[ISN] Windows 2000 gains government-based security certification

From: InfoSec News (isnat_private)
Date: Tue Oct 29 2002 - 22:57:50 PST


    By John Fontana
    Network World Fusion, 10/29/02
    After a nearly three-year process, Microsoft said Tuesday that its
    Windows 2000 operating system has been certified as secure through an
    evaluation process that was developed through the cooperative efforts
    of 15 national governments worldwide.
    The certification means Windows 2000 with Service Pack 3 can be used
    as part of sensitive government security systems without buyers having
    to get special waivers from the National Security Agency or pass
    additional testing. Those security systems would be handling sensitive
    or classified data at government agencies including the Department of
    Defense and civilian contractors.
    The certification does not mean the software is now bulletproof, but
    means the testing has confirmed the code is working as advertised.
    Microsoft admitted that the certification has no direct implications
    for non-government users beyond the awareness that the software has
    passed the test. But the company says that fact is confirmation that
    the vendor has been working hard on security even before it announced
    its Trustworthy Computing initiative in January.
    "This is a demonstration that many aspects of the things that lead to
    trust, security being a notable one, are things that we have been paying
    attention to for some period of time," said Microsoft CTO Craig
    Mundie, during a news conference to announce the certification. "For
    people who have concerns on an ongoing basis about our level of
    investment or focus on these questions about all the things that
    ultimately lead to security in computer systems, this is pretty strong
    testimony to the level of effort we have been applying."
    The security certification is defined by the Common Criteria for
    Information Technology Security Evaluation (CCITSE), which is known in
    government circles as Common Criteria certification. The CC
    certification is a globally recognized ISO standard (ISO/IEC 15408)
    for evaluating security features in computer software.
    Nearly 75 products have passed the CC evaluation. SGI in June of this
    year had its Trusted IRIX 6.5 and its standard IRIX 6.5 operating
    system certified. Sun has had two versions of its operating system CC
    certified. Solaris 8 was certified, as was a "trusted" version with
    strong access control, security labels and software
    compartmentalization. Oracle has had versions 7, 8, and 8i of its
    database evaluated and certified.
    Those products along with Windows 2000 received an Evaluation
    Assurance Level 4 (EAL4), which is described as "the highest level at
    which it is likely to be economically feasible to retrofit to an
    existing application." As part of the evaluation, source code is
    examined and the vendor has to be prepared to "incur additional
    security-specific engineering."
    EAL4 is the highest CC certification level doled out for the 75
    products tested to date, and is the highest level that's recognized by
    all CC country signatories. Above that, vendors are likely to see
    specific demands from individual countries.
    Although complex to decipher, the EAL scheme basically says EAL1 is
    appropriate when requirements for security are "not serious." EAL2 ups
    the ante in asking the product developer for design information and
    testing "consistent with good commercial practice." At EAL3, the
    product is going to be "methodically tested and checked" in a
    CC-accredited lab in a search "for obvious vulnerabilities."
    Mundie said the certification process cost Microsoft "many millions of
    dollars," but would not disclose a specific amount. Other companies
    have reported similar costs. The independent evaluation was performed
    by Science Applications International Corp.'s (SAIC's) Common Criteria
    testing lab, which is one of two dozen certified and accredited to
    perform the testing.
    Windows 2000 is the first Microsoft product to be CC certified. Mundie
    said Windows XP and Windows .Net Server would also be put through the
    certification process. He said SQL Server, which is currently
    certified as C2 under the government’s Orange Book system, is not
    currently slated to be submitted for CC evaluation.
    Microsoft also went a step further, including certification of a
    number of services within the operating system including multi-master
    directory services, L2TP/IPSec-based virtual private networking, and
    single sign-on.
    To supplement the CC certification, Microsoft will introduce resource
    materials and tools to provide guidance in the deployment and
    operation of Windows 2000 in secure network environments.
    The company also received the highest level of Systematic Flaw
    Remediation certification for Windows 2000 as issued by the National
    Information Assurance Partnership (NIAP). The certification means that
    the Microsoft Security Response Center (MSRC) meets the requirements
    for tracking and fixing problems with the software.
    Microsoft officials say no other company has certified a procedure for
    ongoing software maintenance.
    As an international movement, CC has expanded since it began as a
    collaborative effort by five countries in 1996. Today, 15 nations
    formally recognize Common Criteria.
    In the U.S., the mandate to buy CC-evaluated products stems from a
    directive issued two years ago by the National Security Agency (NSA).  
    The directive, called National Security Telecommunications and
    Information Systems Security Policy No. 11 (NSTISSP No. 11), primarily affects
    buying habits in the Department of Defense. But civilian agencies and
    outside government contractors that process sensitive government data
    also need to comply.
    In July, NSA ordered that all new national security systems have to
    run operating systems, applications, firewalls and other security
    equipment that have passed the stringent testing spelled out in Common

    This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 01:40:38 PST