NSA Adds Windows 10 and Surface to List for Classified Use

Megalith

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,000
Microsoft has published a blog post bragging about how Windows 10 is the most secure OS they have ever made. In fact, it has even been officially cleared for classified government use—NSA workers can now deck the halls with Surface hardware, which have been determined to be the only devices that can “meet the highest security requirements for use in classified environments.” Another talking point is “Surface Enterprise Management Mode” (SEMM), a feature that can lock down a device at the firmware level and maintain those permissions even in the event of theft.

The company has announced that Windows 10 has been added to the list of NSA's Commercial Solutions for Classified Programs (CSfC). Similarly, the Surface Pro 3, Pro 4, and Book are the only hardware devices running Windows 10 that meet the "high security requirements". Microsoft also says that it has added another layer of hardware security for Surface devices called Surface Enterprise Management Mode (SEMM). This enhanced layer of security allows IT managers in organizations to take ownership, lock down, and modify hardware configurations, networking capabilities and application access within the device firmware. SEMM can be deployed on Surface Pro 4, Book, and Studio. Additionally, the company is also extending device management in Windows 10 by bringing more security settings to MDM solutions with the upcoming Creators Update.
 
Not surprising (must have finished their source code review)... kind of needed as the rest of FIVE EYES are in process of testing/rolling out Windows 10. When it comes to centralized enterprise level control Microsoft has that down hard and on the classified front they have been doing this since the Win9X days. The OS is just one part of many in a classified network system. Side note: I don't look forward to its rollout on my country's unclassified systems if Office 2013 is any indication of the potential incompatibilities.
 
Delicieuxz said:
More misleading Windows 10 propaganda from Microsoft.

If Windows 10 is the most secure OS Microsoft have ever made, then how come Windows 7 was literally significantly more secure than Windows 10 in 2016?


Ranking of the most vulnerable OSes of 2016:

Product Name | Vendor | Product Type | # of Vulnerabilities

1 Android Google OS 523
2 Debian Linux Debian OS 319
3 Ubuntu Linux Canonical OS 278
4 Flash Player Adobe Application 266
5 Leap Novell OS 259
6 Opensuse Novell OS 228
7 Acrobat Reader Dc Adobe Application 227
8 Acrobat Dc Adobe Application 227
9 Acrobat Adobe Application 224
10 Linux Kernel Linux OS 217
11 Mac Os X Apple OS 215
12 Reader Adobe Application 204
13 Windows 10 Microsoft OS 172 **
14 Chrome Google Application 172
15 Iphone Os Apple OS 161
16 Windows Server 2012 Microsoft OS 156
17 Windows 8.1 Microsoft OS 154
18 Windows Rt 8.1 Microsoft OS 139
19 Edge Microsoft Application 135
20 Windows 7 Microsoft OS 134 **
Click to expand...

That list seems rather suspect since Flash Player isn't number 1.
 
Delicieuxz said:
More misleading Windows 10 propaganda from Microsoft.

If Windows 10 is the most secure OS Microsoft have ever made, then how come Windows 7 was literally significantly more secure than Windows 10 in 2016?


Ranking of the most vulnerable OSes of 2016:

Product Name | Vendor | Product Type | # of Vulnerabilities

1 Android Google OS 523
2 Debian Linux Debian OS 319
3 Ubuntu Linux Canonical OS 278
4 Flash Player Adobe Application 266
5 Leap Novell OS 259
6 Opensuse Novell OS 228
7 Acrobat Reader Dc Adobe Application 227
8 Acrobat Dc Adobe Application 227
9 Acrobat Adobe Application 224
10 Linux Kernel Linux OS 217
11 Mac Os X Apple OS 215
12 Reader Adobe Application 204
13 Windows 10 Microsoft OS 172 **
14 Chrome Google Application 172
15 Iphone Os Apple OS 161
16 Windows Server 2012 Microsoft OS 156
17 Windows 8.1 Microsoft OS 154
18 Windows Rt 8.1 Microsoft OS 139
19 Edge Microsoft Application 135
20 Windows 7 Microsoft OS 134 **
Click to expand...


So how secure was windows 7 the first year it was out?
 
You have to wonder how much original 2009 code is left in a fully 2017 patched install of Windows 7.
 
They cleared it for classified use not because its secure and hard to break in, rather they cleared it because if someone does break in they know instantly who where and when. Its like using a security camera, does nothing to actually prevent theft or break-ins, but allows you to find the perpetrators quickly and apprehend them faster. Windows 10 is basically one giant security camera watching everyone who interacts with it.
 
