Microsoft Windows and the Common Criteria Certification Part I
Sponsored by: Techgenix Ltd.
Published: Jun 17, 2004
Updated: Jul 20, 2004
Section: Articles :: Misc Network Security
Author: Robert J. Shimonski
In today’s computer networks, it is important to concern yourself with a level of security detail beyond how to ‘harden a system’ by killing unneeded services or adding yet another service pack or hotfix to your system(s). In this article set, we will explore Common Criteria Certification: what it is and what it means.
You may have heard of this before. You may have heard something like: the Windows 2000 operating system has achieved Common Criteria certification at Evaluation Assurance Level 4 (EAL-4). The question is, do you know what this means, and what it means to your organization or in the world of security? In this article we will explain what the Common Criteria Certification is, what the EAL levels are and why they are important, and broaden your horizons in yet another area of systems security. In Part II of this article set we will look at how it directly relates to the Windows product lines (XP, 2000, 2003) and why it’s important to know and understand.
What is the Common Criteria Certification?
As Security Analysts, we are always compelled to produce only high quality code (if we are coders), or highly secured networks that still function in a business environment. If you think about it, all infrastructure devices run some form of ‘code’, so basically, it’s important to produce high quality code. Why did I not say ‘highly secure’ code? Well, if code were of high quality (going through a strict QA, or quality assurance, process) then we would not have ‘exploits’ of that code on a daily basis. Writing high quality code is really what stops 90% of the flaws in computer systems and the holes which tons of viruses exploit yearly. In turn, since everything revolves around ‘money’, it’s imperative to be ‘first to market’. So there you have it: a catch-22. The Common Criteria Certification (much like ICSA Labs for most firewall products today) is a certification earned to ‘prove’ that a product such as Microsoft Windows 2000 is ‘certifiably’ tested and proven safe at a certain level. Scarily enough, many products miss this certification for not passing its standards. The standards, if you will, are the EAL levels, which we will discuss later in this article.
Remember, security starts with solid software programming and good quality code. Then, the ‘testing’ of that code is what implies its safety. As well, once you create good quality software, you have to be aware that it needs to continue to be evaluated to maintain that status, which means that it’s important to have a support system in place to ‘fix’ what becomes broken through trial and error. That means Joe is sitting at home and has installed some weird 16-bit program that wasn’t tested by the vendor selling the software, and voilà: a security vulnerability is born for whatever reason. That reason could be that it overwrote something and that created a problem. The software vendor now needs to follow up on the problem and, if it is widespread enough, create a ‘hotfix’ to solve it. All this means is that the software vendor probably replaced a few program files with newer versions that aren’t exploitable by that last problem, whatever it may be. Not to sound ridiculous here, but this is really the root of what this certification means. To keep selling code, it’s probably wise to show the world that it has been rigorously tested and proven safe by a third party not directly tied to the pocketbooks of the software vendor company. Thus, Common Criteria Certification is born.
Is Windows Server 2003 certified? Well, no. Since this is a ‘Windows’ security site, I will say here and now that Windows 2000 has been certified by the Common Criteria Certification. It is a fact that Windows Server 2003 has not yet been certified, but that is not because it doesn’t rate the certification or has failed it by any means; the certification process takes years and it hasn’t been completed as of yet. I have placed a link at the end of this article to the page on Microsoft.com that shows this information. Eventually it will complete testing (which sometimes lasts years as it is so rigorous) and be certified as well.
Now that you have a clear picture of why this certification exists, let’s get to the technical mumbo-jumbo. The Common Criteria is an international standard ratified in 1999. This standard now replaces an older standard which, if you remember from your NT 4.0 days, is C2.
What is C2? ‘C2’ is a rating given by the NCSC. The National Computer Security Center (or NCSC) evaluates products against the DoD (Department of Defense) TCSEC, which stands for ‘Trusted Computer System Evaluation Criteria’. The C2 rating is found in the Orange Book (so named because it has an orange cover). The C2 rating is much like the Common Criteria Certification: it’s a set of testable standards that a product needs to be verified against to prove its worth. C2 was the old way; Common Criteria Certification is the new way.
