SQL Server 2000 gets C2 certification; security tests under way for Win 2000

By Patricia Daukantas

GCN Staff

SQL Server 2000 is the first Microsoft Corp. database management system to be certified at the C2 security level through the government's Trust Technology Assessment Program.

'We decided to go after this because there is a large market for C2-approved databases,' said Jeff Ressler, Microsoft's lead product manager for SQL Server 2000.

The DBMS met the C2 standard 'out of the box' without any special patches or upgrades when installed under a C2-compliant operating system, he said.

Many government software contracts require C2-level security, also known as controlled access protection.

'What's more common is that a government contract will require a C2-approved database but not necessarily take advantage of all the C2 security features in the product,' Ressler said.

Science Applications International Corp. of San Diego performed the certification testing with Microsoft funding. The National Security Agency and the National Institute of Standards and Technology jointly run the government's security certification program. NSA and NIST accept test results from approved third parties.

The evaluation took about 14 months to complete, which was less time than it took SAIC to certify Microsoft Windows NT 4.0 at C2, Ressler said.

The evaluated configuration was SQL Server 2000 8.0 running under Windows NT 4.0 with Service Pack 6a and a C2 upgrade. The amended version of NT 4.0 received C2 certification early this year [GCN, Feb. 7, Page 50].

SQL Server 2000 is available to Microsoft Developers Network subscribers and through the Microsoft Select volume licensing program. Defense Department agencies can obtain it through the DOD Enterprise Software Initiative, Microsoft spokesman Keith Hodson said.

More tests

Meanwhile, Microsoft is starting to test its Windows 2000 platform under the National Information Assurance Partnership's Common Criteria evaluation and validation scheme, said Pat Arnold, director of information assurance for Microsoft's federal group.

The Common Criteria program, also administered by NIST and NSA, evaluates operating systems, firewalls and other software based on a set of international standards [GCN, June 12, Page 32].

DOD wants all server products it uses evaluated by 2002, Hodson said.
