Windows 2000 Gains Common Criteria Certification

Microsoft has certified Windows 2000 against the ISO Common Criteria and will do the same with both Windows XP and Windows .NET Server, in a sign of the Windows division’s continuing focus on improving the security of its products. Windows 2000 with Service Pack 3 has been awarded Evaluation Assurance Level 4 (EAL4) for the Common Criteria (CC) version 2.1. These criteria are also known as the International Organisation for Standardisation (ISO) Evaluation Criteria for Information Technology Security (ISO 15408) and are the result of collaboration between national security and standards organizations from Canada, France, Germany, the Netherlands, the United Kingdom, and the United States. Customers should not read too much into such a certification, as applying the criteria against how a given organization specifically configures and administers Windows is not easy.

In the U.S., the supporting agencies are the National Institute for Standards and Technology and the National Security Agency, and the CC reflects criteria from both the Federal Criteria for Information Technology Security version 1.0 and the Trusted Computer System Evaluation Criteria (TCSEC or “Orange Book”). This rating for Windows 2000 Server is analogous to the C2 rating of Windows NT. A mutual recognition agreement commits the collaborating countries to recognize the certification of products against the CC as if the product has been evaluated against a collaborating country’s own standard.