Microsoft Windows earns Common Criteria certification

Several of Microsoft's Windows platform products have achieved a Common Criteria certification of EAL 4+, according to the company.

Several of Microsoft's Windows platform products have achieved a Common Criteria certification of 4+, a rating that bolsters their profile among government and other vertical-market customers that have high-security needs for IT products, a company spokesman said Wednesday.

Common Criteria is a standard evaluation rating issued by the National Information Assurance Partnership that primarily government customers use to evaluate the security of IT products before making purchasing decisions.

Both 32-bit and 64-bit versions of Windows Server 2003, Standard Edition with Service Pack 1; Windows Server 2003, Enterprise Edition with Service Pack 1; and Windows Datacenter Edition with Service Pack 1 have achieved Common Criteria (CC) Evaluation Assurance Level 4, Augmented with ALC_FLR.3 certification, said Mario Juarez, senior product manager in the Security Technology Unit at Microsoft. The certification is more commonly known as EAL 4+, with the "+" denoting the addition of the ALC_FLR.3 certification, he said.

The highest level of the Common Criteria certification is EAL 7. Other Windows software that has been rated EAL 4+ includes Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (Security Level 3 Protection Profile, Version 1.0); Windows XP Professional with Service Pack 2; and Windows XP Embedded with Service Pack 2.

Juarez said that Microsoft began the evaluation process for the Windows Server 2003 software about two years ago, and tested the products together as an end-to-end platform rather than separately because they typically will be used in that scenario. "If we say a certain security threat is going to hit a system, in our case we're talking about the whole [Windows] platform," he said.

Microsoft had previously reached the EAL 4 rating for Windows Server 2000, but did not test the server OS with other pieces of software that typically would run with it, Juarez added.

Russ Cooper, editor of the NTBugtraq mailing list and a scientist at security vendor Cybertrust, called Microsoft's achievement of EAL 4+ "wonderful," but questioned whether IT administrators and engineers will have to tweak Windows to achieve settings that recreate the OS scenarios that were evaluated.

"Sometimes you have to install the software and then do some things to achieve the certification, [such as] turn off insecure services," he said. "The real question is what gyrations do you have to do to the operating system and how functional is it when you've done that. If [Microsoft says], 'We've achieved this out of the box with a default installation,' then that's a big deal."

Microsoft could not immediately confirm if the Windows platform achieved its EAL 4+ certification through default settings.

Government customers have historically deployed a lot of Unix in their environments because of its tendency to be extremely secure, and in recent years also began using Linux, an open-source version of Unix, as another OS option. Currently, Red Hat is testing its Red Hat Enterprise Linux 4 for EAL 4. SUSE Linux Enterprise Server 9 has achieved EAL 4 certification on an IBM eServer, according to the Web site of Novell Inc., which owns SUSE Linux.

In the past few years, Microsoft has come under considerable fire due to the insecurity of Windows. As a result, the company became concerned not only with fixing Windows' security holes, but also with customers' perception that Windows is not sufficiently safe for deployments that require the highest level of security, Juarez said.

The company has made and continues to make a concerted effort to ensure Windows is more secure so customers can feel confident deploying it in any IT environment, he said. The Common Criteria EAL 4+ certification is just one result of that effort.

"Three years ago we realized we needed to step it up a bit on multiple fronts and we began to look very comprehensively at security," Juarez said. "[Common Criteria evaluation] was not a decision we made lightly. It's an investment of time and financial resources, and you put your product through a process that influences the development of the product. We made sure it was something customers cared about before we took that step."

(Robert McMillan in San Francisco contributed to this story.)


Elizabeth Montalbano

IDG News Service