How to get certified security for Win2k, by Microsoft
Lock up your network, no secondary boot devices, stay away from the Net, no mad admins, etc...
Windows users whose spirits lifted at this week's announcement of Common Criteria certification* for Microsoft's Windows 2000 would do well to take a look at some of the assumptions and restrictions associated with the tested system. While perhaps not as extreme as when NT passed Orange book certification so long as it wasn't connected to a network, these do seem just a little restrictive and artificial.
Not, of course, that it's much different for any other manufacturer's products - security certifications are all very well, but tend to become of doubtful value as soon as the real world starts creeping in.
You can find various assumptions about the Common Criteria test system listed here, and indeed if you rattle around the general vicinity on TechNet you'll find lots of information about putting together your own test system, and - more usefully - sensible advice for securing your systems in the real world. Here though we have a description of an "evaluated configuration," consisting of a TOE (Target of Evaluation) which "includes a homogenous set of Windows 2000 systems that can be connected via their network interfaces and may be organized into domains." OK?
Now, if you tear down to 3.3, Connectivity Assumptions, you'll see these include "all connections to peripheral devices reside within the controlled access facilities" and "any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems."
In the first case therefore we're talking about the physical location of the system being secure, while the second has a number of implications. The "same management control" and "same security policy constraints" mean that anything the TOE communicates with has to be, effectively, part of the TOE or the certification doesn't apply. Lob in other operating systems (even Microsoft ones, never mind Linux, and there's goes any dream you had of Common Criteria security. As for: "There are no security requirements that address the need to trust external systems or the communications links to such systems," we think that boils down to 'anything outside of the TOE is the Badlands.'
Section 3.4 is pretty self-explanatory, no crazy and/or embittered staff allowed (we rather like A.NO_EVIL_ADM though) while 3.5 requires padlock on processors, security hardware and security software. "The hardware protects the TSF in ensuring that only the TSF can be started" means no boot floppies, and these days no ability to boot CDs either.
The security professional who drew our attention to this wishes to remain anonymous (thanks anyway, masked man), but comments: "So maybe not quite as restricted as the original Windows NT non-networked certification, but still a far cry from most installations. Microsoft/SAIC [ Science Applications International Corp, the testing outfit] appear to have embraced and extended the CAPP profiles - I think in an honest fashion, though picking a few extra policies (on top of CAPP) may make it harder for the competition to do a like-for-like comparison. There are other profiles, though - COTS and CSPP are also appropriate." ®
* We have had numerous explanations as to why Solaris 8 is both certified and in the process of certification. Thanks all of you, but here's the one from Jane Medefesser, Senior Manager, Solaris Security Evaluations, who can presumably be deemed to know about this stuff:
"Solaris 8 FCS (First Customer Ship) passed Common Criteria Certification in November 2000, as you stated in your article. The Solaris 8 which is pending certification is an update release to the FCS version. The update release contains hardware features not present in our FCS version that were not covered in the original security target. These hardware features support our midrange and high end servers, which again, were not released at the time Solaris 8 FCS was released.
"New functionality to an evaluated scheme cannot always be grandfathered into the old certificate, therefore a new evaluation must be performed. Microsoft will find this out as time goes on, if a new Intel platform is introduced that allows users to do new and fantastic things never before possible. At that time, the new hardware will not be considered 'secure' under Common Criteria unless it goes through another evaluation."