Microsoft products earn Common Criteria certification
- By Brad Grimes
- Dec 14, 2005
Microsoft Corp. today received Common Criteria certification from the National Information Assurance Partnership for several Windows products. The company made the announcement at its Security Summit East in Washington.
All the products earned security certification at Evaluation Assurance Level 4+ (EAL 4+). EAL 7 is the highest level of certification.
'Certification of these Windows platform products, which includes evaluation of the broadest set of real-world scenarios of any operating system platform today, underscores our deep and ongoing commitment to the Common Criteria process,' said Steve Lipner, Microsoft's senior director of security engineering strategy, in a statement.
The Microsoft products that earned EAL 4+ certification are:
- Windows Server 2003 Standard Edition with Service Pack 1
- Windows Server 2003 Enterprise Edition (32- and 64-bit versions) with Service Pack 1
- Windows Server 2003 Datacenter Edition (32- and 64-bit versions) with Service Pack 1
- Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)
- Windows XP Professional with Service Pack 2
- Windows XP Embedded with Service Pack 2
Certification of Windows is a significant development for a company that had endured years of ridicule for the insecurity of its products. Four years ago Microsoft chief software architect Bill Gates issued a memo making security a top priority, and the company took steps toward locking down Windows and other Microsoft products, including a new Security Development Lifecycle process for creating software. The company said it employed SDL for several of its latest products, including Visual Studio 2005, SQL Server 2005 and BizTalk Server 2006.
Last week at a breakfast attended by government contractors, Microsoft CEO Steve Ballmer said the company had 'made great progress' in improving the security of its products. Common Criteria EAL 4+ may be the strongest measure yet of that progress.
The Microsoft products were evaluated against the Controlled Access Protection Profile, Lipner told GCN, one of several profiles that test different aspects of security. CAPP assures that the operating system's access controls enforce limits on the actions users can perform on a system's data objects.
Red Hat Enterprise Linux 5 and Sun Solaris 10 are currently in EAL 4 testing. Solaris 10, for example, is undergoing CAPP testing as well as testing against the Role-Based Access Control Protection Profile, which describes how the software handles the roles or rights applied to a group of users. An earlier version of Solaris known as Trusted Solaris is also certified for the Labeled Security Protection Profile.
While such certification can help agencies identify appropriate operating systems for secure environments, experts warn that not all assurance levels, including EAL 4+, can guarantee security in Internet-facing systems.