
[Fwd: FW: NSA Completes Windows XP and Windows Server 2003
From:Joe Klemmer
Date: Wed, 20 Jun 2007 11:22:26 -0400

[In the interest of fairness and equality, our resident Microsoft
man-on-the-street Glenn forwards this info.  -  jjk]

-------- Forwarded Message --------
From: Glenn Schoonover 
Subject: FW: NSA Completes Windows XP and Windows Server 2003 Vulnerability Analysis
Date: Tue, 19 Jun 2007 17:16:50 -0700


NSA Completes Windows XP and Windows Server 2003 Vulnerability Analysis
At the end of April, the National Security Agency (NSA) completed their
vulnerability analysis of Windows XP SP2 and Windows Server 2003 under
the Common Criteria evaluation. This vulnerability analysis represents a
highly unique and special milestone for the software industry led by
Microsoft as this is the first time a commercial operating system has
met NSA’s demanding vulnerability analysis.  Essentially the NSA
vulnerability analysis was used to determine how well Windows XP SP2 and
Windows Server 2003 SP1 withstood sophisticated NSA attack scenarios
through what is known as penetration testing.  The penetration testing
methods used to determine if Windows XP and Windows Server were
resistant to attacks are described as “those performed by attackers
possessing a high attack potential”. The NSA has officially and publicly
acknowledged that Windows XP and Windows Server 2003 are resistant to
penetration attacks performed by attackers with high attack potential;
reference: http://www.niap-ccevs.org/cc-scheme/st/?vid=9506.

Leading the Industry with Real World Scenarios

Microsoft continues to lead the industry by submitting products for
Common Criteria evaluation that depict real-world scenarios. The level
of functionality evaluated in the Windows XP SP2 and Windows Server 2003
SP1 Common Criteria evaluations combined with the level of vulnerability
scrutiny by NSA continues to exceed, not only the intent of Common
Criteria but also the norm for the software industry. Our “competitors”
simply evaluate minimal capabilities that fall far short of reflecting how
the US Government deploys, operates and uses enterprise class operating
systems in supporting their business requirements.  The competition
evaluates FTP server capability, and file and print servers, essentially
barebones 1980s technology:
(http://www.microsoft.com/windowsserver/facts/analyses/eal4compare.mspx).

Taking Security Seriously

If our customers take security seriously and take the time to reflect on
the results of a Common Criteria evaluation, specifically our target of
evaluation, it becomes obvious Microsoft takes security very
seriously. Instead of just meeting the minimum requirements, we
evaluated Active Directory, IPSEC, file and print, IIS, TCP/IP, rich
networking capabilities, Windows client together with Windows Server,
the distributed security mechanisms; the list goes on.

                   NOBODY ELSE HAS COME CLOSE TO THIS

Our goal was simple: we should evaluate a real Windows domain
architecture, something useable and representative of a customer’s
environment, in which they can have confidence that it will support their
real business and mission needs today and into the future.  Why would
anyone conduct an evaluation any differently than this?  Why would a
customer accept anything any different than this?

The Evaluation Future

And then to top it off, the real magic behind our security is in our
code quality and the Security Development Lifecycle (SDL). While the SDL
was used in part for the Windows XP SP2 and Windows 2003 evaluation, it
was not a finalized or fully implemented process when we began the
development of Windows XP and Windows Server 2003.  The SDL work that
went into the development of Windows Vista and Windows Server 2008
(Longhorn) and the NSA’s vulnerability analysis continue to lead the
industry, with the NSA’s recent announcement that Windows Vista will be the
first operating system to be evaluated under the replacement for Common
Criteria, the Commercial Operating System Assessment. Windows Vista and
Windows Server 2008 will also be evaluated under Common Criteria for
other governments.