Microsoft Products Get Security Certified
It’s almost like getting the “Good Housekeeping Seal of Approval”
for your product’s security. A
number of Microsoft’s products recently got Common Criteria certification
- Windows Server 2003, Standard Edition (32-bit version) with SP1
- Server 2003, Enterprise Edition (32-bit and 64-bit versions) with SP1
- Server 2003, Datacenter Edition (32-bit and 64-bit versions) with SP1
- Server 2003 Certificate Server, Certificate Issuing and Management Components
(CIMC) (Security Level 3 Protection Profile, Version 1.0)
- Windows XP Pro with SP2
- Windows XP Embedded with SP2
Some earlier versions of those products had already attained CC certification
but without the Service Pack additions. The announcement has mostly flown under
the media radar, but it shouldn’t be casually dismissed as unimportant,
either. What’s significant about CC approval is that it’s independent
of Microsoft. CC is an international consortium of organizations that’s
established a set of common security standards it applies to products, which
are submitted by companies for testing. If the products meet those standards,
it’s awarded the CC certification. At the higher certification levels,
it’s not easy to get. And all products, whether they be from Microsoft,
Oracle, CA and so on, get tested the same way for the same level. No favoritism
A note of caution also applies, however: The certification means only that
a product is securable to a certain standard, *not* that it’s secure out
of the box or in a default configuration. You still have to perform due diligence
to secure the computer in question. Still, it’s nice to know that if you
know what you’re doing, these Microsoft products can be secure. Another
small step in the Trustworthy Computing initiative for Redmond.
The Least of These
Elsewhere on the security front, a couple of Microsoft consultants have been
pushing hard the idea of least-privileged user accounts (LUA).
Malware can do the maximum amount of damage when it gains admin-level privileges
in a system. That applies to the ginormous (five points if you can give
me the reference for that word. Hint: it’s Christmas-related) majority
of Windows users; nearly all of us, and the users on our networks, are local-machine
admins. Keeping the privileges at a lower state, as is the case on Macs, means
less harm can be done, even if an attacker gains user privileges.
to Redmond Report
was originally published in our weekly Redmond Report newsletter.
To subscribe, click here.
This isn’t really the system administrator’s fault; it’s
largely out of necessity, since the majority of Windows programs are written
to require admin-level rights to fully function. The call to do away with this
hideous situation has been heard for years, but hasn’t gained much momentum.
The new idea presented by the Microsoft evangelists is an online clearinghouse
for developers, where they can get training and tools to help them build the
principles of LUA into their code.
This is a sensational idea, and Microsoft may contribute one of the first tools
to the clearinghouse. As esteemed Windows watcher (and new Redmond magazine
Jo Foley reports, “Microsoft is readying a new tool, tentatively named
‘LUA Buglight,’ that will find code bugs that impact compatibility
for non-admin users.” So if you’re writing the next mission-critical
app for your company, and apply the Buglight, it’ll tell you where the
program will break for non-admin-level users.
Let’s hope the clearinghouse idea catches on, and LUA picks up steam,
until developers write it into every Windows-based program. We’ll all
be a lot safer when that happens.
I’m So Glad We Had This Time Together
Finally, let me say how much I’ve enjoyed stepping into Doug’s shoes
this week and writing for Redmond Report. Doug mentioned that the feedback
he gets from readers is his favorite part of doing this newsletter. I can see
what he means. Please don’t hesitate to contact either of us with questions,
concerns, complaints or large cash contributions. I’m at [email protected].
Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.