Microsoft has certified Windows 2000 against the ISO Common Criteria and will do the same with both Windows XP and Windows .NET Server, in a sign of the Windows division’s continuing focus on improving the security of its products. Windows 2000 with Service Pack 3 has been awarded Evaluation Assurance Level 4 (EAL4) for the Common Criteria (CC) version 2.1. These criteria are also known as the International Organisation for Standardisation (ISO) Evaluation Criteria for Information Technology Security (ISO 15408) and are the result of collaboration between national security and standards organizations from Canada, France, Germany, the Netherlands, the United Kingdom, and the United States. Customers should not read too much into such a certification, as applying the criteria against how a given organization specifically configures and administers Windows is not easy.

In the U.S., the supporting agencies are the National Institute for Standards and Technology and the National Security Agency, and the CC reflects criteria from both the Federal Criteria for Information Technology Security version 1.0 and the Trusted Computer System Evaluation Criteria (TCSEC or "Orange Book"). This rating for Windows 2000 Server is analogous to the C2 rating of Windows NT. A mutual recognition agreement commits the collaborating countries to recognize the certification of products against the CC as if the product has been evaluated against a collaborating country’s own standard.

The EAL4 evaluation means that the product being evaluated was methodically designed, tested for vulnerabilities, and reviewed to ensure that it can be configured securely.

Rather than a complete line-by-line examination of the Windows code for vulnerabilities, the ELA4 evaluation indicates that in the view of the independent examiner, Windows 2000 with Service Pack 3, validated against a set of implementation-independent security requirements, confirms that Microsoft used a design, development, and testing approach that supports the development of a secure product.

The ELA4 evaluation does not mean that there will never be another vulnerability or security bug in Windows or that merely installing Windows provides a secure environment. It does mean that the underlying design supports the development of an operating system that could be secure. Microsoft did have Windows 2000 evaluated for "flaw remediation," an additional level of evaluation that augments the ELA4 for products that need to evolve rapidly to meet changing threats.

Microsoft is providing documents for users and administrators that detail the evaluation environment and provide an overview of the Windows 2000 security functions that must be performed by the administrator to securely configure and manage the system in the same manner as the evaluated configuration.

This certification also shows that Microsoft is willing to invest significant resources, including time, money, and personnel, for an independent review of the Windows design process as it relates to security. This review began well before the company’s Trustworthy Computing initiative was launched in early 2002. Passing such a review does allow Microsoft to defuse some criticism of Windows security, and it allows Microsoft and its partners to bid on systems where customers, such as government agencies, require compliance with these security criteria.

Resources

For information on the Common Criteria, see www.commoncriteria.org.

For information about Microsoft’s certificate for CC-ELA4, including profile information, see niap.nist.gov/cc-scheme/CCEVS-VID402.html.

Microsoft’s guides for interpreting and using the Common Criteria are at www.microsoft.com/technet/security/issues/w2kccwp.asp.