Thoughts on Recent Microsoft Common Criteria News

Through Slashdot I hunted down this story about certain Microsoft products being awarded Common Criteria (CC) Evaluation Assurance Level (EAL) 4 Augmented with ALC_FLR.3 certification. They include:

  • Microsoft Windows Server™ 2003, Standard Edition (32-bit version) with Service Pack 1

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1

  • Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)

  • Microsoft Windows XP Professional with Service Pack 2

  • Microsoft Windows XP Embedded with Service Pack 2

Achieving this certification is important to Microsoft, because of certain laws:

"[E]ffective 1 July 2002... departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Cryptographic Module Validation Program."

It is important to remember that "EALs refer to the level of confidence in the conclusions of the evaluation, and not to the level of security the product provides. In other words, you can have more confidence that an EAL4 product performs as advertised than an EAL2 product... But an EAL4 product will not necessarily provide more security."

What really matters is the Protection Profile used to evaluate the products. I read that "[t]he Microsoft products were evaluated against the Controlled Access Protection Profile," (CAPP) which is available here (.pdf). Here are a few choice excerpts from the CAPP. Where you see "TOE", think "Microsoft system".

  • The system does not have to defend itself against physical attacks: "The processing resources of the TOE will be located within controlled access facilities which will prevent unauthorized physical access."

  • Sorry, I had to highlight this statement: "There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains."

  • The following implies that the evaluated system should not be a publicly accessible server: "Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. CAPP-conformant TOEs are applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain."

If you continue reading the document, you'll find a great deal of requirements for keeping audit records, authorizing users, vendor-provided documentation, and so forth. This is probably not what people first imagine when they think of "secure" products.

Keep these assumptions in mind when you consider the importance of Microsoft products achieving EAL-4 certification.

Update: You can download the Windows XP / Server 2003 Common Criteria Evaluation Technical Report in .zip format.


Anonymous said…
Haven't we been through this already? Yes, we have.
Sean C said…
On a similar thread..., I know that the Sidewinder firewall also has achieved an EAL4+ rating:

"It recently achieved the highest level of EAL4+ Common Criteria certification possible (far stronger than other vendors' EAL4 ratings)."

The reason I write this is simply in Jan 2006, I start a contract where I'll be supporting Sidewinder Firewalls. I never heard of Sidewinder before but had heard of the EAL rating from my studies for the CISSP (no..., don't want to start a CISSP thread). Just curious if anyone has any comments on the Sidewinder.

Richard - I apologize for going off topic.

Thx, Sean C
Anonymous said…
Common Criteria is a sales tool for IT companies to peddle products and services to Government; nothing more, nothing less. The amazing thing is that most of the products do not reach the CC rating 'out of the box'. For example, if a Government user would like Windows XP Professional SP2 to reach EAL4, it sure isn't set up that way following installation. Normally, many separate runs of 'lockdown', registry tweaks, Security Policy configurations, etc. must be done to even attempt reaching the 'claimed' EAL4. After that, try using it as a Workstation ;-). Good luck if you can do word processing with it.

Sad to see that Government is still setting itself up for failure by limiting itself to 'NIAP Certified' products. More like 'high priced' goods due to the costs associated with getting an 'EAL 4+' certification. Companies have to recoup these costs somehow...usually by charging premium rates later...
Chris Buechler said…
It's good to see "competent individuals assigned to manage" in there. That's the biggest problem with security of any system. As much as *nix fan boys bash MS security, when it comes down to it, a well managed Windows server is just as secure as a well managed *nix server in most cases.

The security of any server, network device, application, etc. is *heavily* reliant upon the competency of its administrator to ensure the system is secure and stays that way.
Anonymous said…

It is also *heavily* reliant on the management of the company that the system resides in.

Management can overrule any administrator's insistence to secure the box properly. Of course the administrator can move on to another job, but the box still isn't secure despite a competent administrator being there.

There needs to be policy and procedure in place to *ALLOW* the administrator to properly secure the box (given the environment).

This may be why we see so many broken-into systems in both the Government and private industry, and the need for such regulations as HIPAA, GLBA, et al.
Anonymous said…
A few comments on a previous post:

Re: (anon) Common Criteria is a sales tool for IT companies to peddle products and services to Government; nothing more, nothing less.

Common Criteria is much more. In addition to being a sales/marketplace discriminator, Common Criteria is an evaluation methodology that can help product vendors improve their SDLC (including design, documentation, testing, etc.).

Moreover, Common Criteria evaluation is a requirement for IA and IA-enabled products sold into the US Federal and Global governments. The US has horizontal policies for procuring only products that meet Common Criteria, and certain agencies have vertical requirements that are more detailed (e.g., requiring adherence to a Protection Profile).

The amazing thing is that most of the products do not reach the CC rating 'out of the box'.

Because of the nature of the CC, it doesn’t necessarily always make sense for a product to be configured for CC out of the box. Of course, it's doable, especially at lower assurance levels. But at higher assurance levels, the CC requires more stringent documentation and assurance measures against the product's functional requirements. The problem is that end users do not always have the same stipulations for functional requirements to be evaluated. Even if the product is shipped in evaluated configuration, the end user will need to configure the product according to their respective systems security policies and postures. Oftentimes this conflicts with the evaluated configuration of the point products, but that's a discussion for another time.

Companies have to recoup these costs somehow...usually by charging premium rates later...

This is not the case. I ran the security assurance program for one of the most active product vendors in the FIPS 140/Common Criteria certifications space, and there is little to no room to add cost-recovery mechanisms to certified products. Why? Well, having certification is the ante to sell certain products to Government. Past that, the potential buyer will look at performance, interoperability, and cost. Product vendors can not and do not typically increase costs to products sold to government to recover certification costs because the market (e.g., a competitor) does not. The cost essentially materializes as the 'cost of doing business'.
