The Register, 2002-10-31
Windows users whose spirits lifted at this week's announcement of Common Criteria certification* for Microsoft's Windows 2000 would do well to take a look at some of the assumptions and restrictions associated with the tested system. While perhaps not as extreme as when NT passed Orange Book certification on condition that it wasn't connected to a network, these do seem just a little restrictive and artificial. Not, of course, that it's much different for any other manufacturer's products - security certifications are all very well, but they tend to become of doubtful value as soon as the real world starts creeping in.
You can find various assumptions about the Common Criteria test system listed here, and indeed if you rattle around the general vicinity on TechNet you'll find lots of information about putting together your own test system, and - more usefully - sensible advice for securing your systems in the real world. Here though we have a description of an "evaluated configuration," consisting of a TOE (Target of Evaluation) which "includes a homogenous set of Windows 2000 systems that can be connected via their network interfaces and may be organized into domains." OK?
Now, if you tear down to 3.3, Connectivity Assumptions, you'll see these include "all connections to peripheral devices reside within the controlled access facilities" and "any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems."
In the first case, therefore, we're talking about the physical location of the system being secure, while the second has a number of implications. The "same management control" and "same security policy constraints" mean that anything the TOE communicates with has to be, effectively, part of the TOE, or the certification doesn't apply. Lob in other operating systems (even Microsoft ones, never mind Linux) and there goes any dream you had of Common Criteria security. As for "There are no security requirements that address the need to trust external systems or the communications links to such systems," we think that boils down to 'anything outside of the TOE is the Badlands.'
Section 3.4 is pretty self-explanatory: no crazy and/or embittered staff allowed (we rather like A.NO_EVIL_ADM, though), while 3.5 requires, in effect, a padlock on the processors, the security hardware and the security software. "The hardware protects the TSF in ensuring that only the TSF can be started" means no boot floppies, and these days no ability to boot from CD either.
The security professional who drew our attention to this wishes to remain anonymous (thanks anyway, masked man), but comments: "So maybe not quite as restricted as the original Windows NT non-networked certification, but still a far cry from most installations. Microsoft/SAIC [Science Applications International Corp, the testing outfit] appear to have embraced and extended the CAPP profiles - I think in an honest fashion, though picking a few extra policies (on top of CAPP) may make it harder for the competition to do a like-for-like comparison. There are other profiles, though - COTS and CSPP are also appropriate." ®