enterprise Linux 5 is on the path toward EAL4 certification."

21 of 207 comments

  1. Hehe by Anonymous Coward · · Score: 5, Funny

    It's as secure as 95% of the desktops out there. That's a good score!

  2. In other news... by deathbyzen · · Score: 4, Funny

    Pigs have flown and it's getting a little chilly in Hell.

  3. Perfect timing by castoridae · · Score: 5, Interesting

    Now all the US police departments (that have to use EAL-4 systems) can buy upgrades from Win2000 to XP. Perfect timing, with all that DHS money coming down the pipe right now...

  4. The important thing is the profile. by El+Cubano · · Score: 5, Informative

    I took a security-related class not too long ago. The prof pointed out that the CC is basically worthless. The important thing is the profile. For example, he said most CC certifications are given out for a profile of a system on a friendly network that is not physically accessible to untrusted users. How useful is that?

    He also said something to the effect of: You can claim that your security policy has never been breached, as long as your policy is to not check security.

    The problem is that government perpetuates this by requiring people/companies to spend tons of money on this stuff to get "approved" for government use.

    1. Re:The important thing is the profile. by StikyPad · · Score: 5, Insightful

      To be fair, there is really no such thing as a system that can withstand an attacker who has physical access regardless of what OS you're running. Once an attacker has physical access, all bets are off.

  5. Of course... by Chris+Bradshaw · · Score: 5, Informative

    For those who don't have the foggiest... More info on Common Criteria Certification can be found Here

    --
    Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
  6. I hereby announce this.. by mnmn · · Score: 4, Funny

    I am officially releasing my certification of "The Highest Level Of Security", and giving it to my pet OS, ELKS!

    Therefore, ELKS is the most secure OS in the world.

    The press meeting will be at 24:01 December 31st.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  7. From TFA by TubeSteak · · Score: 4, Insightful
    During the certification review, Lipner said the various versions of Windows XP and Windows Server 2003 were evaluated in more than 20 real-world scenarios or "workloads" in a testing lab. It includes rigorous and exhaustive testing at the source-code level to determine certifications, he explained.

    Critics of Common Criteria certification say the ratings are not a true reflection of the secure nature of a product in general purpose situations because it does not take every general-purpose situation into account.
    No certification process is going to take every situation into account. Windows would never get certified if that was the case. Neither would anything else with a TCP stack.

    I'm just mentioning this to help cut off some of the anti-MS crap that's going to get modded up as insightful.

    Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way.
    --
    [Fuck Beta]
    o0t!
    1. Re:From TFA by NutscrapeSucks · · Score: 4, Informative

      Not to mention that Windows does have certain security features that are simply not present in standard Unix.

      For example, an administrator can be denied access to a file. The admin can change the ACLs by taking ownership, but doing this generates a log event. Deleting the logs generates another log event. AFAIK, it's impossible to restrict the unix superuser in this way.

      Probably not important in most environments, but for government-type security it can be.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    2. Re:From TFA by plsuh · · Score: 4, Informative

      For example, an administrator can be denied access to a file. The admin can change the ACLs by taking ownership, but doing this generates a log event. Deleting the logs generates another log event. AFAIK, it's impossible to restrict the unix superuser in this way.

      You're comparing an administrator user (which is a preset level of privilege on Windows) with the root user on a Un*x system, which is apples to oranges. The root user on Un*x is more properly compared to the LocalSystem account on Windows. The key difference is that the LocalSystem account never has a password so you can never log in as LocalSystem. However, many Un*x systems (e.g. Mac OS X) also have root accounts that don't have a password (and thus you cannot log in as root) or at least disallow remote root logins, giving them similar levels of account protection.

      In fact, the restrictions on the default administrator account on Windows are weaker than those given to administrator accounts on Mac OS X -- a Windows admin can write to \Windows\System32 without elevated privileges, which pretty much means game over if the attacker can get the admin to execute a script (e.g. through a browser flaw) that puts DLL's into the directory. In contrast, a Mac OS X admin needs to authenticate and temporarily gain elevated privileges to write to the equivalent location, /System/Library. Even if an attacker fools a Mac OS X admin into running a script, there is still the need to authenticate, which gives the admin a chance to halt the attack.

      --Paul

    3. Re:From TFA by drsmithy · · Score: 4, Insightful
      The root user on Un*x is more properly compared to the LocalSystem account on Windows.

      There is no real comparison, because the security models are fundamentally different.

      In unix, if you're root, you can do anything. "Security" checks basically start with an "if (UID != 0)".

      In Windows, all accounts are subject to ACLs. Some accounts have more generous ACLs than others, but there is no equivalent to the "can do anything"-ness of a unix root account.

      In fact, the restrictions on the default administrator account on Windows are weaker than those given to administrator accounts on Mac OS X -- a Windows admin can write to \Windows\System32 without elevated privileges, which pretty much means game over if the attacker can get the admin to execute a script (e.g. through a browser flaw) that puts DLL's into the directory. In contrast, a Mac OS X admin needs to authenticate and temporarily gain elevated privileges to write to the equivalent location, /System/Library.

      This comparison is flawed. An "Administrator" account in OS X is a completely different thing to an "Administrator" account in Windows - not only in concept, but also in execution. An OS X admin account is more properly compared to a "Power User" in Windows - but even then the two are still very different due to the different security models. An OS X "admin" account is simply one that can sudo to root - thus giving it complete control over the entire machine, with no further permissions checks performed at all. Since Windows has no equivalent of root, it has no equivalent to an OS X "Administrator" user. A "Power User" is similar in purpose (limited administrative abilities, but can't destroy the machine wantonly), but very different in execution.
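
The exchange above (NutscrapeSucks, plsuh, drsmithy) turns on two different access-check models: a Unix check that short-circuits on uid 0, and a Windows check that walks a DACL for every token, Administrators included, where the only way around a deny ACE is an audited privileged action. The following is an added toy model written for this mirror, not code from any of the posters or from either operating system; the ACE-walk rules (in-order evaluation, deny on any overlapping right, owner implicitly holding WRITE_DAC, empty DACL grants nothing, null DACL grants everything) follow the documented Windows behaviour, while the audit strings, object names and `scenario()` data are constructed.

```python
"""Toy comparison of a Unix superuser check with a Windows-style DACL walk.
Simplified model for illustration only; not the real kernel code of either OS."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

READ, WRITE, WRITE_DAC = "READ", "WRITE", "WRITE_DAC"
TAKE_OWNERSHIP_PRIV = "SeTakeOwnershipPrivilege"   # real Windows privilege name

@dataclass
class Ace:
    kind: str          # "allow" or "deny"
    sid: str           # user or group name standing in for a SID
    rights: Set[str]

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models a null DACL: no protection at all

@dataclass
class Token:
    user: str
    groups: Set[str] = field(default_factory=set)
    privileges: Set[str] = field(default_factory=set)

AUDIT_LOG: List[str] = []   # stand-in for the Security event log

def unix_access(uid: int, mode_bits_allow: bool) -> bool:
    """Classic Unix DAC: uid 0 short-circuits the permission check entirely."""
    if uid == 0:
        return True
    return mode_bits_allow

def windows_access(token: Token, sd: SecurityDescriptor, requested: Set[str]) -> bool:
    """Walk the DACL in order. A deny ACE for one of the token's identities that
    covers any still-outstanding right denies the whole request; allow ACEs
    accumulate rights; an empty DACL grants nothing. The owner implicitly holds
    WRITE_DAC, which is what lets a new owner rewrite the ACL."""
    if sd.dacl is None:
        return True
    remaining = set(requested)
    if token.user == sd.owner:
        remaining.discard(WRITE_DAC)
    identities = {token.user} | token.groups
    for ace in sd.dacl:
        if not remaining:
            break
        if ace.sid not in identities:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
    return not remaining

def take_ownership(token: Token, sd: SecurityDescriptor, obj: str) -> bool:
    """The take-ownership privilege bypasses the DACL for exactly one action,
    and that action leaves an audit record behind."""
    if TAKE_OWNERSHIP_PRIV not in token.privileges:
        return False
    sd.owner = token.user
    AUDIT_LOG.append(f"owner of {obj} set to {token.user} by {token.user}")
    return True

def replace_dacl(token: Token, sd: SecurityDescriptor, obj: str, dacl: List[Ace]) -> bool:
    """Changing the ACL itself needs WRITE_DAC and is also audited."""
    if not windows_access(token, sd, {WRITE_DAC}):
        return False
    sd.dacl = dacl
    AUDIT_LOG.append(f"DACL of {obj} rewritten by {token.user}")
    return True

def scenario() -> Dict:
    """An administrator is denied a file by an explicit deny ACE, then regains
    access the only way the model allows: seize ownership, rewrite the DACL,
    leaving two audit records. Root on Unix needs none of that."""
    AUDIT_LOG.clear()
    sd = SecurityDescriptor(owner="alice", dacl=[          # constructed data
        Ace("deny", "Administrators", {READ, WRITE}),
        Ace("allow", "alice", {READ, WRITE}),
    ])
    bob = Token("bob", groups={"Administrators"}, privileges={TAKE_OWNERSHIP_PRIV})
    result = {
        "root_reads_anyway": unix_access(0, mode_bits_allow=False),
        "admin_read_before": windows_access(bob, sd, {READ}),
        "admin_edit_acl_before": windows_access(bob, sd, {WRITE_DAC}),
    }
    take_ownership(bob, sd, "secret.txt")
    replace_dacl(bob, sd, "secret.txt", [Ace("allow", "Administrators", {READ})])
    result["admin_read_after"] = windows_access(bob, sd, {READ})
    result["audit_events"] = list(AUDIT_LOG)
    return result

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model makes drsmithy's point concrete: `bob` is an administrator, yet the deny ACE stops him cold, and the two steps that get him in (`take_ownership`, `replace_dacl`) are exactly the two audit records NutscrapeSucks describes. It also shows why ACE order matters: an allow ACE placed before a deny ACE wins, which is why Windows tools keep DACLs in canonical deny-first order.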

  8. trusted != secure by evenprime · · Score: 4, Informative
    Pay attention to what the linked wikipedia story says:
    Higher EAL levels do not necessarily imply "better security", they only mean that the claimed security assurance of the TOE has been more extensively validated.

    This just means that it does what they claim. I'd be more interested in seeing what the security claims were....

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  9. Does this actually mean anything? by Anonymous Coward · · Score: 5, Insightful

    Does this certification actually mean anything, or is this just yet another Microsoft maneuver to be able to tell a government/corporate entity "See, we meet specification XXX that you demand software that you use have."

    Microsoft did this with POSIX support for Windows NT; NT's Posix is next-to-useless (they don't have fork(), for example) but Microsoft got it so that they could tell the relevant people "See, NT is posix-aware."

    Another example: Internet Explorer for Solaris. Probably one of the most horrible browsers out there; Microsoft only did it so companies that said "We standardize on one browser for all users" could standardize on IE. Microsoft had no real intention of supporting Solaris.

    In fact, I will go so far to say that Microsoft's proposed "open document format" doesn't exist because Microsoft has any intention of opening up their format, but so that Microsoft can meet Massachusetts' requirement to have an "open" format. This is why Massachusetts should continue to tell Microsoft that they will not use Office Vista until it supports the Open Document standard.

    So that this doesn't sound like a typical anti-Microsoft post, I will say that Microsoft products are far easier to learn than the Linux equivalents, and that Microsoft made some beautiful fonts that blow away anything for Linux.

  10. What does EAL4 mean? by danFL-NERaves · · Score: 5, Informative

    Copied verbatim from the Common Criteria v2.1 specification. I can't make heads nor tails of it:

    Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed

    Objectives

    EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line.

    EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

    Assurance components

    EAL4 (see Table 6.5) provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.

    The analysis is supported by independent testing of the TOE security functions, evidence of developer testing based on the functional specification and high-level design, selective independent confirmation of the developer test results, strength of function analysis, evidence of a developer search for vulnerabilities, and an independent vulnerability analysis demonstrating resistance to penetration attackers with a low attack potential.

    EAL4 also provides assurance through the use of development environment controls and additional TOE configuration management including automation, and evidence of secure delivery procedures.

    This EAL represents a meaningful increase in assurance from EAL3 by requiring more design description, a subset of the implementation, and improved mechanisms and/or procedures that provide confidence that the TOE will not be tampered with during development or delivery.

    Assurance class
            Assurance components
    Class ACM: Configuration management
            ACM_AUT.1 Partial CM automation
            ACM_CAP.4 Generation support and acceptance procedures
            ACM_SCP.2 Problem tracking CM coverage
    Class ADO: Delivery and operation
            ADO_DEL.2 Detection of modification
            ADO_IGS.1 Installation, generation, and start-up procedures
    Class ADV: Development
            ADV_FSP.2 Fully defined external interfaces
            ADV_HLD.2 Security enforcing high-level design
            ADV_IMP.1 Subset of the implementation of the TSF
            ADV_LLD.1 Descriptive low-level design
            ADV_RCR.1 Informal correspondence demonstration
            ADV_SPM.1 Informal TOE security policy model
    Class AGD: Guidance documents
            AGD_ADM.1 Administrator guidance
            AGD_USR.1 User guidance
    Class ALC: Life cycle support
            ALC_DVS.1 Identification of security measures
            ALC_LCD.1 Developer defined life-cycle model
            ALC_TAT.1 Well-defined development tools
    Class ATE: Tests
            ATE_COV.2 Analysis of coverage
            ATE_DPT.1 Testing: high-level design
            ATE_FUN.1 Functional testing
            ATE_IND.2 Independent testing - sample
    Class AVA: Vulnerability assessment
            AVA_MSU.2 Validation of analysis
            AVA_SOF.1 Strength of TOE security function evaluation
            AVA_VLA.2 Independent vulnerability analysis

  11. Soon to hit news stands by Kamiza+Ikioi · · Score: 5, Funny

    "This just in: Businesses and Government IT Professionals quickly abandon Common Criteria security certification as a security standard of any useful purpose."

    From Wikipedia on a previous certification: "The fact that Microsoft Windows 2000 remains an ISO 15408 certified product, without including the application of any Microsoft security vulnerability patches in its evaluated configuration, shows both the limitation and strength of an evaluated configuration."

    I believe that it also shows the limitation and inherent weakness of this criteria as a "security" certification or a confidence booster for consumers. Unless, of course, anyone here reasonably believes that any completely unpatched version of Windows is secure by any stretch of the imagination. I read about a machine like that once that never needed patching... it was unplugged from the net, stripped of all peripherals, dipped in molten lead, and buried inside 10m^3 of concrete and dropped into the middle of the ocean, thus becoming the most secure PC ever. I think it ran FreeBSD, too.

    --
    I8-D
  12. Take long? by StikyPad · · Score: 5, Funny

    Well, it only took 4 years to finally certify XP. Although I guess that's not bad when you consider that in another 4 years they'll have Vista to start evaluating.

  13. CCS = Entry Level certification; CCS profiles need by dananderson · · Score: 4, Informative
    The Common Criteria Security (CCS) Certification is good, but not great. It's equivalent to Entry-level certification. Yes, it's the highest Entry-level certification, but other Operating Systems, such as Linux, Solaris, and other UNIX flavors have long had it.

    What's important is CCS Profiles, which allow one to tune the OS to the security level you need ("one size does not fit all"). AFAIK, MS Windows does not have profiles.

    That said, it's great that Microsoft is starting to get serious about security.

  14. Mac OS X 10.3.6 is Common Criteria certified by DrZiplok · · Score: 5, Informative
  15. EAL means nothing without PP (they've got one!) by McMuffin+Man · · Score: 5, Informative

    For those of you who haven't done Common Criteria, a few clarifications:

    EAL stands for "Evaluation Assurance Level". Your EAL level describes the degree to which you demonstrated your claims. It says almost nothing about what those claims are. It's an exaggeration to say you could get EAL 4 on a brick by claiming that it would stay put when you dropped it, but not a big one.

    The claims are contained in your Security Target (ST), which is a series of claims about the Target of Evaluation (ToE). Your ST doesn't necessarily have to include many claims relevant to good security, and your ToE can exclude many subsystems and capabilities of the system being certified. To use a pre-CC example, Windows NT got an Orange Book certification by specifying that the certified system could not be connected to a network.

    If you want to adhere to a standard that tries to verify that your ToE includes capabilities that make your device useful and that your ST makes claims which really mean something about the security properties of the device, you demonstrate compliance with a published Protection Profile (PP). In the US, there are a series of PP's published. These PP's describe relevant capabilities and security properties for systems used in various roles (for example, a traffic filter firewall for low risk environments).

    Without a PP, the only way to know what that EAL 4+ actually means is to closely read the ToE and the ST to figure out just how thin they sliced the salami.

    Having said all that, a tiny bit of research confirms that Microsoft actually certified these systems against the Controlled Access PP. This is a basic robustness standard (by comparison, Red Hat Linux 5 is also certified against the Labeled Security PP and the Role Based Access Control PP, which assert more robust security capabilities), but it's quite a bit more than nothing, and quite a bit more than many companies do to get their "we do Common Criteria" marketing claim.

    Color me impressed.

  16. The "common criteria" are very weak by Animats · · Score: 5, Informative
    NSA originally had the Orange Book security standards, which ranged from class C1 (Discretionary access protection, i.e. standard UNIX), up to class A1 (formally verified mandatory protection). These were serious security standards, issued in 1985. Compliance was tough, and testing was by NSA. But a few systems passed testing. Trusted Xenix made it to level B2. The WANG SCOMP, a special-purpose secure machine, made it to level A1 in 1984. That was the high water mark of operating system security.

    Vendors hated this process. First, the vendors didn't control the test process - the National Security Agency's Central Security Service did. NSA's policy back then was that you got two tries to pass validation. On the first try, the vendor was told of problems found, and given a chance to fix them. The second try was strictly pass/fail, and might include tests that the vendor had never seen. So it was quite possible, and common, for products to flunk and be cut out of procurements.

    The Common Criteria process, on the other hand, is conducted by third party labs paid by the vendor. So they're very "responsive" to the vendor.

    The "Common Criteria" are comparable to the class C Orange Book standards. They're very weak. There was heavy lobbying by the computer industry to water down the Orange Book standards, and that lobbying was successful.

    The evaluation report for Windows XP is online. It's worth reading, even though it's long.

  17. Re:Infinite recursion? by toadlife · · Score: 4, Insightful

    When you clear the security log in windows, the log is cleared and then an entry is put in that says you cleared the log. You can clear the log a million times over and there will always be one entry at the beginning saying that "you cleared the log".

    You can't delete the logs....okay, well you *can* (I think), by stopping...err, KILLING....the event log service, but another policy can be put into place that causes the system to shut down immediately if the system is unable to log security events. You could change the policy, but then that would generate a log entry too, and you would have to kill the event log service and then delete the log to get rid of that, which would clear all of the other events too.....

    In situations where security is paramount, a third party in your organization will be auditing the security logs and if you cleared them to cover something up, a large chunk of time would be missing from the logs. This would raise red flags.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
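
toadlife's comment describes three things an auditor looks for in a Windows Security log: a "log cleared" entry sitting at the very top, audit-policy changes, and an unexplained stretch of time with no records. The following is an added example written for this mirror, not code from the poster or from Microsoft; it runs the three checks over a constructed sample export. The pipe-separated layout is an assumption for the example, not a real export format, while the event ids are the legacy Windows 2000/XP/2003 Security-log ids (517 "The audit log was cleared", 612 "Audit policy change", 528/538/560 for logon, logoff and object open) with their Vista-and-later equivalents (1102, 4719) accepted alongside them.

```python
"""Checks a defender would run over a Windows Security log export: was the log
cleared (and is that entry the first record, as toadlife notes it always is),
was the audit policy changed, and are there suspicious gaps in time."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample export, "<timestamp>|<event id>|<user>|<message>" (assumed layout).
SAMPLE_LOG = """\
2005-12-14 08:00:00|517|bob|The audit log was cleared
2005-12-14 08:00:05|528|alice|Successful Logon
2005-12-14 08:01:10|560|alice|Object Open: C:\\payroll\\q4.xls
2005-12-14 08:02:00|538|alice|User Logoff
2005-12-14 13:30:00|528|bob|Successful Logon
2005-12-14 13:30:30|612|bob|Audit Policy Change
"""

LOG_CLEARED_IDS = {517, 1102}      # 517: Win2000/XP/2003; 1102: Vista and later
POLICY_CHANGE_IDS = {612, 4719}    # 612: legacy audit policy change; 4719: later id

def parse_records(text: str) -> List[Dict]:
    """Turn the pipe-separated export into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, msg = line.split("|", 3)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "user": user,
            "message": msg,
        })
    return records

def find_gaps(records: List[Dict], max_gap_seconds: int) -> List[Tuple[datetime, datetime, int]]:
    """Report consecutive records further apart than max_gap_seconds.
    A busy system with a multi-hour hole in its Security log is the 'large
    chunk of time missing' that an auditor treats as a red flag."""
    gaps = []
    ordered = sorted(records, key=lambda r: r["time"])
    for prev, cur in zip(ordered, ordered[1:]):
        seconds = int((cur["time"] - prev["time"]).total_seconds())
        if seconds > max_gap_seconds:
            gaps.append((prev["time"], cur["time"], seconds))
    return gaps

def audit_report(text: str, max_gap_seconds: int = 3600) -> Dict:
    """Run all three checks and return the findings rather than printing them."""
    records = parse_records(text)
    cleared = [r for r in records if r["event_id"] in LOG_CLEARED_IDS]
    return {
        "record_count": len(records),
        "log_cleared": cleared,
        "cleared_is_first_record": bool(records) and records[0]["event_id"] in LOG_CLEARED_IDS,
        "policy_changes": [r for r in records if r["event_id"] in POLICY_CHANGE_IDS],
        "gaps": find_gaps(records, max_gap_seconds),
    }

if __name__ == "__main__":
    report = audit_report(SAMPLE_LOG)
    print(f"{report['record_count']} records")
    for r in report["log_cleared"]:
        print(f"log cleared at {r['time']} by {r['user']} (first record: {report['cleared_is_first_record']})")
    for r in report["policy_changes"]:
        print(f"audit policy changed at {r['time']} by {r['user']}")
    for start, end, seconds in report["gaps"]:
        print(f"gap of {seconds}s between {start} and {end}")
```

On the sample, the report flags the clear event at the head of the log, one policy change, and a gap of almost five and a half hours between the morning logoff and the afternoon logon. The gap threshold is deliberately a parameter: what counts as suspicious silence depends on how chatty the machine normally is, so in practice it is tuned per host class rather than fixed.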