It should be noted that the Orange Book evaluates standalone systems only; it does not evaluate client-to-server security. The Red Book extends coverage to networked systems, not just standalone systems.
Since the Common Criteria is multinational, worldwide use of a certified product should equal more safety and more security for the customers using the product. This doesn’t mean that if you have the software incorrectly configured it’s the vendor’s problem; that’s your problem. If you were completely unable to stop something because your product was defective, then it’s the vendor’s problem.
Now that we understand the Common Criteria, let’s look at the EAL levels. The Common Criteria specify a series of Evaluation Assurance Levels (EALs) for products that are under evaluation, such as Windows Server 2003.
Understanding EAL Levels
With the Common Criteria, EAL levels are quite simply used to show ‘strength’.
A higher EAL certification ultimately specifies a higher level of confidence that a vendor’s products are working well and are able to be secure. Not a small task these days.
Windows 2000 is certified. As I mentioned before, Windows 2000 achieved the certification. Testing for Microsoft Windows 2000 was completed not too long ago, and the product was awarded EAL 4 + Flaw Remediation. This assures that you are getting a well tested product.
EALs (or Evaluation Assurance Levels) are just that: levels that must be achieved by the product under evaluation. The EALs are based on a very simple thought: the degree of flexibility and use of a system, as well as the level of security assurance provided with that level of use. The ‘EAL’ is the definition of how that particular system was tested. This is a great thing, a product that works as advertised: flexible and secure.
You have seven EALs. EAL 1 is the lowest, EAL 7 is the highest. You can check current levels and listings at the sites provided at the end of this article. The level defines the level of assurance.
Evaluation Assurance Levels
EAL 1 covers the lowest and most basic of certifiable evaluation assurance. This rating, surprisingly enough, only covers the ‘functionality’ of a product, not necessarily its security. As a matter of fact, this EAL rating means that the system will work in a production environment (it’s functional), but no security is tested on the system to achieve an EAL 1 rating.
EAL 2 covers the next step in the rating system. Remember, the higher the rating, the more secure the system. It’s important to understand that this rating only implies that the code was reviewed by a looser set of standards than you would see in the next level, EAL 3. Basically, with EAL 2, security mechanisms are now checked, but moderately. This means that the code is checked but not as strictly as in level 3.
EAL 3 becomes more strict, but again, no re-engineering of the code is done and the development process is not interrupted. EAL 3 can be achieved, but it’s still loose, not like level 4, where costs are now involved to ‘fix’ what needs to be fixed to achieve a higher, more stringent rating.
EAL 4 (Windows 2000, NetWare, some Unix deployments) is the most common EAL level you will likely see. This is because it’s the first level that proves out that a system is safe, as the vendor was willing to ‘fix’ problems in the development process of the product to achieve this rating. EAL 4 incurs cost to the vendor; re-engineering is possible if flaws are found.
EAL 5 is a higher level than four. It is not moderate at all; it’s a very strict process. EAL 5 would not be needed (the cost is higher, the time spent longer) to prove out what EAL 4 could.
EAL 6 is different in that it applies specifically to clients requesting it who are in very high risk situations that would warrant the additional time and costs of the certification. EAL 6 means that the system’s development is based on security: the system must be secure.
EAL 7 is only used in extremely high risk systems that cannot be exploitable. Again, the time spent is longer and the cost of the assurance higher. The use of this level is limited to very specific systems with very specific security functionality.
Note: Another set of levels from the ITSEC can be found at the end of this article.
Summary:
In this article we covered why you should know and understand the Common Criteria Certification and how it directly reflects against Windows products. In Part II, we will cover the Windows 2000 certification and other Microsoft products that have been certified, and why it’s important to you, the Security Analyst.
References and Links:
Microsoft.com site common criteria: http://www.microsoft.com/presspass/features/2003/apr03/04-14WS03Security.asp
Common Criteria Websites
UK: http://www.cesg.gov.uk
US: http://niap.nist.gov
Common Criteria Scheme: http://niap.nist.gov/cc-scheme/
EAL Levels: http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=13
ITSEC Levels: http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=12
WindowsSecurity.com is in no way affiliated with Microsoft Corp. *Links are sponsored by advertisers.
Copyright © 2008 TechGenix Ltd.
All rights reserved.