Krazy925 said:
Android definitely makes sense, especially with some phones never getting updates.
Click to expand...

That's not so much the issue, the issue is people downloading from third party repositories in order to get free software. Download purely from the Play Store and disable 'allow the installation of apps from other sources' and Android is actually quite secure.
 
You do realize that number of patches doesn't equal the security level of an OS. For instance if you consider the sheer number of "applications" that are considered part of Linux then you might be surprised that each of the various releases aren't always at the top of the list. However, Linux is often considered one of the more secure OS's. Much of the security of an OS comes from the ability to prevent a vulnerability from being able to do large amounts of damage. Windows 10 has introduced new capabilities to do this. Similarly WIndows 7, and most versions of RHEL have all been approved for use in the past so this really isn't anything new.
 
Delicieuxz said:
More misleading Windows 10 propaganda from Microsoft.

If Windows 10 is the most secure OS Microsoft have ever made, then how come Windows 7 was literally significantly more secure than Windows 10 in 2016?


Ranking of the most vulnerable OSes of 2016:

Product Name | Vendor | Product Type | # of Vulnerabilities

1 Android Google OS 523
2 Debian Linux Debian OS 319
3 Ubuntu Linux Canonical OS 278
4 Flash Player Adobe Application 266
5 Leap Novell OS 259
6 Opensuse Novell OS 228
7 Acrobat Reader Dc Adobe Application 227
8 Acrobat Dc Adobe Application 227
9 Acrobat Adobe Application 224
10 Linux Kernel Linux OS 217
11 Mac Os X Apple OS 215
12 Reader Adobe Application 204
13 Windows 10 Microsoft OS 172 **
14 Chrome Google Application 172
15 Iphone Os Apple OS 161
16 Windows Server 2012 Microsoft OS 156
17 Windows 8.1 Microsoft OS 154
18 Windows Rt 8.1 Microsoft OS 139
19 Edge Microsoft Application 135
20 Windows 7 Microsoft OS 134 **
Click to expand...


So let's look at it from the perspective of the type of vulnerability.

Windows 7
Windows 10

The total of exploits from 2015 to current.

DOS - Windows 7:16 Windows 10:10
Code Execution - Windows 7:91 Windows 10:64
Overflow - Windows 7:30 Windows 10:26
Memory Corruption - Windows 7:15 Windows 10:13
SQL Injection - Windows 7:0 Windows 10:0
XSS - Windows 7:0 windows 10:0
Directory Transversal - Windows 7:1 Windows 10:0
HTTP Response Splitting - Windows 7:0 Windows 10:0
Bypass - Windows 7:35 Windows 10:29
Gain Info - Windows 7:44 Windows 10:35
Gain privlidge - Windows 7:131 Windows 10:108
CSRF - Windows 7:0 Windows 10:0
File Inclusion - Windows 7:0 Windows 10:0

Windows 7 Exploits - 363
Windows 10 Exploits - 285

So yeah, there was more 10 exploits found last year, but it still has had fewer exploits than 7 has in the during the length of its release. If you think it's propaganda take them to court.
 
Delicieuxz said:
Propaganda, especially corporate propaganda, is not a punishable crime in the USA (and probably many other places).
Click to expand...

But saying it's safer when it really isn't is, and the numbers show it has fewer exploits in the same time period. And even your reasoning for launch year exploits can be off if you consider launch, 1511 and 1607 versions of 10 as different operating systems because every exploit didn't apply to every version. It's all opinion anyways
 
Please stop using the number of vulnerabilities as a blanket measure of security. I'm not a security professional but even I know that this is but one angle to review security of a system. Think about the dozens and hundreds of other vectors there are. Instead of making clearly skeptical comments about the NSA and meeting government compliance standards being propaganda or a ruse or fixing the game, maybe one can actually take it at face value and consider that these certifications are made based on very rigorous testing and must meet very restrictive criteria and standards. For sure there are other devices like blackberry or android which can be super-locked down also. I would actually be curious to know if there is a desktop version of Linux for example which meets these same standards and is accepted by government agencies.
 
g-money said:
I would actually be curious to know if there is a desktop version of Linux for example which meets these same standards and is accepted by government agencies.
Click to expand...

Red Hat Enterprise Linux for sure, it's listed on the NSA site.

You can see a whole bunch of Samsung/Apple devices are also approved. These products aren't hardened out of the box, certification means they have a procedure to harden them.
 
You must log in or register to reply here.
Back
Top