Microsoft products earn Common Criteria certification

Microsoft Corp. today received Common Criteria certification from the National Information Assurance Partnership for several Windows products. The company made the announcement at its Security Summit East in Washington.

All the products earned security certification at Evaluation Assurance Level 4+. EAL 7 is the highest level of certification.

'Certification of these Windows platform products, which includes evaluation of the broadest set of real-world scenarios of any operating system platform today, underscores our deep and ongoing commitment to the Common Criteria process,' said Steve Lipner, Microsoft's senior director of security engineering strategy, in a statement.

The Microsoft products that earned EAL 4+ certification are:
  • Windows Server 2003 Standard Edition with Service Pack 1

  • Windows Server 2003 Enterprise Edition (32- and 64-bit versions) with Service Pack 1

  • Windows Server 2003 Datacenter Edition (32- and 64-bit versions) with Service Pack 1

  • Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)

  • Windows XP Professional with Service Pack 2

  • Windows XP Embedded with Service Pack 2.

Certification of Windows is a significant development for a company that had endured years of ridicule for the insecurity of its products. Four years ago Microsoft chief software architect Bill Gates issued a memo making security a top priority, and the company took steps toward locking down Windows and other Microsoft products, including a new Security Development Lifecycle process for creating software. The company said it employed SDL for several of its latest products, including Visual Studio 2005, SQL Server 2005 and BizTalk Server 2006.

Last week at a breakfast attended by government contractors, Microsoft CEO Steve Ballmer said the company had 'made great progress' in improving the security of its products. Common Criteria EAL 4+ may be the strongest measure yet of that progress.

The Microsoft products were evaluated against the Controlled Access Protection Profile, Lipner told GCN, one of several profiles that test different aspects of security. CAPP assures that the operating system's access controls enforce limitations on the actions users can perform on data objects in a system.

Red Hat Enterprise Linux 5 and Sun Solaris 10 are currently in EAL 4 testing. Solaris 10, for example, is undergoing CAPP testing as well as testing against the Role-Based Access Control Protection Profile, which describes how the software handles the roles or rights applied to a group of users. An earlier version of Solaris known as Trusted Solaris is also certified for the Labeled Security Protection Profile.

While such certification can help agencies identify appropriate operating systems for secure environments, experts warn that an assurance level such as EAL 4+ does not by itself guarantee security in Internet-facing systems.
