Windows 2000 gains government-based security certification

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2002/1029mscert.html

By John Fontana
Network World Fusion, 10/29/02

After a nearly three-year process, Microsoft said Tuesday that its
Windows 2000 operating system has been certified as secure through an
evaluation process that was developed through the cooperative efforts
of 15 national governments worldwide.

The certification means Windows 2000 with Service Pack 3 can be used
as part of sensitive government security systems without buyers having
to get special waivers from the National Security Agency or pass
additional testing. Those security systems would be handling sensitive
or classified data at government agencies including the Department of
Defense and civilian contractors.

The certification does not mean the software is now bulletproof, but
means the testing has confirmed the code is working as advertised.

Microsoft admitted that the certification has no direct implications
for non-government users beyond the awareness that the software has
passed the test. But the company says that fact is confirmation that
the vendor has been working hard on security even before it announced
its Trustworthy Computing initiative in January.

"This is a demonstration that many aspects of the things that lead to
trust, security being a notable one, are things that we have paying
attention to for some period of time," said Microsoft CTO Craig
Mundie, during a news conference to announce the certification. "For
people who have concerns on an ongoing basis about our level of
investment or focus on these questions about all the things that
ultimately lead to security in computer systems, this is pretty strong
testimony to the level of effort we have been applying."

The security certification is defined by the Common Criteria for
Information Technology Security Evaluation (CCITSE), which is known in
government circles as Common Criteria certification. The CC
certification is a globally recognized ISO standard for evaluating
security features in computer software.

Nearly 75 products have passed the CC evaluation. SGI in June of this
year had its Trusted IREX 6.5 and its standard IREX 6.5 operating
system certified. Sun has had two versions of its operating system CC
certified. Solaris 8 was certified, as was a "trusted" version with
strong access control, security labels and software
compartmentalization. Oracle has had versions 7, 8, and 8i of its
database evaluated and certified.

Those products along with Windows 2000 received an Evaluation
Assurance Level 4 (EAL4), which is described as "the highest level at
which it is likely to be economically feasible to retrofit to an
existing application." As part of the evaluation, source code is
examined and the vendor has to be prepared to "incur additional
security-specific engineering."

EAL4 is the highest CC certification level doled out for the 75
products tested to date, and is the highest level that's recognized by
all CC country signatories. Above that, vendors are likely to see
specific demands from individual countries.

Although complex to decipher, the EAL scheme basically says EAL1 is
appropriate when requirements for security are "not serious." EAL2 ups
the ante in asking the product developer for design information and
testing "consistent with good commercial practice." At EAL3, the
product is going to be "methodically tested and checked" in a
CC-accredited lab in a search "for obvious vulnerabilities."

Mundie said the certification process cost Microsoft "many millons of
dollars," but would not disclose a specific amount. Other companies
have reported similar costs.  The independent evaluation was performed
by the Science Applications International's (SAIC's) Common Criteria
testing lab, which is one of two-dozen certified and accredited to
perform the testing.

Windows 2000 is the first Microsoft product to be CC certified. Mundie
said Windows XP and Windows .Net Server would also be put through the
certification process. He said SQL Server, which is currently
certified as C2 under the government’s Orange Book system, is not
currently slated to be submitted for CC evaluation.

Microsoft also went a step further, including certification of a
number of services within the operating system including multi-master
directory services, L2TP/IPSec-based virtual private networking, and
single sign-on.

To supplement the CC certification, Microsoft will introduce resource
materials and tools to provide guidance in the deployment and
operation of Windows 2000 in secure network environments.

The company also received the highest level of Systematic Flaw
Remediation certification for Window 2000 as issued by the National
Information Assurance Partnership (NIAP). The certification means that
the Microsoft Security Response Center (MSRC) meets the requirements
for tracking and fixing problems with the software.

Microsoft officials say no other company has certified a procedure for
ongoing software maintenance.

As an international movement, CC has expanded since it began as a
collaborative effort by five countries in 1996. Today, 15 nations
formally recognize Common Criteria.

In the U.S., the mandate to buy CC-evaluated products stems from a
directive issued two years ago by the National Security Agency (NSA).  
The directive called The National Security Telecommunications
Information Systems Policy No. 11 (NSTISP#11), primarily affects
buying habits in the Department of Defense. But civilian agencies and
outside government contractors that process sensitive government data
also need to comply.

In July, NSA ordered that all new national security systems have to
run operating systems, applications, firewalls and other security
equipment that have passed the stringent testing spelled out in Common
Criteria.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.